Onboard iOS devices with certificates using IBM MaaS 360 UEM and SCEP

In this topic, you will learn how to deploy Portnox™ Cloud certificates to iOS devices via MaaS 360 UEM and SCEP.

Turn on the Portnox Cloud SCEP services

In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.

If you have previously turned on the Portnox Cloud SCEP services, skip to the later steps.

Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > SCEP Services option.

  3. Enable integration with SCEP services.

    1. Click on the Edit link.
    2. Activate the Enable integration checkbox.
    3. Click on the Save button.
  4. Click on the  ⧉  icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
  5. Click on the  ⧉  icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.

Download the root CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal.

You need the root CA certificate so that your managed devices can verify the validity of Cloud RADIUS servers, which have certificates signed by this root CA certificate. If the root CA certificate is not distributed to managed devices, some devices may show a security warning each time that the user connects to networks managed by Portnox Cloud.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > CLOUD RADIUS SERVICE > Cloud RADIUS instance option.

    The right-hand pane shows the list of active servers.

  3. Click on any of the active RADIUS services to show its configuration.
  4. Click on the Download root certificate link to download the root CA certificate.

    Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.

Optional: Hand over information from the Portnox Cloud team to the MaaS 360 team

In this section, you will learn what information was collected in previous steps from Portnox Cloud, which is needed to configure MaaS 360 to work with Portnox Cloud.

If different people are responsible for managing Portnox Cloud and MaaS 360, here is the information you need to hand over:

  • The URL of the Portnox Cloud SCEP server. For example, https://scep.portnox.com/b2973887-1274-45d4-91d0-4a342a861c76.

  • The password for the SCEP server.

  • The root CA certificate file in the Base-64 encoded X.509 format. For example, rootCertificate.cer.

Install the IBM Cloud Extender on a Windows machine

In this section, you will download IBM Cloud Extender and install it on a Windows virtual or physical machine. Cloud Extender is required by MaaS 360 to support the SCEP protocol.

Note:
If you previously installed Cloud Extender for your MaaS 360 tenant, you can skip this step. To configure SCEP, you can use your existing Cloud Extender installation.
  1. In your browser, go to the MaaS 360 Login URL.

    You received this URL in the initial email from MaaS 360, which IBM sent to you after you registered for MaaS 360.

  2. In your MaaS 360 dashboard, in the top menu, select SETUP > Enterprise Integration > Cloud Extender.

  3. Follow steps 2 and 3 on the screen to get your Cloud Extender license key (sent to your email) and download the Cloud Extender installer file (MaaS360_Cloud_Extender.exe).

    Note:
    If the Windows machine where you want to install Cloud Extender is different than the machine you are accessing the dashboard with, copy the file to the destination machine.
  4. Run the installer file on the destination machine and follow the installer wizard steps to install the software.

    When installing Cloud Extender, you will be asked to enter the license key (received via email) and your Account ID. You can find the Account ID in your MaaS 360 dashboard by clicking on the user icon in the top-right corner of the screen.

Result: You have installed Cloud Extender on the destination Windows machine.

Create the SCEP CA configuration in Cloud Extender

In this section, you will create the SCEP CA configuration using the Cloud Extender Configuration Tool on the destination Windows machine. This configuration and this template will be used by the profiles that you will create later in the MaaS 360 tenant.

Note:
If you already created MaaS 360 UEM profiles for other operating systems, you do not need to create a new SCEP CA configuration, unless you use user-based profiles and device-based profiles for different devices, or if the device identification for this operating system uses different authentication repository properties than other operating systems.
  1. In the Cloud Extender Configuration Tool, click on the Certificate Integration tile.

  2. In the Certificate Integration pane, click on the Add New Template button and then select the following options:

    1. In the Select your Enterprise Certificate Authority (CA) section, select the Microsoft CA option.
    2. In the Select the purpose of issuing Identity Certificates section, select the User Authentication for Email, Wi-Fi, VPN, browser or reverse proxy > SCEP option.
    3. Click on the Next button.
  3. In the SCEP Config step:

    1. In the Template Name field, enter a name for this template.

      In this example, we used the name Portnox Cloud, but you can use any name you like.

    2. In the Hostname of SCEP server fields, select the http option in the first field, and in the second field, paste the SCEP URL that you copied earlier from Portnox Cloud. Then, remove the http:// prefix.
    3. In the SCEP Server challenge type field, select the Static option.
    4. In the Challenge Value field, paste the password that you copied earlier from Portnox Cloud.
      Note:
      The password will be displayed in clear text.
    5. Click on the Next button.
  4. In the Cert Attributes step:

    1. In the Subject field, type a variable that will help you identify this device on the Devices screen in Portnox Cloud.

      For example: /CN=%imei%.

      Portnox Cloud will create Portnox accounts for new devices, and the value of this variable will be used as the name for such accounts. In this case, new Portnox accounts for new devices will be named after the device’s IMEI so you can identify the devices in Portnox Cloud.

      Note:
      The list of variables with explanations is available in Cloud Extender documentation.
    2. In the Subject Alternate Name field, select the None option.
    3. Click on the Next button.
  5. In the Finish step, click on the Advanced button.

  6. In the Advanced window:

    1. In the SCEP Server URL field and the Challenge URL field, paste the SCEP URL that you copied earlier from Portnox Cloud.
    2. Adjust the other fields according to your preferences, then click on the OK button.
  7. In the Finish step:

    1. In the Test Configuration section, enter example values for a user that exists in your integrated directory, and then click on the Save and Test button.
    2. If the test was successful, click on the Save button to test your configuration.

Result: You created a configuration for the Portnox Cloud SCEP CA.

Create an iOS profile in MaaS 360

In this section, you will create an iOS profile in the MaaS 360 tenant for obtaining the SCEP certificate.

  1. In your MaaS 360 tenant, in the top menu, select: SECURITY > Policy Management > Policies.

  2. In the Policies pane, click on the Add Policy button.

  3. In the Add Policy pane:

    1. In the Name field, enter the name for this policy.

      In this example, we used the name Portnox Cloud iOS, but you can use any name you like.

    2. In the Type field, select the iOS MDM option.
    3. In the Start From field, select the My Existing Policies option.
    4. In the My Existing Policies field, select the (def) Default iOS MDM Policy option.
    Note:
    You can also edit the Default iOS MDM Policy directly if you want all your iOS devices to use the same policy.
  4. In the new policy pane, in the left-hand side menu, select the Advanced Settings > Certificates option.

  5. In the Certificates pane, activate the Configure Trust or Credentials Certificates on the Device checkbox.

  6. In the Trust or CA Certificates section, in the Certificate Name field, enter a name for this certificate, and then in the Certificate section, click on the  +  icon.

    In this example, we used the name root certificate, but you can use any name you like.

  7. In the Upload New Certificate window:

    1. In the Certificate Display Name field, enter a name for this certificate.

      In this example, we used the name root certificate, but you can use any name you like.

    2. Click on the Drag and drop files here or click to upload link, and then select the Portnox Cloud root certificate file that you downloaded earlier.
    3. Click on the Save button.
    4. After you close the window, select the certificate in the Certificate field.
  8. In the left-hand side menu, select the Device Settings > Wi-Fi option. Then, click on the Edit button.

  9. In the Wi-Fi field, select the WPA/WPA2 (Enterprise) option.

  10. In the Service Set Identifier (SSID) field, type the SSID of your Wi-Fi network.

  11. Activate the Auto Join checkbox.

  12. Activate the Disable MAC Address Randomization checkbox.

    Important:
    If you do not turn off MAC address randomization, and the supplicant certificates are not issued by Portnox SCEP, and the certificate’s SAN field does not include a Jamf or Intune device ID, Portnox Cloud assigns a new license to the device each time it connects with a different MAC address. This can significantly increase your licensing costs. Even if you use Portnox SCEP and this issue does not apply, we still recommend turning MAC address randomization off for safety.
  13. In the Encryption Type field, select the WPA option.

  14. In the Accepted EAP types field, select only the TLS option.

  15. In the Trusted Certificates field, select the root certificate from the list.

    Note:
    This is the same certificate that you added earlier in the Certificates pane.
  16. In the Trusted Certificate Name field, type: clear-rad.portnox.com.

  17. Activate the Certificate Required checkbox.

  18. In the Identity Certificate field, select the SCEP CA configuration that you added earlier in the Cloud Extender.

  19. Click on the Next button twice, and then on the Publish button to publish this policy. Then, follow the steps as requested, including confirming and entering your MaaS 360 password.

Result: You created a profile for Portnox Cloud and iOS devices. You can now assign this profile to devices by following MaaS 360 documentation.