Integrating ACME CA server with MDM
Automated Certificate Management Environment (ACME) is used to automate the creation, distribution and installation of certificates without user intervention. By integrating Mobile Device Manager Plus with ACME, admins can issue certificates easily and install those certificates on devices. It provides a simplified and scalable method for handling certificates in large organizations. This is applicable only for iOS, iPadOS and tvOS 16 or later versions.
The major advantages of certificate-based authentication are:
- Zero-user intervention as users are authenticated via certificates.
- Facilitates high volume deployment of certificates by automatically provisioning and silently installing certificates on devices.
- Secure network communication such as Wi-Fi, VPN and securing e-mail through encryption is carried out using certificates.
This document covers the steps involved in creating the CA server and template which are required to manage ACME certificates using Mobile Device Manager Plus.
Certificate-based authentication workflow
The device connects to the provided ACME server URL and requests a client certificate with the configured template containing the KeyType, KeySize, and Hardware Bound fields. If the attest is true, the ACME server requests an attestation for the device. Then the device communicates with the ACME server to authenticate the device, provide the attestation, and request a matching certificate based on the Subject, Subject Alt Name, Key Usage, and Extended Key Usage fields configured in the template. The ACME server issues a certificate to the device that can be used for authenticating access to Wi-Fi, VPN etc.
Configuring ACME in MDM
Follow the steps given below to configure ACME in MDM:
- On the MDM console, navigate to Device Mgmt -> Certificates
- Click on the CA Servers tab and click on Add CA server
- Provide the following details:
|Server Type||Specify server type as ACME.|
|Certificate Authority Name||Specify the name of the Certificate Authority issuing certificates.|
|Server URL||Enter the server URL through which certificate is requested. Provide HTTP Server URL,
1. If the ACME server is within the organization network
2. If the ACME server is not exposed to external networks.
|Add CA Certificate||Upload the Certificate Authority's certificate|
Creating templates for the CA servers
For creating user-specific certificates, a template needs to be configured based on which all the certificates will be issued by the CA.
Follow the steps given below to configure the template on MDM:
- On the MDM console, navigate to Device Mgmt -> Certificates.
- Click on Templates tab and click on Add Templates
- Select the server to which the template belongs. In this case, select the ACME server that was previously added
- Provide the following details:
|Certificate Template Name||Specify the certificate template name.|
|Subject||Specify the Subject DN that needs to be present in the certificate. You can use dynamic keys such as %username%, %email%, %firstname% to fetch the the corresponding details mapped to the device. For instance, you can enter C=US,O=Zylker,OU=Zylker,CN=%firstname%.|
|Subject Alternative Name (Can be configured only if Subject Alternative Name Type is configured)||Specify a value for subject alternative name value. The value to be entered can include DNS name, URI or email. For instance, you can use the dynamic key %email% for email.|
|Attest||The device gets an attestation certificate from Apple and submits it to the ACME server for authentication. If yes, the Hardware bound should be 'Yes'.|
|Hardware Bound||Specify whether the private key should be bound to the device or not. If yes, KeyType must be ECSECPrimeRandom and KeySize must be 256 or 384.|
|Key Type||Specify whether the key type is ESCECprimeRandom or RSA.|
|Key Size||Specify whether the key is 1024 or 2048 bits|
|Use as Digital Signature||Enabling this option ensures the certificate can be used for Digital Signature|
Creating a ACME profile
To distribute certificates to managed devices, a ACME profile need to associated with these devices. Follow the steps given below to create and associate the ACME profile to devices
- Navigate to Device Mgmt -> Profiles and create an Apple profile.
- Select ACME from the left pane.
- Select the created Certificate template.
- Click on Save and publish the profile.
It is recommended to distribute the profile to a device for testing before distributing it to your production environment. Once testing is complete, you can distribute the profile to your production environment using Groups.