Certificate Management for MacOS
- Types of Certificates
- Scalefusion Supported Certificates
- Supported Platforms
- Configure Certificate Settings
- Where are the Certificates available after installation
- Certificate-based Enterprise Wifi Profile
Digital Certificates simplify the IT team’s task to authenticate devices and check for security when operating in unknown networks.
Utilizing a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) platform can further enhance the deployment experience of Digital Certificates on devices, as well as provide enterprises additional features and benefits of implementing security across devices.
Scalefusion, through Certificate Management, helps enterprises streamline the process of deploying Digital Certificates to end users' devices by automatically provisioning digital identities onto devices without end user interaction. You can enable authentication on managed devices using Scalefusion.
The document describes certificate management and how Standalone certificates can be applied on managed devices.
Types of Certificates
- Identity Certificate: These are the certificates that apps/browsers can use to identify the user and used for CBA (Cert Based Authentication). These are of typical .p12, .pfx formats
- CA Certificate: These are the certificates that verify the Trust of the certificate being presented. Can be of .cer, .pem and .der formats.
- Chained Certificates: Both 1 & 2 can contain a chain of certificate leading to a Leaf Node. That is the certificate payload/body can contain leaf certificate and the chain of issuing certificates.
Scalefusion Supported Certificates
Following types of certificates are supported under Scalefusion:
- PKCS1(cer, pem)
Configure Certificate Settings
Step 1: Upload a certificate to Dashboard
To configure certificates that can be deployed to devices, follow these steps:
- On Scalefusion Dashboard, navigate to Device Profile & Policies section > Certificate Management and click on UPLOAD CERTIFICATE
- This opens a new window Upload a Certificate
- Enter a name for the Certificate: Enter a display name for Identification purposes
- Upload Certificate file: Browse for the file and upload. Only .p12, .cer or .pem file formats are supportedIf the uploaded certificate happens to be .p12 or pfx that is an Identity certificate, the following additional details need to be entered:
Enter a Password for the file: A key that encrypts the certificate
- Allow Application access: This would allow all applications to access this certificate on the devices where it is installed. It is checked by default and is applicable only on Mac devices.If you Block application access (uncheck Allow Application) then the user will need to authenticate to access the application/websites on which the certificate is installed
- Click SAVE after entering all details.
The uploaded certificate with details would be displayed on the Certificate Management screen
Step 2: Apply Certificates to Device profiles / devices
Once certificates are uploaded, they need to be pushed to device profiles / devices. This is done through Publish under Actions
- Publish: Publishes certificate on selected device profile(s) / device(s). To publish,
- Click on Publish under Actions, in front of the certificate that has to be published. This opens a new window containing list of all device profiles and devices configured on Dashboard.
- Select the device profiles / devices on which the certificate has to be published and click PUBLISH.
The certificate will get associated with the device profile / device.
When a certificate is installed on device, the count of devices (for the certificate which is published) reflects under Installed On heading on Certificate Management screen
Other Actions on Uploaded Certificates
- Unpublish: Unpublishes certificate from the device profiles / devices. To Unpublish,
- Click on Unpublish under Actions, in front of the certificate that has to be unpublished. This opens a window containing list of all the device profiles and devices on which certificate is already published.
- Unselect the profiles and devices and click the button UNPUBLISH. The certificate will get uninstalled from the device(s) / device profiles.
- Delete: Deleting a certificate will uninstall the certificate from all devices and delete the stored certificate. Clicking Delete will show a Dialog for Confirmation "This Certificate is currently installed on the XX Device Profiles and used in XX Wifi Configurations? Are you sure you want to delete?"
The confirmation dialog appears only if the certificate is pushed else a simple confirm dialog box appears.
- Allow/Block Application Access: You can allow/block application access from here. The action name would show up based on selection of Allow Application Access setting at the time of uploading the certificate (Step 1 > #2 > #c). By selecting Allow/Block Application Access, you can allow/block all applications to access this certificate on the devices where it is installed.
- Download: Downloads the certificate on your system.
Expanded view of a Certificate
Clicking on down arrow before certificate name shows the expanded view of it. A certificate payload/file can be a single certificate or a chained certificate. Depending upon the same the expanded view shows up:
- Single Certificate: Shows the Issued By, Expiry and Key Usage
- Chained Certificate: Expanded view displays a List view and selecting each certificate displays its properties. A certificate in the chain can be,
- Root CA Certificate (is usually self-signed and hence no Issued By information is available)
- Intermediate CA Certificate (there can be n number of Intermediate CAs in a Certificate Hierarchy, usually it’s just one. Displays Issued By, as the intermediate CA certificate can be issued by another intermediate CA in the chain above or Root CA)
- Leaf Node Certificate (Displays Issued By which can be an Intermediate CA and extremely rarely the Root CA)
Where are the Certificates available after installation
- On Mac OS, certificates are available under Profiles
Certificate-based Enterprise Wifi Profile
On Mac OS devices, certificates can be associated with Enterprise Wifi configurations. As a result, all the devices where this Wifi has been published as well as Wifi being pushed on new Profiles, it will be sent with the Certificate payload.
Scalefusion supports Enterprise Wifi for iOS in two modes, viz LEAP and PEAP. The certificate option is there for PEAP mode.
- On the Dashboard, Navigate to Device Profile & Policies > Wifi Settings
- Click on Create New > Enterprise For macOS or Edit an existing Wifi configuration created for macOS
- In the Wifi Configuration window, once you select the PEAP checkbox there would be an option (drop-down) to select a certificate (Identity and Trust) that are previously uploaded.
- Select certificates that need to be associated with the Wifi configuration, and click Submit
The certificate will get associated with the Wifi Configuration.
- The association between the Wifi and Certificate will be removed and a new payload of Wifi would be sent.
- The Certificate will get uninstalled from devices.