Related Tips & Info

Tutorial: ZENworks Mobile Management 3.1 and Certificate Management

jblackett
 
0 Likes
ZENworks Mobile Management 3.1 is due to be released shortly. There are several key new features that I will be discussing shortly, but one of the most interesting capabilities is the ability to use ZENworks Mobile Management to provision your devices with certificates that can be used to authenticate to your WPA2-Enterprise networks and your Exchange system. After having set this up, I decided there needed to be a bit more information included about how to setup the Microsoft side of things, not just how to setup the ZENworks side of things, as is going to be covered in the documentation.

The purpose of this document is to describe the steps from initial installation of Windows Server to login of your device to your wireless network. I won’t be covering how to configure Microsoft Exchange to accept certificates for authentication. However, you can refer to http://www.o-xchange.com/p/configure-exchange-certificate-based.html for more information on how to do that if you are interested.

For the purpose of this tutorial, I had the following configuration at the start of the tutorial:

  • Windows 2012 R2 configured and fully patched with the following roles installed and configured

    • Active Directory Services

  • DNS



  • ZENworks Mobile Management 3.1 installed on a Windows 2012 R2 server

  • A Netgear Nighthawk R7000 wireless router that supports WPA2-Enterprise authentication

  • An iOS device running iOS 8


 

Install and Configure Active Directory Certificate Services


In order to use ZENworks Mobile Management to issue certificates, your certificates must be provided by Microsoft’s Active Directory Certificate Services. This role is included with Windows 2012 R2 and is installed via Server Manager. Once you complete the steps in this section you will have a properly configured Certificate Authority that will be able to issue certificates.

  1. Install the Certificate Authority role on the Windows 2012R2 Active Directory server.

    1. Launch Server Manager.

  2. Select Manage > Roles and Features.

  • At the welcome screen, click Next.

  • At the installation type screen, click Next.

  • At the select destination screen, click Next.

  • Select Active Directory Certficate Services; then click Next.

  • Click Add Features.

  • Click Next.

  • At the select features screen, click Next.

  • At the Active Directory Certificate Services screen, click Next.

  • At the Select role services screen, click Next.

  • At the confirm installation selections screen, click Install.



  • Configure the Certificate Authority Role.

    1. Click the flag icon with the exclamation point near it.

  • Click Configure Active Directory Certificate Services on the destination server link.

  • At the specify credentials screen, click Next.

  • At the Select Role Services to configure screen, select Certification Authority; then click Next.

  • At the Specify the setup type of the CA screen, select Enterprise CA; then click Next.

  • At the Specify the type of the CA screen, select Root CA; then click Next.

  • At the Specify the type of the private key screen, select Create a new private key; then click Next.

  • At the Specify the cryptographic options screen, click Next.

  • At the Specify the name of the CA screen, make a note of the Common name for this CA value; then click Next.

  • At the Specify the validity period screen, click Next.

  • At the Specify the database location screen, click Next. This should display a summary like the one below:CertAuth-Summary

  • Click Configure to configure the CA. This will configure the CA.

  • When the configuration finishes, click Finish.



  • Configure the CA to allow issuing enrollment agent certificates so that it can issue one to the ZMM server.

    1. Click the start menu and open Administrative Tools.

  • Double click Certification Authority.

  • Expand the CA in the tool; then click Certificate Templates.

  • Right click Certificate Templates and select New > Certificate Template to issue…

  • Highlight Enrollment Agent; then click OK.




Install and Configure additional Active Directory Certificate Services features


In order for ZENworks Mobile Management to submit requests on behalf of the users using the mobile devices in your system, you must have configured the Policy Enrollment Service and Policy Enrollment Web Service features as well. These components are installed through Server Manager and can be installed on either the Certificate Authority server, or on a separate server. For simplicity of this tutorial I have installed them on the same server.

  1. Install the other required ADCS services.

    1. Launch Server Manager.

  2. Select Manage > Roles and Features.

  • At the welcome screen, click Next.

  • At the installation type screen, click Next.

  • At the select destination screen, click Next.

  • Expand Active Directory Certificate Services.

  • Select Certificate Enrollment Policy Web Service; then click Add Features.

  • Select Certificate Enrollment Web Service.

  • Select Certificate Authority Web Enrollment; then click Add Features.

  • Click Next.

  • At the Web Server Role (IIS) screen, click Next.

  • At the select role services screen, click Next.

  • At the confirm installation selections screen, click Install.

  • When complete, click Close.

  • Restart the server.



  • Configure the other ADCS services.

    1. Login to the server as the domain administrator.

  • Open Server Manager.

  • Click the flag icon with the exclamation point near it.

  • Click Configure Active Directory Certificate Services on the destination server link.

  • At the specify credentials screen, click Next.

  • At the Select Role Services to configure screen, select all of the available roles; then click Next.

  • At the CA for CES screen, click Next.

  • At the Authentication Type for CES screen, select User name and password; then click Next.

  • At the specify service account (recommended) screen, select Use the built-in application pool identity; then click Next.

  • At the Authentication Type for CEP screen, select User name and password; then click Next.

  • At the Enable Key-Based Renewal for CEP screen, click Next.

  • At the Specify a Server Authentication Certificate screen, select the certificate that was issued to the full DNS name of the server; then click Next.

  • Click Configure.

  • Review the Results page then click Close.



  • Open IIS Manager so that you can see the names of the sites that were created.

    1. Launch IIS Manager.

  • Expand the server > Sites > Default sites. You should see something similar to what is below:IISManager




Make a note of the CEP and CES site names for later. You have now completed the configuration of Active Directory Certificate Services.

Install and Configure Network Policy Server to Certificate Authentication


The next two sections deal with how to configure your network to require WPA2-Enterpise and how to authenticate wireless users. The first step is to configure a RADIUS server that can utilize the certificates that will be issued by your Certificate Authority. Again, for simplicity’s sake I elected to install the Network Policy Server role on my Windows 2012 R2 server acting as the Certificate Authority. You will then need to configure the NPS server to authenticate users’ 802.1x requests.

  1. Install the other required ADCS services.

    1. Launch Server Manager.

  2. Select Manage > Roles and Features.

  • At the welcome screen, click Next.

  • At the installation type screen, click Next.

  • At the select destination screen, click Next.

  • Select Network Policy and Access Services.

  • Click Add Features.

  • Click Next.

  • Click Next.

  • At the Network Policy and Access Services welcome page, click Next.

  • At the Select role services screen, click Next.

  • Click Install.

  • Click Close.

  • Close Server Manager.



  • Configure NPS to provide 802.1x authentication for the wireless router.

    1. Open Administrative Tools > Network Policy Server

  • In the Standard Configuration section select RADIUS server for 801.2X Wireless or Wired Connections from the drop down.

  • Click Configure 802.1X.

  • Select Secure Wireless connections

  • In the Name field, enter Secure wireless; then click Next.

  • At the RADIUS clients screen, click Add.

  • In the Friendly name enter a descriptive name for the Nighthawk or whatever Wi-fi router / AP you are using.

  • In the Address field, enter the IP address or DNS name of your router.

  • In the Shared Secret field, either enter a value or select Generate and then click Generate.

  • Copy the shared secret to a file that you can use in the next section.

  • Click OK.

  • Click Next.

  • At the Configure an Authentication Method screen, select Microsoft : Smart Card or other certificate; then click Next.

  • If you want to limit who can access the wireless, specify the Domain groups that you want to have access; then click Next.

  • At the Configure Traffic Controls screen, click Next.

  • Click Finish. You have now completed the configuration of the Windows 2012 R2 server.




Configure the Wireless Router to use NPS server for RADIUS authentication


Once you have a RADIUS server, you need to configure your wireless router. Of course every wireless router will have slightly different UI, but the steps should be pretty close to the same. Here’s how you configure it on my Nighthawk.

  1. Login to the Nighthawk router by browsing to http://<LAN IP of router> and entering your admin name and password.

  • Click the Advanced tab.

  • Click the link for one of the Wireless networks that you are currently hosting.

  • At the bottom of the network properties, in the Security Options section, select WPA/WPA2 Enterprise

  • In the WPA/WPA2 Enterprise section for the Encryption mode select your desired encryption scheme.

  • In the RADIUS server IP Address field, enter the IP address of your Windows server that is running NPS.

  • In the RADIUS server Port field, enter the port that you configured NPS to listen for RADIUS Auth requests on (typically 1812).

  • In the RADIUS server Shared Secret field paste the shared secret value that you created in the NPS configuration. When you are all done these settings should look something like this:NightHawkRadius


Configure ZENworks Mobile Management to Provision Certificates


Now that you’ve successfully configured the infrastructure to issue certificates and authenticate users using those certificates, you can now configure ZENworks Mobile Management to provision the certificates out to the mobile devices.

NOTE: The ZENworks Mobile Management server must be a member of the same domain that the Active Directory Certificate Authority is servicing.

  1. Install the Certificate Authority certificate in the Local Machine store on the ZENworks Mobile Management server.

    1. Open Internet Explorer on your ZMM server.

  2. Browse to https://<winserver>/certsrv

  • At the login prompt enter the domain administrator’s username and password.

  • Click the Download a CA certificate, certificate chain, or CRL link.

  • Click Download CA certificate; save the file.

  • Double click the certificate file you downloaded.

  • Click Install Certificate.

  • Select Local Machine.

  • Select Place all certificates in the following store; then click Browse.

  • Select Trusted Root Certification Authorities; then click OK.

  • Click Next.

  • Click Finish.



  • Create a Certificate Authority object in the ZENworks Mobile Management dashboard that tells ZENworks how to connect to the Certificate Authority.

    1. Login to the dashboard as an organizational or system admin by browsing to https://<zmm server>/dashboard

  • Select Organization > Certificate Management > Certificate Authorities

  • In the Name field, enter a descriptive name for the Certificate Authority.

  • In the Server Hostname field, enter the IP address or DNS name of the server. This must match the subject name of the SSL certificate associated with the IIS that is hosting the enrollment web services.

  • In the Username field, enter the name of a domain administrator in the DOMAIN\USER format.

  • In the Password field, enter the password of the specified user.

  • In the Policy Service Name field, enter the name of the policy service as shown in the IIS administration console on the server hosting these services. The name of the service is typically ADPolicyProvider_CEP_UsernamePassword.

  • In the Enrollment Service Name field, enter the name of the enrollment service as shown in the IIS administration console on the server hosting these services. The name of the service is typically <AD Cert Authority Name>_CES_UsernamePassword.

  • In the description enter a short description about the CA. This should result in a form that looks like the one below:ZMMCertAuth

  • Click Save to save the changes. The ZMM server will attempt to contact the services and present an overview of any connection problems.

  • On the test results button, click Close. This will attempt to issue an Enrollment Agent certificate to the user specified so that the ZENworks server can submit requests on behalf of other users.





  1. Create a Certificate Template in the ZENworks dashboard. This object contains information about how the certificate request should be constructed when sent by the server.

    1. From the dashboard, select Organization > Certificate Management > Certificate Templates.

  2. Click Add Certificate Template

  • In the Name field, enter the name of the template. This will be the name of a template created on the Certificate Authority and must be unique.

  • Select to either have ZENworks Mobile Management build the subject or enter a specific subject. If you enter a specific subject you can leverage built in variables such as {username} or {emailaddress}.

  • If you chose to have ZMM build the subject name, select whether you want to mint the certificate using the Common Name only or the Fully Distinguished name. For this tutorial I selected Common Name.

  • Check the include e-mail name in subject checkbox.

  • In the Certificate Authority drop down, select the Certificate Authority you created in step 1.

  • Check the Auto Re-issue checkbox, if you want the certificate to automatically be re-issued as it approaches expiration.

  • In the Key Type dropdown, select Signing and Encryption.

  • In the Key Size dropdown, select 2048. You should now have a form that looks something like the one below:ZMMCertTemplate

  • Click Finish to commit the change. This will connect to the Certificate Authority, create the certificate template, and make that template available for publishing by the Certificate Authority.



  • Create an iOS or Android Wifi corporate resource and assign it to an Active Directory domain user that you want to test. In this tutorial we will create an iOS Wi-Fi resource.

    1. From the dashboard, select Organization > iOS Corporate Resources > Wi-Fi Networks.

  • Click Add New iOS Wi-Fi Network

  • In the Resource Name field, enter a unique name for the resource.

  • In the SSID field, enter the SSID of the WPA2-Enterprise network you configured on the router.

  • In the Security Type dropdown, select WPA Enterprise

  • In the Accepted EAP Types field, check TLS

  • In the Certificate Authority drop down, select the Certificate Authority you configured.

  • In the Certificate Template drop down, select the Certificate Template you configured.

  • Click Finish. This should result in a definition similar to the one shown below:ZMMWifi



  • Wait 10 minutes.

  • Assign the corporate resource to an Active Directory group.

    1. Click the Assign to LDAP Groups/Folders button in the toolbar. The following dialog appears:ZMMAssign

  • Select the group that you want to be able to authenticate. If you configured a specific group for authentication in NPS, make sure that you select that group.

  • Click Update Assignments to save the change. This may take a few minutes before the APNS pushes the Wifi network definition.




Manage Provisioned Certificates in ZENworks Mobile Management


Once certificates have been provisioned by ZENworks Mobile Management you can view the certificates, renew the certificates and revoke the certificates from the ZENworks Mobile Management console. In this section we’ll use the certificate management UI to verify the creation of the certificate.

  1. In the dashboard, select Organization > Certificate Management > Certificates.

  • If all has been successful you should now see a certificate has been issued by the system, similar to what you see below:ZMMCertififcates


You are now ready to attempt the wireless connection. If the certificate is not listed, make sure that the APN has been pushed to the device.

NOTE: If you are using certificates for exchange, make sure to disable proxying of ActiveSync from the Organization settings page.

Connect to the Wireless Network


Now comes the moment of truth. This section walks you through assigning the Wifi resources you created and then testing to see if your mobile device can authenticate to the server.

  1. On the iOS device, go to Settings > Wireless Network.

  • Attempt to connect to the network that has been configured by ZENworks Mobile Management. This should cause the device to authenticate to the wireless network through the RADIUS server using the certificate


Summary


ZENworks Mobile Management 3.1 works in conjunction with Active Directory Certificate Services to make it easy to provision certificates to mobile devices for Wi-Fi and Exchange resources. Hopefully you found this tutorial useful in understanding how to implement this new capability.

Labels:

Webinars
Comment List
Parents Comment Children
No Data
Related
Recommended

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.