Create a new computer entry under the
Mobile Devices
OU ( which is the one i am using for mobile hardware devices)
Enable Advanced Features under the View menu, then open the newly created computer object. Go to Attribute Editor and add the following attributes:
- dNSHostName: devel1-ipad.domain.com.au
- operatingSystem: iOS (descriptive only - doesn't affect EAP-TLS)
- servicePrincipalName: HOST/devel1-ipad.domain.com.au (this is the name the device sends during the EAP-TLS negotiation, but with HOST in lowercase)
Certificate
Via the Certificate MMC snap-in (personal certificates), request a mobile device certificate. You need to have permission to enroll this certificate template.
- Subject name: (Common name) devel1-ipad.domain.com.au
- Alternative name: (DNS) devel1-ipad.domain.com.au
- Friendly name: Development Team iPad 1 (match the description in the Active Directory computer object you created)
The certificate should successfully create and return signed by the Issuing CA.
Export the certificate (no private key) as DER encoded binary X.509 (.CER) by right-clicking on the certificate in the snap-in.
As an administrator (i.e. a user with Active Directory object modification rights), publish the exported certificate (file) to Active Directory:
> certutil -v -f -dspublish "devel1-ipad.cer" Machine
-------------------------------------------------------------------------------
Result
CN=devel1-ipad,OU=Mobile Devices,OU=Staff,OU=Hardware,DC=Domain,DC=com,DC=au?userCertificate
Certificate added to DS store.
CertUtil: -dsPublish command completed successfully.
Client-Side Configuration
iPhone Configuration Utility (both iOS and OS X)
Using the iPhone Configuration Utility, create a new (or duplicated) configuration profile.
Go to DC and open the iphone configuration utility software
In the Credentials tab:
- Import the company's Root certificate and the device certificate.
- Enter the device certificate's password (to match the one you used after selecting it).
In the Wi-Fi tab:
- Service Set Identifier: Network S
- Hidden Network: not ticked
- Security Type: WPA / WPA2 Enterprise
- Protocols: TLS (ticked), all others (unticked)
- Authentication / Username:
host/hostname.domain.com.au
(must match the Active Directory servicePrincipalName) N.B. "host" MUST be in lowercase, otherwise the AD service principal lookup will fail.
- Authentication / Identity Certificate: select the device certificate.
- Export the file to desktop as none security.
- copy the .mobileconfig file to desktop machine whether the Apple device connected.
- Open the Iphone configuration utility
- file --> add to library
- click on the device name on the left hand site.
- select the configuration profile.
- click install.
- then it ll pop up in the device and finish the installation on the device.
Push to the device by attaching via USB, going to the device's configuration profiles tab and clicking on Install for the relevant profile.
No comments:
Post a Comment