Integrating Kandji with EAP-TLS for Certificate Auto-Enrollment

MDMs can use the Simple Certificate Enrollment Protocol (SCEP) to automate the certificate life cycle for managed devices. This saves administrators the work of enrolling each managed device for a certificate by hand.

Kandji (Iru) is an MDM platform for Apple devices, including macOS, iOS, iPadOS, and tvOS, built around an automation engine for device configuration and security enforcement. For certificate enrollment with SCEP, Kandji delivers the SCEP enrollment URL and challenge secret to each managed device, which then uses them to request a certificate from the PKI.

In this document, we show you how to configure the SecureW2 SCEP Gateway API to auto-enroll Kandji-managed devices for certificates and how to configure the managed device for certificate-based (EAP-TLS) Wi-Fi authentication.

Prerequisites

To set up Kandji for device enrollment using SCEP, you need:

  • Active SecureW2 Cloud Connector License
  • Active SecureW2 Managed Device Gateway License
  • Active Kandji License
  • Enterprise-grade access points that support WPA2-Enterprise (802.1X)
  • iOS or macOS Devices Actively Managed in Kandji

Configure SecureW2

Creating an Intermediate CA for Kandji SCEP Gateway Integration

As a best practice, SecureW2 recommends creating a new intermediate CA for each SCEP Gateway API we create. Using a separate CA makes it easier to manage certificates and enables us to generate enrollment and network policies based on the issuing CA.

To create a new intermediate CA:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Dynamic PKI > Certificate Authorities.
  3. Click Add Certificate Authority.

  4. In the Basic section, from the Generate CA For drop-down list, select Device and User Authentication to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that includes “SCEP.”
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period (in years) field, enter the validity period of the CA certificate.
  11. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select how often users are sent a notification that their certificate is about to expire.
    2. Select the Notify user on successful Enrollment check box to notify users after a successful enrollment.
  12. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
      • Since last usage – Select this checkbox to revoke the certificate after a specified number of days if it remains unused.
      • Since certificate issuance – Select this checkbox to revoke the certificate after a specified number of days after it is issued.
    2. From the Reason Code drop-down list, select any one of the following reasons for which the certificate is revoked.
      • Certificate Hold
      • AA Compromise
      • Privilege Withdrawn
      • Unspecified
  13. Click Save. The new intermediate CA is generated.

Creating a Kandji Certificate Template

Follow these steps to create a Kandji certificate template for EAP-TLS authentication:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Scroll down to the Certificate Templates section.
  3. Click Add Certificate Template.

  4. In the Basic section, enter the name of the certificate template in the Name field.
  5. In the Subject field, enter CN=${/device/clientId}
  6. In the Display Description field, enter a suitable description for the certificate template.
  7. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  8. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.

  9. In the SAN section:
    1. In the Other Name field, enter ${/device/identity}
    2. In the RFC822 field, enter ${/device/clientId}
    3. In the DNS field, enter ${/device/identity}
  10. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.

  11. Click Save.

Creating a Device Management Platform

The Enrollment URL is the SCEP endpoint that managed devices contact to request certificates. The API Secret is the SCEP challenge: it is entered in Kandji’s SCEP configuration, pushed to the device in the profile, and presented with each certificate request so the gateway can authenticate the request.

The API Secret and Enrollment URL can be generated by creating a Device Management Platform in the JoinNow Management Portal.

Additionally, the tokens created for SCEP Enrollment can be used in Policy Management to assign a Policy Workflow/Device role based on the token in the incoming request.


To create a device management platform, perform the following steps:

  1. Navigate to Integration Hub > Device Management Platforms.
  2. Click Add.
  3. In the Basic section, enter the name of the Device Management Platform in the Name field.
  4. In the Description field, enter a suitable description for the Device Management Platform.
  5. From the Type drop-down list, select SCEP (Multi-Vendor) Enrollment Token.
  6. From the Vendor drop-down list, select Kandji.
  7. From the Certificate Authority drop-down list, select the intermediate CA you created earlier in the Creating an Intermediate CA for Kandji SCEP Gateway Integration section. If you do not select a CA, the organization’s default CA is chosen.
  8. Click Save. A .csv file containing the API Secret and Enrollment URL is downloaded. In addition, the Enrollment URL is displayed on the page.

NOTE: Save the file securely. This file is downloaded only once during token creation. If lost, the token and secret cannot be retrieved.

Policy Management

Setting up SCEP via Kandji requires three policies in the JoinNow MultiOS Management Portal:

  • Policy Workflow
  • Enrollment policy
  • Network policy

Configuring a Policy Workflow

The Policy Workflow defines roles that can be created based on specified criteria or attributes for a user or device. These roles can then be used as conditions in Network and Enrollment Policies.

To create a policy workflow, perform the following steps:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.

  3. In the Basic section, enter the name of the policy workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Core Provider drop-down list, select the Device Management Platform that you created earlier (refer to the Creating a Device Management Platform section).
  9. Click Update.

Configuring an Enrollment Policy

Policy Workflows function as roles that can be mapped to Enrollment Policies to dynamically issue different types of certificates.

To configure an enrollment policy:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, select the Policy Workflows you created earlier from the Policy Workflow list (refer to the Configuring a Policy Workflow section).
  9. From the Device Role list, select DEFAULT DEVICE ROLE POLICY 1.

    NOTE:
    You must select a User Role and Device Role for enrollment. Based on the Policy Workflows, you can use a fallback device policy to allow enrollment.
  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (refer to the Creating an Intermediate CA for Kandji SCEP Gateway Integration​ section).
  12. From the Use Certificate Template drop-down list, select the template you created earlier (refer to the Creating a Kandji Certificate Template section).
  13. In the other settings, retain the default values.
  14. Click Update.

 

Configuring a Network Policy

Similar to the Enrollment Policy, the Network Policy applies settings to a particular Policy Workflow. It allows us to specify whether the device will be allowed or denied network access, along with other RADIUS attributes that can be sent, which are most commonly VLAN assignments. This segmentation allows us to quarantine at-risk devices, reducing the risk of lateral threat movement on the network.

To configure a network policy, follow these steps:

  1. Navigate to Policy Management > Network.
  2. Click Add Network Policy.
  3. In the Basic section, enter the name of the network policy in the Name field.
  4. In the Display Description field, enter a suitable description for the network policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. Select Match All or Match Any based on your requirement to set authentication criteria. In the case explained here, we are selecting Match All.

  9. Click Add rule and select the Policy Workflow you want to assign to this network policy. It is essential to select the appropriate Policy Workflow, because it is what triggers the network policy. This menu offers various rules that you can select based on your business requirements.
  10. Click Save.
  11. The Policy Workflow option appears under the Conditions tab.
  12. From the Policy Workflow Equals drop-down list, select the Policy Workflow you created earlier (refer to the Configuring a Policy Workflow section). You can select multiple Policy Workflows for one Network Policy.
  13. Navigate to the Settings tab.
  14. From the Access drop-down list, select any one of the options to allow or deny authentication requests. The default value is “Allow”.
  15. (Optional) To require MFA, select the checkbox to enable MFA.
  16. If MFA is enabled, from the Perform MFA Using drop-down list, select a Core Provider for MFA.
  17. Click Add Attribute.
    1. From the Dictionary drop-down list, select an option:
      1. Radius: IETF – This is what we will use for the following attributes, as we are using standard RADIUS attributes for VLAN assignment.
      2. Custom: Used for any VSAs (Vendor-Specific Attributes).
    2. From the Attribute drop-down list, select any of the following options:
      1. Framed-Protocol
      2. Framed-IP-Address
      3. Framed-IP-NetMask
      4. Framed-Routing
      5. Filter-Id
      6. Framed-MTU
      7. Framed-Compression
      8. Reply-Message
      9. Framed-Route
      10. Framed-IPX-Network
      11. State
      12. Class
      13. Session-Timeout
      14. Tunnel-Type
      15. Tunnel-Medium-Type
      16. Tunnel-Private-Group-ID
      17. Framed-Pool
      18. User-Name
    3. In the Value field, enter the appropriate value for the attribute.
    4. Click Save.
    5. Repeat for any other RADIUS attribute you want to send. For reference, VLAN assignment (RFC 3580) requires these three attributes to be sent together:
      1. Tunnel-Type: VLAN
      2. Tunnel-Medium-Type: IEEE-802
      3. Tunnel-Private-Group-ID: {VLAN ID, or the VLAN name if your access point expects one}
    6. Click Update.
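To make concrete what the Network Policy above actually sends, here is an added example (not SecureW2 code) that encodes the three RFC 2868 tunnel attributes into a RADIUS Access-Accept, computes the Response Authenticator the access point uses to check that the reply really came from the RADIUS server, and then parses the reply back out the way a NAS would. The shared secret, Request Authenticator and VLAN ID 120 are constructed values; the attribute numbers and the VLAN/IEEE-802 values are the standard ones from RFC 2868 and RFC 3580.

```python
"""RFC 2868 tunnel attributes: what a Network Policy with Tunnel-Type=VLAN,
Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID puts on the wire."""
import hashlib
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2                 # RADIUS code (RFC 2865)
TUNNEL_TYPE = 64                  # attribute types (RFC 2868)
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13             # values used for 802.1X VLAN assignment (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6


def tagged_int(attr_type: int, value: int, tag: int = 1) -> bytes:
    """Tagged integer: Type, Length=6, Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, value: str, tag: int = 1) -> bytes:
    """Tagged string: Type, Length, Tag, octets. Tag 0 means untagged."""
    data = value.encode("ascii")
    if not 0 <= tag <= 0x1F or len(data) > 252:
        raise ValueError("bad tag or value too long")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan: str, tag: int = 1) -> bytes:
    """The three attributes that together assign a VLAN; all carry the same tag."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan, tag))


def access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret) (RFC 2865 s3)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS recomputes the authenticator; a mismatch means a forged or altered reply."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return packet[0] == ACCESS_ACCEPT and expected == resp_auth


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def vlan_from_accept(packet: bytes) -> Optional[str]:
    """Return the VLAN assigned by an Access-Accept, or None if the triple is
    incomplete, inconsistently tagged, or not a VLAN-over-802 assignment."""
    ttype = tmed = group = None
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            parsed = (value[0], int.from_bytes(value[1:], "big"))
            if attr_type == TUNNEL_TYPE:
                ttype = parsed
            else:
                tmed = parsed
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868 s3.6: a first octet above 0x1F is data, not a tag
            if value[0] <= 0x1F:
                group = (value[0], value[1:].decode("ascii", "replace"))
            else:
                group = (0, value.decode("ascii", "replace"))
    if ttype is None or tmed is None or group is None:
        return None
    if ttype[1] != TUNNEL_TYPE_VLAN or tmed[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    if len({ttype[0], tmed[0], group[0]}) != 1:  # the NAS groups attributes by tag
        return None
    return group[1]


if __name__ == "__main__":
    # Constructed values: a 16-byte Request Authenticator and a shared secret.
    req_auth, secret = bytes(range(16)), b"constructed-shared-secret"
    pkt = access_accept(7, req_auth, secret, vlan_attributes("120"))
    print(pkt.hex())
    print("VLAN:", vlan_from_accept(pkt), "authentic:", verify_accept(pkt, req_auth, secret))
```

Two details matter in practice: the access point only applies the VLAN when all three attributes are present and carry the same tag (a policy that sends only Tunnel-Private-Group-ID silently does nothing), and the Response Authenticator is the only integrity protection on the Access-Accept, so the RADIUS shared secret deserves the same care as the SCEP API Secret.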

Configure Kandji

To configure SCEP-based enrollment through Kandji, create a Wi-Fi profile and set up a SCEP certificate as described below:

  1. Log in to the Kandji Portal.
  2. On the left Navigation bar, click Library.
  3. Click + Add Library Item on the top-right.
  4. In the Search Library Item field, enter Wi-Fi.
  5. Select Wi-Fi.

  6. Click Add and configure. A new Wi-Fi Library Item will be opened for configuration.
  7. In the Add a title field, enter a name for the new Wi-Fi Library Item.

    NOTE: Use the title to differentiate this Library Item from other Wi-Fi Library Items. Use a name that identifies the item — for example, the title might include the SSID or the location where the Wi-Fi configuration is used.

  8. From the Classic Blueprints drop-down list, select the blueprint that contains the devices you want to deploy to.
  9. In the Service Set Identifier (SSID) field, enter a name for your network.
  10. Select Auto join network to enable devices to automatically connect to this network when it is available.

    NOTE: If you do not select Auto Join Network, devices will have the configuration required to connect to the network; however, users must manually choose to connect.

  11. Select Hidden network if the network does not broadcast its SSID. Hiding the SSID provides no security benefit, because clients configured for a hidden network send the SSID in clear text in their probe requests, and it is not recommended.
  12. If you wish to turn off MAC address randomization, select Disable MAC address randomization.

  13. From the Authentication type drop-down list, choose WPA2-Enterprise.
  14. From the Accepted EAP Types drop-down list, select TLS.
  15. From the Identity certificate drop-down list, select SCEP. The Configure SCEP page is displayed; complete it as follows.
  16. In the URL field, enter the Enrollment URL for the SCEP server obtained from the .csv file created in the Creating a Device Management Platform section.
  17. In the Name field, enter a name as required by your SCEP server. We recommend using the name of the CA from which the SCEP service requests the certificate.
  18. In the Challenge field, enter the API Secret obtained from the same .csv file. Treat this value as a credential: it is what authenticates certificate requests to the gateway.
  19. In the Subject field, enter CN=$SERIAL_NUMBER
  20. In the Subject Alternative Names field, click + Add.
    1. From the SAN Type drop-down list, select RFC 822 Name. In the adjacent field, enter $UDID

  21. Under Key, from the Key size drop-down list, select 2048.
  22. From the Key usage drop-down list, select Both signing and encryption.

  23. Under Options, in the Automatic profile redistribution field, enter the number of days before certificate expiry at which Kandji redistributes the profile so that the device enrolls for a new certificate.
  24. Select the Prevent the private key data from being extracted in the keychain checkbox. This keeps the private key non-exportable, so the device certificate cannot be copied to another device.
  25. Click Done.

    NOTE: The certificate trust settings specify which certificates presented by the RADIUS server the device should trust. Without them, a client may be tricked into authenticating to a rogue access point whose server certificate was issued by some other CA.
  26. Under Certificate trust, select the Specify trusted certificates checkbox to provide the certificates the configured devices should trust.
  27. Download the Root CA certificate and the intermediate CA certificate you created in the Creating an Intermediate CA for Kandji SCEP Gateway Integration section from the JoinNow Management Portal, and upload them in .cer or .crt format.

  28. Select the Specify server certificate names checkbox and click + Add.
  29. In the Server certificate name field, enter *.securew2.com. This must match the name in the RADIUS server’s certificate; the device rejects a server presenting any other name, even one signed by the trusted CAs.
  30. Click Save.
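Kandji renders the Library Item above into an Apple configuration profile. The added example below (not Kandji’s code, and not the exact profile Kandji generates) assembles the equivalent Wi-Fi and SCEP payloads using the key names from Apple’s Configuration Profile Reference, then lints the settings that decide whether EAP-TLS actually protects the client: TLS as the only accepted EAP type, pinned CA anchors, pinned server names, no user trust overrides, and a non-extractable private key. The enrollment URL, challenge, CA bytes and com.example payload identifiers are placeholders; the real values come from the SecureW2 .csv and CA downloads.

```python
"""Build the Wi-Fi + SCEP profile described by the Kandji Library Item, then
lint the trust settings that keep EAP-TLS safe against rogue access points.
Key names follow Apple's Configuration Profile Reference."""
import plistlib
import uuid
from typing import Dict, List

EAP_TLS = 13  # EAP method type for EAP-TLS (RFC 5216)


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def ca_payload(der: bytes, name: str) -> Dict:
    """Certificate-only payload; its PayloadUUID is what the Wi-Fi payload pins."""
    u = _uuid()
    return {"PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.ca.{u}", "PayloadUUID": u,
            "PayloadDisplayName": name, "PayloadContent": der}


def scep_payload(url: str, name: str, challenge: str, key_extractable: bool) -> Dict:
    """Mirrors the Configure SCEP page; Kandji substitutes the $ variables per device."""
    u = _uuid()
    return {"PayloadType": "com.apple.security.scep", "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.scep.{u}", "PayloadUUID": u,
            "PayloadDisplayName": "SCEP",
            "PayloadContent": {
                "URL": url, "Name": name, "Challenge": challenge,
                "Subject": [[["CN", "$SERIAL_NUMBER"]]],
                "SubjectAltName": {"rfc822Name": "$UDID"},
                "KeyType": "RSA", "Keysize": 2048,
                "KeyUsage": 5,                       # 1 signing, 4 encryption, 5 both
                "KeyIsExtractable": key_extractable}}


def wifi_payload(ssid: str, scep_uuid: str, anchors: List[str],
                 server_names: List[str], trust_exceptions: bool) -> Dict:
    u = _uuid()
    return {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.wifi.{u}", "PayloadUUID": u,
            "PayloadDisplayName": f"Wi-Fi ({ssid})", "SSID_STR": ssid,
            "AutoJoin": True, "HIDDEN_NETWORK": False,
            "EncryptionType": "WPA2",                # WPA2-Enterprise with EAP config below
            "PayloadCertificateUUID": scep_uuid,     # identity = the SCEP-issued cert
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [EAP_TLS],
                "PayloadCertificateAnchorUUID": anchors,
                "TLSTrustedServerNames": server_names,
                "TLSAllowTrustExceptions": trust_exceptions}}


def build_profile(url: str, challenge: str, ssid: str, server_names: List[str],
                  ca_ders: List[bytes], trust_exceptions: bool = False,
                  key_extractable: bool = False) -> Dict:
    cas = [ca_payload(der, f"CA {i}") for i, der in enumerate(ca_ders)]
    scep = scep_payload(url, "SCEP CA", challenge, key_extractable)
    wifi = wifi_payload(ssid, scep["PayloadUUID"], [c["PayloadUUID"] for c in cas],
                        server_names, trust_exceptions)
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.wifi-eap-tls", "PayloadUUID": _uuid(),
            "PayloadDisplayName": f"{ssid} EAP-TLS", "PayloadContent": cas + [scep, wifi]}


def roundtrip_payload_types(profile: Dict) -> List[str]:
    """Serialize to XML plist (what the device receives) and read it back."""
    loaded = plistlib.loads(plistlib.dumps(profile, fmt=plistlib.FMT_XML))
    return [p["PayloadType"] for p in loaded["PayloadContent"]]


def lint_eap_trust(profile: Dict) -> List[str]:
    """Settings that let a client trust the wrong server or let the identity leave the device."""
    payloads = profile["PayloadContent"]
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    findings: List[str] = []
    for p in payloads:
        if p["PayloadType"] == "com.apple.wifi.managed":
            ssid, eap = p["SSID_STR"], p.get("EAPClientConfiguration")
            if eap is None:
                findings.append(f"{ssid}: no EAPClientConfiguration, not 802.1X")
                continue
            if eap.get("AcceptEAPTypes") != [EAP_TLS]:
                findings.append(f"{ssid}: accepts EAP types other than TLS")
            if eap.get("TLSAllowTrustExceptions", True):    # Apple's default is true
                findings.append(f"{ssid}: user may accept an untrusted server certificate")
            if not eap.get("TLSTrustedServerNames"):
                findings.append(f"{ssid}: no server name pinning; any cert under the anchors passes")
            anchors = eap.get("PayloadCertificateAnchorUUID") or []
            if not anchors:
                findings.append(f"{ssid}: no trust anchors pinned")
            findings.extend(f"{ssid}: anchor {a} has no certificate payload" for a in anchors if a not in by_uuid)
            ident = by_uuid.get(p.get("PayloadCertificateUUID", ""))
            if ident is None or ident["PayloadType"] != "com.apple.security.scep":
                findings.append(f"{ssid}: identity certificate is not the SCEP payload")
        elif p["PayloadType"] == "com.apple.security.scep":
            content = p["PayloadContent"]
            if content.get("KeyIsExtractable", True):
                findings.append("SCEP: private key is extractable from the keychain")
            if content.get("Keysize", 0) < 2048:
                findings.append("SCEP: key size below 2048 bits")
    return findings


if __name__ == "__main__":
    # Constructed placeholders; real values come from the .csv and the CA downloads.
    profile = build_profile("https://ENROLLMENT-URL-FROM-CSV", "API-SECRET-FROM-CSV", "Corp-WiFi",
                            ["*.securew2.com"], [b"ROOT-CA-DER", b"INTERMEDIATE-CA-DER"])
    print(roundtrip_payload_types(profile), lint_eap_trust(profile))
```

The lint is worth running against any profile exported from your MDM, not just this constructed one: the two settings most often left at their defaults, TLSAllowTrustExceptions and an empty TLSTrustedServerNames, are exactly the ones that let a user click through to an attacker’s access point.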

Secure EAP-TLS Authentication with Kandji and SecureW2

With the SCEP API gateway configured, your organization can use Kandji to automatically enroll Kandji-managed devices for certificates. The gateway issues a SCEP URL and challenge secret that Kandji delivers to your managed devices, allowing them to request certificates from the PKI with no end-user input.

SecureW2 PKI offers a better user experience and integrates with Kandji for SCEP certificate enrollment, which makes certificate distribution faster and simpler so your administrators can focus on other tasks. For more information, see our pricing details.