Onboard Android devices with certificates using Workspace ONE UEM and SCEP

In this topic, you will learn how to deploy Portnox™ Cloud certificates to Android devices via Workspace ONE UEM and SCEP.

Turn on the Portnox Cloud SCEP services

In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.

If you have previously turned on the Portnox Cloud SCEP services, skip to the later steps.

Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > SCEP Services option.

  3. Enable integration with SCEP services.

    1. Click on the Edit link.
    2. Activate the Enable integration checkbox.
    3. Click on the Save button.
  4. Click on the  ⧉  icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
  5. Click on the  ⧉  icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.

Download the root CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal.

You need the root CA certificate so that your managed devices can verify the validity of Cloud RADIUS servers, which have certificates signed by this root CA certificate. If the root CA certificate is not distributed to managed devices, some devices may show a security warning each time that the user connects to networks managed by Portnox Cloud.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > CLOUD RADIUS SERVICE > Cloud RADIUS instance option.

    The right-hand pane shows the list of active servers.

  3. Click on any of the active RADIUS services to show its configuration.
  4. Click on the Download root certificate link to download the root CA certificate.

    Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.

Create the SCEP CA configuration and the SCEP request template

In this section, you will create the SCEP CA configuration and the SCEP request template in Workspace ONE UEM. This configuration and this template will be used by the profiles that you will create later.

Note:
If you already created Workspace ONE UEM profiles for other operating systems, you do not need to create a new SCEP CA configuration. However, you may need to create a new SCEP request template, if you use device-based profiles, and if the device identification for this operating system uses different authentication repository properties than other operating systems.
  1. Open your Workspace ONE UEM tenant dashboard in your browser, and log in as the administrator.
  2. In the left-hand side menu, select: GROUPS & SETTINGS > All Settings.

  3. In the Settings pane, in the left-hand side menu, select: System > Enterprise Integration > Certificate Authorities.

  4. In the Certificate Authorities pane, click on the Add button.

  5. In the Certificate Authority – Add/Edit pane:

    1. In the Name field, enter a name for this configuration.

      In this example, we used the name Portnox Cloud SCEP, but you can use any name you like.

    2. In the Authority Type field, select the Generic SCEP option.
    3. In the SCEP URL field, paste the SCEP URL that you copied earlier from Portnox Cloud.
    4. In the Static Challenge and Confirm Challenge Phrase fields, paste the password that you copied earlier from Portnox Cloud.
    5. Click on the TEST CONNECTION button to test your configuration.

      You should get a message Test is successful. If you get a message Test is unsuccessful, check your configuration values and also check the status of your Airwatch Cloud Connector – either make sure it is disabled, or enabled and deployed.

    6. Click on the SAVE AND ADD TEMPLATE button to save this configuration and proceed to adding a SCEP request template.
  6. In the Certificate Template – Add/Edit pane:

    1. In the Name field, type a name for this template.

      In this example, we used the name Portnox Cloud SCEP Template, but you can use any name you like.

    2. In the Certificate Authority field, select the name of the SCEP configuration you just created.
    3. In the Subject Name field, enter the variables that Workspace ONE UEM will use to fill the Subject name field of the certificate.
      Note:
      Click on the + symbol to show a list of variables that you can use.

      In this example, we used the format CN={EmailAddress}, which generates the subject name on the basis of the user’s email address and is the recommended value for user-based SCEP certificates in Portnox Cloud.

      If you are using device-based certificates, use a device-related value such as CN={DeviceSerialNumber} instead. This will let Portnox Cloud create Cloud accounts for new devices, and the value of this variable will be used as the name for such accounts. In this case, new Portnox accounts for new devices will be named after the device’s serial number so you can identify the devices in Portnox Cloud.

    4. In the Private Key Length field, we recommend that you select the 2048 option.
      Note:
      If you’re likely to experience network packet fragmentation due to the structure of your network, for example, due to firewalls, choose 1024 instead to prevent issues due to fragmentation. If such problems occur, see the following topic: Certificate fragmentation issues.
    5. In the Private Key Type field, select both checkboxes.
    6. Optional: In the SAN Type field, click on the +Add button to add a new SAN entry. Then in the left-hand side field for the new SAN entry, select the User Principal Name option, and in the right-hand side field, type {EmailAddress}.
      Note:
      This step is necessary for user-based certificates. If you are using device-based certificates, skip this step.

      If you are using user-based certificates, the variable in this field must match a value from the authentication repository in Portnox Cloud, which uniquely identifies the user. In the case of device-based certificates, Portnox Cloud will create a Portnox account based on the information from the certificate. To understand how Portnox Cloud matches the identity in the certificates with the authentication repository, read the following section: Certificate identity information.

      In this example, we used the variable {EmailAddress}, which generates the UPN SAN on the basis of the user’s email address and is the recommended value for user-based SCEP certificates in Portnox Cloud.

      Note:
      Click on the + symbol to show a list of variables that you can use.
    7. In the Automatic Certificate Renewal field, we recommend that you select the ENABLED option and in the Publish Private Key field, we recommend that you select the DISABLED option.

      These values will not directly affect the integration. They apply to your certificate renewal management and security preferences. Adjust them to your needs, if necessary.

    8. Click on the SAVE button to save the template.

Result: You created a configuration for the Portnox Cloud SCEP CA and the SCEP request template.

Optional: Hand over information from the Portnox Cloud team to the Workspace ONE team

In this section, you will learn what information was collected in previous steps from Portnox Cloud, which is needed to configure Workspace ONE to work with Portnox Cloud.

If different people are responsible for managing Portnox Cloud and Workspace ONE, here is the information you need to hand over:

  • The URL of the Portnox Cloud SCEP server. For example, https://scep.portnox.com/b2973887-1274-45d4-91d0-4a342a861c76.

  • The password for the SCEP server.

  • The root CA certificate file in the Base-64 encoded X.509 format. For example, rootCertificate.cer.

Create a profile for Android

In this section, you will create a profile in Workspace ONE UEM for Android devices. This profile will contain the necessary certificates as well as SCEP and Wi-Fi configurations.

  1. In the left-hand side menu, select: RESOURCES > Profiles & Baselines > Profiles.

  2. In the Profiles pane, click on the Add button and select the Add Profile option.

  3. In the Add Profile pane, click on the Android icon.

  4. In the Name Your Profile field, enter a name for the profile.

    In this example, we used the name Portnox Cloud Android Profile, but you can use any name you like.

  5. In the Start typing to search for payloads and settings field, type credentials, and then click on the SEARCH button. Then, click on the ADD button in the Credentials row.

  6. In the Credentials section:

    1. In the Credential Source field, select the Defined Certificate Authority option.
    2. In the Certificate Authority field, select the name of the SCEP CA configuration you created earlier.
    3. In the Certificate Template field, select the name of the SCEP request template you created earlier.
    4. Click on the ADD button under the Credentials heading to add another credentials payload.
  7. In the second Credentials section:

    1. In the Credential Source field, select the Upload option.
    2. In the Certificate section, click on the CHOOSE FILE button and select the root CA certificate file that you downloaded earlier. Then, click on the ATTACH CERTIFICATE button.

  8. In the Start typing to search for payloads and settings field, type wi-fi, and then click on the SEARCH button. Then, click on the ADD button in the Wi-Fi row.

  9. In the Wi-Fi section:

    1. In the Service Set Identifier field, enter the SSID of your Wi-Fi network.
    2. Activate the Set as Active Network switch.
    3. In the Security Type field, select the WPA/WPA2 Enterprise option.
    4. In the SFA Type section, select the TLS option.
    5. In the Identity Certificate field, select the Credentials 1 option.
    6. In the Root Certificate section, activate the Credentials 2 checkbox.
    Important:
    Newer Android versions may also require you to fill in the Identity and Domain fields, even if the values you input here are effectively ignored and the actual information is acquired from the certificate fields. The Identity field can contain any string, and the Domain field should specify the corporate domain supported by your authentication repository.
  10. Check if your summary information is the same as on the screenshot, and then in the bottom-right corner of the profile pane, click on the NEXT button.

  11. In the Assignment section, select the Smart Group as needed to push this profile to correct devices, configure any other options as needed in your environment, and then click on the SAVE & PUBLISH button.

Result: You created a profile for Portnox Cloud and Android devices.

After you created your profile, you can use your regular Workspace ONE UEM procedures to push it to managed devices immediately and see if it works correctly. For information on managing devices, pushing profiles, and troubleshooting, consult the Workspace ONE UEM documentation.