Configure user browsers to automatically select the ZTNA certificate

In this topic, you will learn how to configure user browsers on Windows and macOS devices using UEM solutions (Microsoft Intune and Jamf) so that users are not prompted to select a certificate when accessing resources protected by Portnox™ ZTNA.

When a user accesses a resource protected by Portnox ZTNA using a browser, a dialog appears prompting them to select a certificate. In some cases, the operating system may offer multiple certificates, which can make it unclear which one to choose. Even after selecting the correct certificate, the dialog will reappear the next time the browser is restarted.

In certain configurations, it is possible to set up user browsers to automatically select the correct certificate for ZTNA without displaying the selection dialog. This behavior has been tested and confirmed to work in the following combinations:

  • Intune, Windows, and Chrome-based browsers
  • Intune, macOS, and Chrome-based browsers
  • Jamf, macOS, and Safari
  • Jamf, macOS, and Chrome-based browsers

However, in the following cases, we were unable to identify a method for automatic certificate selection:

  • Intune, macOS, and Safari
  • Any UEM, iOS, any browser

Intune, Windows, and Chrome-based browsers

In this section, you will learn how to use Intune to configure Chrome-based browsers on Windows, such as Chrome or Edge, to automatically select the correct ZTNA certificate without prompting the user to make a selection.

Note: This method requires Windows license verification to be enabled, which may require you to have a suitable Windows or Microsoft 365 license level.
  1. Find the organization ID:
    1. In Portnox Cloud, go to Settings > Services > General Settings > Self Onboarding.
    2. In the Self Onboarding section, see the URL that is displayed.
      Note: If self-onboarding is not activated, click on the Edit link and temporarily turn it on to see the URL.

      The organization ID is the last part of the URL, after the last / symbol.

      For example, if the URL is https://user-registration.portnox.com/b2973887-1274-45c4-91d0-4a342a861c76, then the organization ID is b2973887-1274-45c4-91d0-4a342a861c76.

  2. Optional: Open the Manage user certificates console on one of your users’ Windows devices. Locate a Portnox certificate under Personal > Certificates, and check the Issuer field.

    Ensure that the organization ID appears under the O (Organization) attribute. For some older organizations, it may be listed under the CN (Common Name) attribute instead. If this is the case, you will need to update the scripts in the next step by changing the $CertificateIssuerField = 'O' line to $CertificateIssuerField = 'CN'.

  3. Download and prepare PowerShell scripts for automatic certificate selection:
    Note: These scripts were prepared by the Portnox team and are publicly available on our GitHub page.
    1. Download the Detect_autoselection.ps1 script.
    2. Download the Remediate_autoselection.ps1 script.
    3. Open both scripts in a text editor of your choice.
    4. In both scripts, replace the <YOUR_ORGID> string with the organization ID that you found in the first step.

    5. Save the modified scripts on your local disk; you will need them later.
  4. In your Intune tenant, go to: Devices > Windows > Scripts and remediations

  5. In the Remediations tab, click on the Create button.

  6. In the Basics step of the Create custom script creator, enter a Name for this set of scripts, and then click on the Next button.

  7. In the Settings step:

    1. In the Detection script file field, click on the 🗀 icon to open the Detect_autoselection.ps1 script that you modified and saved on your local disk.
    2. In the Remediation script file field, click on the 🗀 icon to open the Remediate_autoselection.ps1 script that you modified and saved on your local disk.
    3. Turn on the Run script in 64-bit PowerShell switch.
    4. Click on the Next button.
  8. Complete the remaining creator steps as required for your Intune environment. In the Assignments step, set how often you want the scripts to run.
    Note: It is not necessary to run these scripts frequently. Unless another application interferes with certificate selection on the machine, running the scripts once should be sufficient to permanently configure the browsers to automatically select the ZTNA certificate.
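The detection and remediation pair that steps 3 to 8 rely on can be written as one PowerShell file that acts in either role. The script below is an added example, not the Detect_autoselection.ps1 or Remediate_autoselection.ps1 scripts published on the Portnox GitHub page. It assumes that the <YOUR_ORGID> placeholder is replaced with the organization ID from step 1, that $CertificateIssuerField is set to 'O' or 'CN' as verified in step 2, and that the Chrome and Edge policy keys under HKLM:\SOFTWARE\Policies are the standard AutoSelectCertificateForUrls locations; the function names Get-AutoSelectRule, Test-PolicyCompliant and Set-AutoSelectPolicy are the example's own.

```powershell
# Added example (not the Portnox scripts): one file that serves as the Intune
# detection script (-Mode Detect, the default) or the remediation script
# (-Mode Remediate). Organization ID below is a placeholder to be replaced.
param(
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect'
)

$OrganizationId         = '<YOUR_ORGID>'   # placeholder: organization ID from Portnox Cloud
$CertificateIssuerField = 'O'              # 'O' for most tenants, 'CN' for some older ones

# Host patterns for which the ZTNA certificate should be auto-selected.
$Patterns = @('[*.]appaccess.portnox.com', '[*.]pa.portnox.com')

# Chrome and Edge read list policies from numbered REG_SZ values ("1", "2", ...)
# under these keys; both browsers use the same JSON rule format.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls'
)

function Get-AutoSelectRule {
    param([string]$Pattern)
    # Build the single-line JSON rule; the issuer field name ('O' or 'CN')
    # becomes the key inside "ISSUER".
    $rule = [ordered]@{
        pattern = $Pattern
        filter  = @{ ISSUER = @{ $CertificateIssuerField = $OrganizationId } }
    }
    return ($rule | ConvertTo-Json -Compress -Depth 5)
}

function Test-PolicyCompliant {
    # True only if every key holds every expected rule under values "1", "2", ...
    # with exactly the expected JSON (a partial or stale rule counts as missing).
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -Path $key)) { return $false }
        for ($i = 0; $i -lt $Patterns.Count; $i++) {
            $name     = [string]($i + 1)
            $expected = Get-AutoSelectRule -Pattern $Patterns[$i]
            $actual   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($actual -ne $expected) { return $false }
        }
    }
    return $true
}

function Set-AutoSelectPolicy {
    # Create the policy keys if needed and (over)write the numbered rule values.
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        for ($i = 0; $i -lt $Patterns.Count; $i++) {
            $name = [string]($i + 1)
            New-ItemProperty -Path $key -Name $name -PropertyType String `
                -Value (Get-AutoSelectRule -Pattern $Patterns[$i]) -Force | Out-Null
        }
    }
}

if ($Mode -eq 'Remediate') {
    Set-AutoSelectPolicy
    exit 0
}

# Intune convention: detection exits 1 when remediation is required, 0 when compliant.
if (Test-PolicyCompliant) {
    Write-Output 'AutoSelectCertificateForUrls already configured for Chrome and Edge'
    exit 0
}
Write-Output 'AutoSelectCertificateForUrls missing or different; remediation required'
exit 1
```

Intune runs remediation scripts without arguments, so for the remediation copy change the default of $Mode to 'Remediate' (or keep two files, as the Portnox scripts do). Detection compares the full JSON value rather than only testing that the key exists, so a rule left behind by an earlier organization ID or issuer field is corrected instead of being accepted. The script writes to HKLM, which works because Intune runs remediation scripts in the system context unless you choose to run them with the logged-on user's credentials.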

Intune, macOS, and Chrome-based browsers

In this section, you will learn how to use Intune to configure Chrome-based browsers on macOS, such as Chrome or Edge, to automatically select the correct ZTNA certificate without prompting the user to make a selection.

Note: Repeat the steps below for each Chrome-based browser that you want to configure.
  1. Find the organization ID:
    1. In Portnox Cloud, go to Settings > Services > General Settings > Self Onboarding.
    2. In the Self Onboarding section, see the URL that is displayed.
      Note: If self-onboarding is not activated, click on the Edit link and temporarily turn it on to see the URL.

      The organization ID is the last part of the URL, after the last / symbol.

      For example, if the URL is https://user-registration.portnox.com/b2973887-1274-45c4-91d0-4a342a861c76, then the organization ID is b2973887-1274-45c4-91d0-4a342a861c76.

  2. Optional: Open Keychain Access on one of your devices, look for a Portnox certificate, and check the Issuer Name field.

    Ensure that the organization ID appears under the Organisation attribute. For some older organizations, it may be listed under the Common Name attribute instead. If this is the case, you will need to update the configuration file in the next step by changing all occurrences of the "O" parameter to "CN".

  3. Prepare a configuration file:
    1. Open a text editor of your choice, copy the following content, and paste it into the text editor:
      <key>AutoSelectCertificateForUrls</key>
      <array>
        <string>{"pattern":"[*.]appaccess.portnox.com","filter":{"ISSUER":{"O":"YOUR_ORGID"}}}</string>
        <string>{"pattern":"[*.]pa.portnox.com","filter":{"ISSUER":{"O":"YOUR_ORGID"}}}</string>
      </array>
    2. Replace all occurrences of the YOUR_ORGID string with the organization ID that you found in the first step.
    3. Save the text file on your local disk as autoselect.plist; you will need it later.
  4. In your Intune tenant, go to: Devices > macOS > Configuration

  5. Click on the Create button and select the New Policy option.

  6. In the Create a profile pane:

    1. In the Platform field, select macOS.
    2. In the Profile type field, select Templates.
    3. In the search bar, type pref.
    4. In the Template name field, click on the Preference file option.
    5. Click on the Create button.
  7. In the Basics step of the Preference file creator, enter the Name for this configuration profile, and then click on the Next button.

  8. In the Settings step:

    1. In the Preference domain name field, type:
      • com.google.Chrome if you’re creating this profile for Chrome
      • com.microsoft.Edge if you’re creating this profile for Edge
    2. In the Property list file field, click on the 🗀 icon to open the autoselect.plist file that you saved earlier.
    3. Click on the Next button.
  9. Complete the remaining creator steps as required for your Intune environment.

Jamf, macOS, and Safari

In this section, you will learn how to use Jamf to configure Safari on macOS to automatically select the correct ZTNA certificate without prompting the user to make a selection.

Note: This method only works for configuration profiles that are applied at the User Level. Preference Items are not available for configuration profiles that are applied at the Computer Level.
  1. In Jamf, open a configuration profile that you created earlier, Edit the SCEP payload, and scroll to the bottom of the payload to the Preference Items section.
  2. Add the preference items:

    1. Click on the Add button to add a row to the Preference Items table.
    2. In the URL / EMAIL ADDRESS column, enter: *.appaccess.portnox.com
    3. In the PREFERENCE ITEM TYPE field, select the Identity Preference option.
    4. Click on the Save button.
    5. Click on the Add button again to add another row.
    6. In the URL / EMAIL ADDRESS column, enter: *.pa.portnox.com
    7. In the PREFERENCE ITEM TYPE field, select the Identity Preference option.
    8. Click on the Save button.
    9. Optional: If your organization uses custom domains for certificates, add another row with *.your.domain as the URL / EMAIL ADDRESS, where your.domain is your domain name.
  3. Save and redistribute your configuration profile.

Jamf, macOS, and Chrome-based browsers

In this section, you will learn how to use Jamf to configure Chrome-based browsers on macOS, such as Chrome or Edge, to automatically select the correct ZTNA certificate without prompting the user to make a selection.

  1. Optional: Open Keychain Access on one of your devices, look for a Portnox certificate, and check the Issuer Name field.

    Ensure that the organization ID appears under the Organisation attribute. For some older organizations, it may be listed under the Common Name attribute instead. If this is the case, you will need to update the configuration file in the next step by changing all occurrences of the "O" parameter to "CN".

  2. Prepare a configuration file:
    1. Open a text editor of your choice, copy the following content, and paste it into the text editor:
      <dict>
        <key>AutoSelectCertificateForUrls</key>
        <array>
          <string>{"pattern":"[*.]appaccess.portnox.com","filter":{"ISSUER":{"O":"YOUR_ORGID"}}}</string>
          <string>{"pattern":"[*.]pa.portnox.com","filter":{"ISSUER":{"O":"YOUR_ORGID"}}}</string>
        </array>
      </dict>
    2. Optional: If you use your own domain in the certificates, add a third <string> line to the configuration file after the existing two <string> lines:
      <string>{"pattern":"[*.]your.domain","filter":{"ISSUER":{"O":"YOUR_ORGID"}}}</string>

      replacing your.domain with your custom domain name.

    3. Replace all occurrences of the YOUR_ORGID string with your organization ID. You can find it in Portnox Cloud under Settings > Services > General Settings > Self Onboarding, as described in the first step of the Intune sections above: it is the last part of the self-onboarding URL, after the last / symbol.
    4. Save the text file on your local disk as autoselect.plist; you will need it later.
  3. In Jamf, open a configuration profile that you created earlier.
  4. In the list of payloads, click on the Application & Custom Settings payload, click on the Upload option, and then click on the Add button in the right-hand pane.

  5. In the Preference Domain field, type:
    • com.google.Chrome if you’re creating this profile for Chrome
    • com.microsoft.Edge if you’re creating this profile for Edge
  6. In the Property List section, click on the Upload button and upload the autoselect.plist configuration file that you prepared and saved earlier.

  7. Optional: Click on the Add button again if you want to add configuration for another Chrome-based browser in the same payload.
  8. Save and redistribute your configuration profile.
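Both the Intune and the Jamf procedures for Chrome-based browsers on macOS end with an autoselect.plist that is uploaded as-is, so an unreplaced YOUR_ORGID, a stray quote in one of the JSON rules, or an issuer field that is neither O nor CN only shows up later as the certificate prompt continuing to appear. The following PowerShell 7 script is an added example, not a Portnox tool, that checks the file before you upload it. It accepts both the Intune form (a bare <key> and <array>) and the Jamf form (wrapped in <dict>); the function name Test-AutoSelectPlist and the assumption that an organization ID has the GUID shape shown in the page's example URL are the example's own.

```powershell
# Added example (not a Portnox script): validate autoselect.plist before
# uploading it to Intune or Jamf. Runs in PowerShell 7 on macOS or Windows.
param(
    [string]$Path = './autoselect.plist'
)

function Test-AutoSelectPlist {
    # Returns an array of problem descriptions; an empty array means the file is usable.
    param([Parameter(Mandatory)][string]$Path)
    $problems = [System.Collections.Generic.List[string]]::new()

    $raw = Get-Content -Path $Path -Raw
    # Drop an XML declaration and DOCTYPE if present so that either the bare
    # fragment (Intune form) or the <dict> form (Jamf) can be wrapped and parsed.
    $body = $raw -replace '<\?xml[^>]*\?>', '' -replace '<!DOCTYPE[^>]*>', ''
    try { $xml = [xml]"<root>$body</root>" }
    catch { return @("not well-formed XML: $($_.Exception.Message)") }

    $key = $xml.SelectSingleNode("//key[text()='AutoSelectCertificateForUrls']")
    if (-not $key) { return @('missing <key>AutoSelectCertificateForUrls</key>') }
    $array = $key.SelectSingleNode('following-sibling::array[1]')
    if (-not $array) { return @('<key>AutoSelectCertificateForUrls</key> is not followed by an <array> of rules') }

    # Assumption of this example: organization IDs look like the GUID in the page's sample URL.
    $guidPattern = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
    $count = 0
    foreach ($node in $array.SelectNodes('string')) {
        $count++
        $text = $node.InnerText
        try { $rule = $text | ConvertFrom-Json }
        catch { $problems.Add("rule $count is not valid JSON: $text"); continue }

        if (-not $rule.pattern) { $problems.Add("rule $count has no pattern") }

        $issuer = $rule.filter.ISSUER
        if (-not $issuer) { $problems.Add("rule $count has no filter.ISSUER"); continue }

        # The browser matches on exactly the issuer attribute given; the page uses O or CN.
        $fields = @($issuer.PSObject.Properties.Name)
        if ($fields.Count -ne 1 -or $fields[0] -notin @('O', 'CN')) {
            $problems.Add("rule $count ISSUER must use exactly one of O or CN (found: $($fields -join ','))")
            continue
        }
        $value = [string]$issuer.($fields[0])
        if ($value -match 'YOUR_ORGID') {
            $problems.Add("rule $count still contains the YOUR_ORGID placeholder")
        }
        elseif ($value -notmatch $guidPattern) {
            $problems.Add("rule $count issuer value '$value' does not look like an organization ID")
        }
    }
    if ($count -eq 0) { $problems.Add('the <array> contains no <string> rules') }
    return $problems.ToArray()
}

$findings = @(Test-AutoSelectPlist -Path $Path)
if ($findings.Count -eq 0) {
    Write-Output "$Path looks good"
    exit 0
}
$findings | ForEach-Object { Write-Output "PROBLEM: $_" }
exit 1
```

Run it as pwsh ./Test-AutoSelectPlist.ps1 -Path ./autoselect.plist after step 2 and before uploading in step 6. If you changed the issuer attribute to CN for an older organization, the check still passes, since both O and CN are accepted; what it rejects is a rule whose ISSUER object carries both, or neither.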