Onboard Windows devices with certificates using Workspace ONE UEM and SCEP

In this topic, you will learn how to deploy Portnox™ Cloud certificates to Windows devices via Workspace ONE UEM and SCEP.

Turn on the Portnox Cloud SCEP services

In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.

If you have previously turned on the Portnox Cloud SCEP services, skip this section and continue with the next one.

Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR GENERAL SETTINGS heading.

    More options appear under the CLEAR GENERAL SETTINGS heading and description.

  3. Enable integration with SCEP services.

    1. Scroll down to the SCEP SERVICES section.
    2. Click on the Edit link.
    3. Activate the Enable integration checkbox.
    4. Click on the Save button.

  4. Click on the ⧉ icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
  5. Click on the ⧉ icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.

Download the root CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal.

You need the root CA certificate so that your managed devices can verify the validity of cloud RADIUS servers, which have certificates signed by this root CA certificate. If the root CA certificate is not distributed to managed devices, some devices may show a security warning each time that the user connects to networks managed by Portnox Cloud.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR RADIUS SERVICE heading.

    The active servers appear under the CLEAR RADIUS SERVICE heading and description along with advanced options.

  3. Click on any of the active RADIUS services to show its configuration.
  4. Click on the Download root certificate link to download the root CA certificate.

    Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.

Create the SCEP CA configuration and the SCEP request template

In this section, you will create the SCEP CA configuration and the SCEP request template in Workspace ONE UEM. This configuration and this template will be used by the profiles that you will create later.

Note: If you already created Workspace ONE UEM profiles for other operating systems, you do not need to create a new SCEP CA configuration. However, you may need to create a new SCEP request template if you use device-based profiles and the device identification for this operating system uses different authentication repository properties than the other operating systems.

  1. Open your Workspace ONE UEM tenant dashboard in your browser, and log in as the administrator.
  2. In the left-hand side menu, select: GROUPS & SETTINGS > All Settings.

  3. In the Settings pane, in the left-hand side menu, select: System > Enterprise Integration > Certificate Authorities.

  4. In the Certificate Authorities pane, click on the Add button.

  5. In the Certificate Authority – Add/Edit pane:

    1. In the Name field, enter a name for this configuration.

      In this example, we used the name Portnox Cloud SCEP, but you can use any name you like.

    2. In the Authority Type field, select the Generic SCEP option.
    3. In the SCEP URL field, paste the SCEP URL that you copied earlier from Portnox Cloud.
    4. In the Static Challenge and Confirm Challenge Phrase fields, paste the password that you copied earlier from Portnox Cloud.
    5. Click on the TEST CONNECTION button to test your configuration.

      You should get the message Test is successful. If you get the message Test is unsuccessful, check your configuration values and also check the status of your AirWatch Cloud Connector: make sure that it is either disabled, or enabled and deployed.

    6. Click on the SAVE AND ADD TEMPLATE button to save this configuration and proceed to adding a SCEP request template.
  6. In the Certificate Template – Add/Edit pane:

    1. In the Name field, type a name for this template.

      In this example, we used the name Portnox Cloud SCEP Template, but you can use any name you like.

    2. In the Certificate Authority field, select the name of the SCEP configuration you just created.
    3. In the Subject Name field, enter the variables that Workspace ONE UEM will use to fill the Subject name field of the certificate.

      The CN= value in the Subject name field of the certificate must match a value from the authentication repository in Portnox Cloud, which uniquely identifies the user or the device. This is the value on the basis of which the Portnox Cloud SCEP server will know for which user or device it should issue a certificate.

      Note: Click on the + symbol to show a list of variables that you can use.

      In this example, we used the format CN={EmailAddress}, which generates the subject name on the basis of the user’s email address and is the recommended value for user-based SCEP certificates in Portnox Cloud.

    4. In the Private Key Length field, we recommend that you select the 2048 option.

      Note: If you’re likely to experience network packet fragmentation due to the structure of your network, for example, due to firewalls, choose 1024 instead to prevent issues due to fragmentation. If such problems occur, see the following topic: Certificate fragmentation issues.

    5. In the Private Key Type field, select both checkboxes.
    6. In the Automatic Certificate Renewal field, we recommend that you select the ENABLED option and in the Publish Private Key field, we recommend that you select the DISABLED option.

      These values will not directly affect the integration. They apply to your certificate renewal management and security preferences. Adjust them to your needs, if necessary.

    7. Click on the SAVE button to save the template.

Result: You created a configuration for the Portnox Cloud SCEP CA and the SCEP request template.

Create a user profile

In this section, you will create a user profile in Workspace ONE UEM for obtaining the SCEP certificate.

The user profile in Workspace ONE UEM is needed to obtain the SCEP certificate from the Portnox Cloud SCEP server for the current user or for the current device. The SCEP certificate is then used by the device profile for Wi-Fi authentication.

  1. In the left-hand side menu, select: RESOURCES > Profiles & Baselines > Profiles.

  2. In the Profiles pane, click on the Add button and select the Add Profile option.

  3. In the Add Profile pane, click on the Windows icon.

  4. In the Select Device Type pane, click on the Windows Desktop icon.

  5. In the Select Context pane, click on the User icon.

  6. In the General tab, in the Name field, enter a name for the profile and configure other options as required by your organization policies.

    Note: In the Smart Groups field, make sure to select the correct group so that this profile is pushed to the correct devices.

    In this example, we used the name Portnox Cloud User Profile, but you can use any name you like.

  7. In the left-hand side menu, click on the SCEP option, and then click on the Configure button in the right-hand side pane.

  8. In the SCEP pane:

    1. In the Credential Source field, select the Defined Certificate Authority option.
    2. In the Certificate Authority field, select the name of the SCEP CA configuration you created earlier.
    3. In the Certificate Template field, select the name of the SCEP request template you created earlier.
    4. In the Key Location field, select the TPM If Present option.
  9. In the bottom-right corner of the Add a New Windows Desktop Profile pane, click on the SAVE AND PUBLISH button.

  10. In the View Device Assignment window, confirm that the profile will be pushed to the correct devices, and then click on the PUBLISH button.

Result: You created a user profile for Portnox Cloud and Windows devices.

Create a device profile

In this section, you will create a device profile in Workspace ONE UEM with a Wi-Fi payload for secure Wi-Fi connections.

The device profile in Workspace ONE UEM is used to distribute the root CA certificate that you downloaded earlier from Portnox Cloud, as well as to push the Wi-Fi configuration on the basis of the SCEP certificate generated with the help of the user profile.

  1. In the left-hand side menu, select: RESOURCES > Profiles & Baselines > Profiles.

  2. In the Profiles pane, click on the Add button and select the Add Profile option.

  3. In the Add Profile pane, click on the Windows icon.

  4. In the Select Device Type pane, click on the Windows Desktop icon.

  5. In the Select Context pane, click on the Device icon.

  6. In the left-hand side menu, click on the Credentials option, and then click on the Configure button in the right-hand side pane.

  7. In the Credentials pane, configure the following payload:

    1. In the Credential Source field, select the Defined Certificate Authority option.
    2. In the Certificate Authority field, select the name of the SCEP CA configuration you created earlier.
    3. In the Certificate Template field, select the name of the SCEP request template you created earlier.
    4. In the Key Location field, select the TPM If Present option.
    5. In the Certificate Store field, select the Personal option.
  8. Click on the + icon in the bottom-right corner of the Credentials pane to add another credentials payload, and then configure the following payload:

    1. In the Credential Source field, select the Upload option.
    2. In the Certificate Store field, select the Trusted Root option.
    3. In the Certificate section, click on the UPLOAD button and select the root CA certificate file that you downloaded earlier.
    4. Select the Thumbprint value, copy it to the clipboard, and save it for later, for example, in Notepad or in a text file.
  9. In the left-hand side menu, click on the Wi-Fi option, and then click on the Configure button in the right-hand side pane.

  10. In the Wi-Fi pane:

    1. In the Service Set Identifier field, enter the SSID of your Wi-Fi network.
    2. In the Security Type field, select the WPA2 Enterprise option.
    3. In the Encryption field, select the AES option.
    4. In the Protocols field, select the Certificate option.
    5. In the Authentication field, select the Certificate #1 option.

      This is the SCEP certificate that is requested by the user profile and added as the first Credentials payload in this profile.

    6. In the Trusted Server Certificate Thumbprints section, click on the Add button and paste the thumbprint that you saved in the previous steps.

      This thumbprint is needed so that the managed Windows computer recognizes the Portnox Cloud RADIUS server. Without it, the user would see a security warning.

  11. In the bottom-right corner of the Add a New Windows Desktop Profile pane, click on the SAVE AND PUBLISH button.

  12. In the View Device Assignment window, confirm that the profile will be pushed to the correct devices, and then click on the PUBLISH button.

Result: You created a device profile for Portnox Cloud and Windows devices.

After you have created your profiles, you can use your regular Workspace ONE UEM procedures to push them to managed computers immediately and check that they work correctly. For information on managing computers, pushing profiles, and troubleshooting, consult the Workspace ONE UEM documentation.
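One way to check on a managed computer that the user profile and the device profile did what the sections above describe (the root CA in the Trusted Root store, a SCEP certificate with the CN built from the template, and a TPM-backed key). This is an added example, not code from Portnox or from the Workspace ONE UEM documentation; the file path and the e-mail address are assumptions to adjust.

```powershell
# Added example (not from the Portnox or Workspace ONE UEM documentation). Run it on an
# onboarded Windows desktop, in the session of the enrolled user, after both profiles applied.
# Assumptions (adjust): path of the root CA file downloaded from the Cloud portal, and the
# enrolled user's e-mail address, which the template's CN={EmailAddress} puts in the subject.
$RootCaFile = 'C:\Temp\rootCertificate.cer'
$ExpectedCn = 'user@example.com'

# 1. Thumbprint of the downloaded root CA file. .NET reports the SHA-1 thumbprint as
#    uppercase hex; this is the value entered as the trusted server certificate thumbprint.
$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaFile
Write-Host "Root CA thumbprint from file : $($rootCa.Thumbprint)"

# 2. The Trusted Root credentials payload of the device profile should have installed it.
$installedRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootCa.Thumbprint }
if ($installedRoot) { Write-Host 'Root CA in LocalMachine\Root : OK' }
else { Write-Warning 'Root CA not found in LocalMachine\Root; the device profile may not have applied.' }

# 3. The SCEP payload of the user profile should have enrolled a certificate whose subject
#    CN is the user's e-mail address, with a private key, in the user's Personal store.
$userCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($ExpectedCn))" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $userCert) {
    Write-Warning "No SCEP certificate with CN=$ExpectedCn in CurrentUser\My; check the user profile."
    return
}
Write-Host "SCEP certificate subject     : $($userCert.Subject)"
Write-Host "SCEP certificate issuer      : $($userCert.Issuer), expires $($userCert.NotAfter)"

# 4. Key Location 'TPM If Present': a TPM-backed key is a CNG key held by the
#    Microsoft Platform Crypto Provider. Anything else is a software key without the
#    TPM's protection against extraction, so it is worth flagging.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($userCert)
if (-not $rsa) {
    Write-Warning 'The private key is not an RSA key or is not accessible in this session.'
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $provider = $rsa.Key.Provider.Provider
    if ($provider -eq 'Microsoft Platform Crypto Provider') {
        Write-Host "Private key provider         : $provider (TPM-backed) : OK"
    } else {
        Write-Warning "Private key provider: $provider (software key; the TPM was not used)"
    }
} else {
    Write-Warning 'The private key is a legacy CAPI (CSP) key, not a TPM-backed CNG key.'
}
```

If the device has no TPM, the "TPM If Present" setting silently falls back to a software key, which is exactly what step 4 reports.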

Important: For Windows desktops, Workspace ONE UEM does not support wired network profiles, only Wi-Fi profiles. Support for wired profiles is currently available in the Workspace ONE UEM Beta programme. Until this support is available for all Workspace ONE UEM instances, the workaround is to manually configure a device to connect to the wired LAN without Workspace ONE UEM, use the netsh command to export a lan.xml file, and then use that XML file as a custom XML payload in Workspace ONE UEM.
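The export step of the workaround above, as an added example that is not part of the Portnox or Workspace ONE UEM documentation. It runs on a desktop already configured manually for the wired LAN, exports the profile with netsh, and reads the XML back to confirm that 802.1X is enabled and that EAP-TLS server validation pins the Portnox root CA before the file is uploaded as a custom XML payload. The adapter name, the export folder and the root CA file path are assumptions.

```powershell
# Added example, not from the Portnox or Workspace ONE UEM documentation. Run it in an
# elevated PowerShell session on a Windows desktop that you have already configured manually
# (outside Workspace ONE UEM) to authenticate on the wired LAN with its certificate.
# Assumptions (adjust): the adapter name as shown by Get-NetAdapter, an export folder, and
# the path of the root CA file downloaded from the Cloud portal.
$InterfaceName = 'Ethernet'
$ExportFolder  = 'C:\Temp\LanProfile'
$RootCaFile    = 'C:\Temp\rootCertificate.cer'

# 802.1X on wired adapters is handled by the Wired AutoConfig service (dot3svc); netsh lan
# cannot show or export profiles unless it is running.
if ((Get-Service dot3svc).Status -ne 'Running') {
    Set-Service dot3svc -StartupType Automatic
    Start-Service dot3svc
}
New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null

# Export the wired profile; netsh writes an XML file per interface into the folder.
netsh lan export profile folder="$ExportFolder" interface="$InterfaceName"

# Read the exported profile back and check the settings that matter before uploading it:
# 802.1X must be enabled, and the EAP-TLS server validation should pin the Portnox root CA,
# whose SHA-1 thumbprint the profile stores as space-separated hex in TrustedRootCA.
$xmlFile = Get-ChildItem -Path $ExportFolder -Filter '*.xml' | Select-Object -First 1
[xml]$lanProfile = Get-Content -Path $xmlFile.FullName
# Namespace-agnostic XPath, because the profile mixes several Microsoft XML namespaces.
$oneXEnabled = $lanProfile.SelectSingleNode("//*[local-name()='OneXEnabled']").InnerText
$pinnedRoots = $lanProfile.SelectNodes("//*[local-name()='TrustedRootCA']") |
    ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() }

$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaFile
Write-Host "Exported profile  : $($xmlFile.FullName)"
Write-Host "802.1X enabled    : $oneXEnabled"
Write-Host "Pinned root CA(s) : $($pinnedRoots -join ', ')"
if ($pinnedRoots -contains $rootCa.Thumbprint) {
    Write-Host 'Portnox root CA pinned for server validation : OK'
} else {
    Write-Warning 'The exported profile does not pin the Portnox root CA; the RADIUS server certificate would not be validated against it.'
}
```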