Onboard Windows devices with user certificates using SOTI MobiControl and SCEP

In this topic, you will learn how to deploy Portnox™ Cloud user certificates to Windows devices via SOTI MobiControl and SCEP.

Important: At the time of writing, SOTI MobiControl supports only Windows and Android devices with Portnox Cloud SCEP servers. SOTI MobiControl can also manage macOS and iOS devices, but issues in the SOTI MobiControl administrative interface prevent it from working with the Portnox Cloud SCEP servers for those platforms. If you need to manage devices other than Windows or Android, contact SOTI for an update on when these issues will be resolved.

Turn on the Portnox Cloud SCEP services

In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.

If you have previously turned on the Portnox Cloud SCEP services, skip this section and continue with the next one.

Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > SCEP Services option.

  3. Enable integration with SCEP services.

    1. Click on the Edit link.
    2. Activate the Enable integration checkbox.
    3. Click on the Save button.
  4. Click on the  ⧉  icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
  5. Click on the  ⧉  icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.

Download the root CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal.

You need the root CA certificate so that your managed devices can verify the validity of cloud RADIUS servers, which have certificates signed by this root CA certificate. If the root CA certificate is not distributed to managed devices, some devices may show a security warning each time that the user connects to networks managed by Portnox Cloud.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > CLEAR RADIUS SERVICE > CLEAR RADIUS instance option.

    The right-hand pane shows the list of active servers.

  3. Click on any of the active RADIUS services to show its configuration.
  4. Click on the Download root certificate link to download the root CA certificate.

    Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.

Copy the tenant CA certificate thumbprint from Portnox Cloud

In this section, you will copy the tenant CA certificate thumbprint from the Cloud portal and save it, so you can use it later in SOTI MobiControl configuration.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Trusted Root Certificates option.

  3. In the Trusted Root Certificates section, select the value of the Thumbprint next to the certificate that you are currently using (if there is more than one) and use your operating system’s copy function to copy this value to the clipboard.

  4. Save the value from the clipboard in a temporary text file to use it later during configuration.

Optional: Hand over information from the Portnox Cloud team to the SOTI MobiControl team

In this section, you will learn what information was collected in previous steps from Portnox Cloud, which is needed to configure SOTI MobiControl to work with Portnox Cloud.

If different people are responsible for managing Portnox Cloud and SOTI MobiControl, here is the information you need to hand over:

  • The URL of the Portnox Cloud SCEP server. For example, https://scep.portnox.com/b2973887-1274-45d4-91d0-4a342a861c76.

  • The password for the SCEP server.

  • The root CA certificate file in the Base-64 encoded X.509 format. For example, rootCertificate.cer.

  • The thumbprint of the tenant CA certificate. For example, 6E138176256057344FEA53BDDAD3D0F6BF2D90F3.
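Before these four items are typed into SOTI MobiControl, it is worth checking that they are consistent with each other, because the thumbprint is what SOTI uses to pin the CA certificate it receives from the SCEP server, and a typo there only shows up later as failed enrolments. The following PowerShell script is an added example, not part of the Portnox Cloud or SOTI MobiControl documentation. Every value in its param() block is a placeholder, and it assumes that the Portnox SCEP endpoint answers the standard SCEP GetCACert query (RFC 8894), which this page does not state.

```powershell
# Added example (not part of the Portnox Cloud or SOTI MobiControl documentation):
# checks the hand-over items before they are typed into the SOTI CA configuration.
# Assumptions: every value in param() is a placeholder to be replaced; the Portnox
# SCEP endpoint answers the standard SCEP GetCACert query (RFC 8894), which the
# page does not state and is assumed here.
param(
    [string]$ScepUrl       = 'https://scep.portnox.com/<TENANT-ID-PLACEHOLDER>',
    [string]$RootCertPath  = '.\rootCertificate.cer',
    [string]$TenantCaThumb = '<TENANT-CA-THUMBPRINT-PLACEHOLDER>'
)
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. The SCEP URL must use HTTPS: the static challenge password is sent to it.
$uri = [Uri]$ScepUrl
if ($uri.Scheme -ne 'https') { $problems += "SCEP URL is not HTTPS: $ScepUrl" }

# 2. The root CA file must be Base-64 (PEM) X.509, the format SOTI imports.
$pem = Get-Content -Path $RootCertPath -Raw
if ($pem -notmatch '-----BEGIN CERTIFICATE-----') {
    $problems += "$RootCertPath has no PEM header; re-export it as Base-64 encoded X.509"
}
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
if ($root.Subject -ne $root.Issuer) { $problems += "$RootCertPath is not self-signed, so it is not a root CA" }
if ($root.NotAfter -lt (Get-Date))  { $problems += "$RootCertPath expired on $($root.NotAfter)" }
Write-Host "Root CA : $($root.Subject)"
Write-Host "Thumb   : $($root.Thumbprint)  (valid until $($root.NotAfter))"

# 3. The tenant CA thumbprint must be 40 hex digits. SOTI uses it to pin the CA
#    certificate returned by the SCEP server, so a typo here breaks enrolment.
$thumb = ($TenantCaThumb -replace '[\s:]', '').ToUpperInvariant()
if ($thumb -notmatch '^[0-9A-F]{40}$') {
    $problems += "Tenant CA thumbprint is not 40 hex digits: '$TenantCaThumb'"
}

# 4. Fetch the CA certificate(s) the SCEP server publishes and compare thumbprints.
#    GetCACert may return one DER certificate or a PKCS#7 bundle; Import() accepts both.
try {
    $resp   = Invoke-WebRequest -Uri ($ScepUrl + '?operation=GetCACert') -UseBasicParsing
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import([byte[]]$resp.Content)
    $bundle | ForEach-Object { Write-Host "SCEP CA : $($_.Subject)  $($_.Thumbprint)" }
    if (-not ($bundle | Where-Object { $_.Thumbprint -eq $thumb })) {
        $problems += "No certificate returned by GetCACert matches thumbprint $thumb"
    }
} catch {
    $problems += "GetCACert query failed: $($_.Exception.Message)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Hand-over items look consistent.'
```

Run it from the folder that holds rootCertificate.cer, passing the real SCEP URL and thumbprint as parameters. A warning on step 4 means either the SCEP server is unreachable from your workstation or the thumbprint you copied belongs to a different certificate than the one the SCEP server presents; resolve that before entering the values in SOTI MobiControl.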

Create the SCEP CA configuration and the SCEP request template

In this section, you will create the SCEP CA configuration and the SCEP request template in SOTI MobiControl. This configuration and this template will be used by the profiles that you will create later.

  1. Open your SOTI MobiControl tenant dashboard in your browser, and log in as the administrator.
  2. In the left-hand side menu, select: SYSTEM SETTINGS > Global Settings.

  3. In the Global Settings menu, scroll down and select: Services > Certificate Authority.

  4. In the Certificate Authority window, click on the  +  button.

  5. In the CERTIFICATE AUTHORITY window:

    1. In the Name field, enter a name for this configuration.

      In this example, we used the name Portnox Cloud SCEP, but you can use any name you like.

    2. In the Certificate Type field, select the ADCS option.
    3. In the Configuration Type field, select the SCEP option.
    4. Deactivate the Use SCEP Client switch.
    5. In the Service URL field, paste the SCEP URL that you copied earlier from Portnox Cloud.
    6. Activate the Use Static Challenge switch.
    7. In the Static Challenge field, paste the password that you copied earlier from Portnox Cloud.
    8. In the Thumbprint field, paste the thumbprint value that you copied earlier from Portnox Cloud.
  6. Scroll down the CERTIFICATE AUTHORITY window to the Certificate Templates section and click on the  +  button.

  7. In the Template Details section:

    1. In the Name field, type a name for this template.

      In this example, we used the name Portnox Cloud SCEP Template, but you can use any name you like.

    2. In the Subject Name field, enter CN=%ENROLLEDUSER_EMAIL% (or select this value using the  ⚙  icon).
    3. In the Subject Alternative Names section, click on the  +  icon, in the ALTERNATIVE NAME TYPE column, select the User Principal Name option, and in the ALTERNATIVE NAME VALUE column, enter %ENROLLEDUSER_EMAIL% (or select this value using the  ⚙  icon).
    4. Turn off the Provision Certificate to Authenticated Users Only switch.
    5. In the Certificate Usage field, select the Signing and Encryption option.
    6. Turn off the Enable Non-Repudiation switch.
    7. In the Key Size field, we recommend that you select the 2048 option.
      Note: If you’re likely to experience network packet fragmentation due to the structure of your network, for example, due to firewalls, choose 1024 instead to prevent issues due to fragmentation. If such problems occur, see the following topic: Certificate fragmentation issues.
    8. Turn on the Remove old certificates upon successful renewal switch.
    9. In the Key Protection section, select the Protected if Supported option and in the Valid Period field, keep the default value of 1 Years or change this value if desired.
    10. In the Hash Algorithm section, activate the SHA-1 checkbox.

      If you are sure that all your device operating systems support newer and safer SHA-2/SHA-3 algorithms, you can also select the other checkboxes.

    11. In the Extended Key Usage (EKU) section, activate the CLIENT_AUTHENTICATION switch.
    12. Click on the ADD button to save the template.
  8. Click on the SAVE button to save the SCEP configuration.

Result: You created a configuration for the Portnox Cloud SCEP CA and the SCEP request template.

Create a profile for Windows

In this section, you will create a profile in SOTI MobiControl for Windows devices. This profile will contain the necessary certificates as well as SCEP and Wi-Fi configurations.

  1. In the left-hand side menu, select: CONFIGURATIONS > Profiles.

  2. In the top-right corner of the Profiles pane, click on the NEW PROFILE button.

  3. In the ADD PROFILE window, click on the Windows icon, and then select the Modern Desktop option.

  4. In the CREATE PROFILE window, in the GENERAL tab, in the Profile Name field, enter a name for the profile.

    In this example, we used the name Portnox Cloud SCEP Windows, but you can use any name you like.

  5. Click on the CONFIGURATIONS tab and then click on the  +  button in the top-right corner. Then, select the Certificates option and then the Root Certificates option.

  6. In the ROOT CERTIFICATES window, in the Target Certificate Store section, select the Device option, and in the Add Certificates row, click on the button on the right-hand side to import a new certificate.

  7. In the Add Certificate window, click on the Browse button, find the root CA certificate file that you downloaded earlier from Portnox Cloud, and then click on the IMPORT button.

  8. In the ROOT CERTIFICATES window, activate the radio button next to the DigiCert Trusted Root G4 certificate (root CA certificate). Then, click on the Save button.

  9. In the CONFIGURATIONS tab, click on the  +  button in the top-right corner. Then, select the Certificates option and then the Client PFX Certificates option.

  10. In the CLIENT PFX CERTIFICATES window, in the Target Certificate Store section, select the User option, and in the Certificate Templates section, activate the radio button that represents the SCEP template that you created earlier. Then, click on the Save button.

  11. In the CONFIGURATIONS tab, click on the  +  button in the top-right corner. Then, select the SCEP option.

  12. In the SCEP window, in the Target Certificate Store section, select the User option, and in the Certificates section, activate the radio button that represents the SCEP configuration that you created earlier. Then, click on the Save button.

  13. In the CONFIGURATIONS tab, click on the  +  button in the top-right corner. Then, select the WiFi option.

  14. In the WIFI window:

    1. In the Network Name field, enter the SSID of your network managed by Portnox Cloud.
    2. Configure other fields in the Network section to match your network configuration.
    3. In the Security Type field, select the WPA2 Enterprise option.
    4. Expand the Protocols section.
    5. In the Accepted EAP Types section, activate the TLS radio button.
    6. Expand the Authentication section.
    7. In the SCEP Template field, select the SCEP template that you just configured.
    8. Expand the Trust section.
    9. Activate the Enable Server Validation switch.
    10. In the Trusted Certificates field, select DigiCert Trusted Root G4 (the root CA certificate that you uploaded earlier).
    11. In the Trusted Server Names section, click on the  +  icon.
    12. In the TRUSTED SERVER NAMES section, in the text field, type: clear-rad.portnox.com.
    13. Click on the Save button to save the Wi-Fi profile.
  15. Click on the SAVE AND ASSIGN button to save your configuration profile and assign it to your managed devices.

Result: You created a user profile for Portnox Cloud and Windows devices.

After you have created your profile, you can use your regular SOTI MobiControl procedures to push it to managed devices immediately and check that it works correctly. For information on managing devices, pushing profiles, and troubleshooting, consult the SOTI MobiControl documentation.
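To check that a device actually received what the SCEP template and the Windows profile above describe, the following PowerShell script can be run as the enrolled user on a device that has received the profile. It is an added example, not part of the Portnox Cloud or SOTI MobiControl documentation. The param() values are placeholders: the e-mail address stands in for %ENROLLEDUSER_EMAIL%, the root CA thumbprint is that of the root certificate you imported (DigiCert Trusted Root G4 on this page), and the SSID is the network name you entered in the WIFI window. It verifies the user certificate (store, subject CN, UPN SAN, Client Authentication EKU, key size, chain), the root certificate in the device store, and the Wi-Fi profile's EAP-TLS settings, server validation and trusted server name.

```powershell
# Added example (not part of the Portnox Cloud or SOTI MobiControl documentation):
# run as the enrolled user on a Windows device that received the profile, to confirm
# the certificate and Wi-Fi settings match the template and profile created above.
# Assumptions: the param() values are placeholders; the root CA thumbprint is the
# one shown for the root certificate you imported (DigiCert Trusted Root G4 here).
param(
    [string]$UserEmail      = 'user@example.com',                 # stands in for %ENROLLEDUSER_EMAIL%
    [string]$RootThumbprint = '<ROOT-CA-THUMBPRINT-PLACEHOLDER>',
    [string]$Ssid           = '<SSID-PLACEHOLDER>'
)
$ErrorActionPreference = 'Stop'
$clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the CLIENT_AUTHENTICATION EKU in the template
$RootThumbprint = ($RootThumbprint -replace '[\s:]', '').ToUpperInvariant()
$problems = @()

# 1. Client PFX / SCEP target store = User, so the certificate belongs in Cert:\CurrentUser\My.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$UserEmail" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$UserEmail and a private key in Cert:\CurrentUser\My" }
Write-Host "User cert : $($cert.Subject)  $($cert.Thumbprint)  sig=$($cert.SignatureAlgorithm.FriendlyName)"

# 2. Subject Alternative Name must carry the UPN set in the template.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($UserEmail)) {
    $problems += "SAN does not contain the UPN $UserEmail"
}

# 3. Extended Key Usage must include Client Authentication, or EAP-TLS rejects the certificate.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuth })) {
    $problems += 'EKU does not include Client Authentication'
}

# 4. Key size: the template recommends 2048; 1024 is allowed for fragmentation reasons, so only warn.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa) { $problems += 'Public key is not RSA' }
elseif ($rsa.KeySize -lt 2048) { Write-Warning "Key size is $($rsa.KeySize) bits (template recommendation is 2048)" }

# 5. Root Certificates target store = Device, so the root belongs in Cert:\LocalMachine\Root.
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $RootThumbprint })) {
    $problems += "Root CA $RootThumbprint is not in Cert:\LocalMachine\Root"
}

# 6. The chain from the user certificate must build (revocation skipped: this is an offline check).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $problems += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}

# 7. Wi-Fi profile: EAP-TLS (EAP type 13), server validation pinned to the root and to clear-rad.portnox.com.
$dir = Join-Path $env:TEMP ('wlan-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
netsh wlan export profile name="$Ssid" folder="$dir" | Out-Null
$xmlFile = Get-ChildItem -Path $dir -Filter *.xml | Select-Object -First 1
if (-not $xmlFile) { $problems += "Wi-Fi profile '$Ssid' not found on this device" }
else {
    $x = Get-Content -Path $xmlFile.FullName -Raw
    if ($x -notmatch '<Type[^>]*>13</Type>')    { $problems += 'Wi-Fi profile does not use EAP-TLS' }
    if ($x -notmatch 'clear-rad\.portnox\.com') { $problems += 'Trusted server name clear-rad.portnox.com is missing' }
    if ((($x -replace '\s', '').ToUpperInvariant()) -notmatch $RootThumbprint) {
        $problems += 'Wi-Fi profile does not pin the root CA thumbprint for server validation'
    }
}
Remove-Item -Path $dir -Recurse -Force

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Device-side checks passed.'
```

The checks in steps 5 to 7 are the ones that matter for security: without the root in the device store and the trusted server name in the Wi-Fi profile, the client will still authenticate, but it cannot tell a genuine Portnox RADIUS server from an access point that merely presents a certificate. A failure in step 2 or 3 typically means the template's Subject Alternative Name or EKU settings were not saved as described in the procedure above.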