Digital certificates authenticate enterprise users and devices and secure access to corporate email, Wi-Fi and other resources. SCEP (Simple Certificate Enrollment Protocol) is a convenient way to obtain digital certificates at scale and streamline the endpoint authentication process. For this reason, most UEM systems integrate deeply with Certificate Authorities over SCEP to automate endpoint authentication and authorization before granting access to enterprise resources.
How does EMM integrate with a CA server over SCEP?
To push a certificate to a device, an MDM administrator applies a profile containing a SCEP certificate to the device. The MDM server then contacts the CA server to obtain a one-time password (OTP); in a Windows environment the SCEP endpoint is typically NDES in front of an AD CS certificate authority. The CA server first responds with HTTP 401 (Unauthorized); the MDM server answers with its own service credentials, and if they are correct the CA server issues an OTP. The MDM server then creates a certificate request for the device (so in this flow the device key pair is generated on the MDM side), places the OTP in the request as the SCEP challenge password, encrypts the request to the CA and sends it. The CA server validates the OTP and issues the certificate to the MDM server, which applies it to the device.
Two points in this flow deserve attention. The OTP is the only thing that ties a request to an authorized MDM, so it must be single-use and short-lived, and the service account the MDM uses to fetch it should have no rights on the CA beyond that. And because the MDM server creates the request, the device's private key exists on the MDM server and is delivered to the device inside the profile payload, so the MDM server and the MDM-to-device channel are part of the certificate's trust boundary and must be protected accordingly.
Steps to integrate 42Gears UEM with a CA and push certificates to devices
1. Configure Certificate Management in Account Settings
To get SCEP-issued certificates onto devices, the admin logs in to the SureMDM Web Console, goes to Account Settings and clicks Certificate Management:
The Certificate Management screen has fields for CA Server Address, Certificate Template, Certificate Renewal Period, Common Name Wildcard and Alternate Name Wildcard. Once the admin has filled in these fields, check Enable OTP and click Save.
Note: The certificate template and related settings must first be configured by an admin on the AD (CA) side; once the CA server address is entered, the MDM fetches them automatically when it enrolls devices over SCEP.
2. Create a Profile and include certificate using SCEP
iOS and Android EMM profiles can be configured to include a SCEP certificate. For example, for iOS, go to Profiles, select iOS and select the Certificate profile. In the prompt that appears, check the Create Certificate Using SCEP option.
3. Use certificate for authenticating against enterprise resource
Once the SCEP certificate is included in your profile, it can be used to authenticate against enterprise resources such as Wi-Fi and email. For example, in the profile from step 2, go to the Wi-Fi tab, configure it and click Add. In the window that appears, enter the SSID, select EAP-TLS as the Security Type, check the Certificate Based Authentication and Auto Join options, and save.
4. Push profile to devices
Save the profile and apply it to any device enrolled in SureMDM. Once the profile is pushed, 42Gears UEM queries the CA server over SCEP to obtain a certificate for that device, bundles it in the profile payload and sends it to the device. The UEM agent on the device extracts the certificate from the payload and installs it, making it available to other apps (email client, VPN client, Wi-Fi supplicant) for authentication.
5. Verify certificate on device
Once the profile is successfully deployed, you can see the EMM-installed certificates on iOS under Settings > General > Device Management.
Once devices are secured with SCEP certificates, if a certificate is lost or leaked the admin can revoke that device's certificate without disturbing the certificates of other devices. This is the major advantage of per-device (or per-employee) certificates over a single shared "gold" certificate that works for every device in the organization. Note that revocation only takes effect at resources that actually check revocation status (CRL or OCSP) when validating the client certificate; a RADIUS or mail server that does not check will keep accepting a revoked certificate until it expires.
6. Renew and Revoke certificates
To renew or revoke a certificate, go to Account Settings > Certificate Management > Get Managed Certificates. This lists all certificates issued by the CA server at the EMM's request, and the admin can Revoke or Renew any of them from here. SureMDM can also renew certificates automatically on expiration.
In enterprises, employees are often allowed to bring their own devices to work. They access enterprise resources on these devices from anywhere, which can put corporate resources at risk. In addition to regular password-based authentication, enterprises should add an extra layer of security through certificate-based authentication. This gives IT admins greater control and flexibility.
With certificate-based authentication (CBA), pushing certificates manually to many devices is time-consuming and laborious, so integrating and automating this workflow with a UEM solution saves IT admins a lot of effort and time. Organisations must ensure that the UEM solution they use integrates properly with certificate authority servers.
42Gears’ UEM solution supports integration with most CA servers over SCEP, allowing seamless deployment of certificates to enterprise devices.
If you are looking for a UEM solution that integrates well with CA-issued certificates, try 42Gears' UEM solution here.