ACME Certificate Enrollment: Addigy Integration

Introduction

SecureW2’s ACME service can cryptographically prove that a device is a genuine Apple product, and confirm its serial number using Apple Managed Device Attestation (MDA). MDA is what allows JoinNow Connector PKI to validate a device’s identity and cross-reference it with your MDM to ensure that only trusted devices can enroll for certificates.

Traditional SCEP implementations only require a pre-shared key for certificate issuance. With ACME, organizations can ensure that only trusted, managed devices obtain and maintain certificates that are used to access critical resources. Addigy is one of the first MDMs to develop native support for ACME, and this document will outline how Addigy customers can integrate SecureW2’s PKI services to configure ACME-based certificate enrollment. 

Prerequisites

  • iOS devices that support ACME protocol
  • Subscription to the Addigy portal
  • JoinNow Connector PKI subscription along with Enterprise Enrollment and Attestation (EEA)

Setting Up ACME in SecureW2

To set up ACME-based authentication in SecureW2, the following high-level steps are required:

Creating an Intermediate CA

As a best practice, SecureW2 recommends having a new intermediate CA for JoinNow ACME Gateway integration with Addigy.

To create a new intermediate CA:

  1. In the JoinNow MultiOS Management Portal, go to PKI > Certificate Authorities.
  2. Click Add Certificate Authority.
  3. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  4. From the Type drop-down list, select Intermediate CA.
  5. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  6. In the Common Name field, enter a name. SecureW2 recommends a name that includes ‘ACME’.
  7. Click Save.

Creating a Certificate Template

A certificate template determines how information is encoded in the certificate to be issued by the Certificate Authority (CA). It consists of a list of certificate attributes and how information must be encoded in the attribute values. This information is provided by the organization administrator via the JoinNow Management Portal.

SecureW2 recommends creating a separate template for each MDM platform for easier identification of different values being passed.

To create an Addigy certificate template:

  1. Navigate to PKI > Certificate Authorities.
  2. Click Add Certificate Template.
  3. Under the Basic section, in the Name field, enter the name of the certificate template.
  4. In the Subject field, enter CN=${/auth/displayName:/device/identity:/device/clientId}.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The available option is SHA-256.
  8. In the SAN section, enter the following for the:
    1. DNS field: ${/device/computerIdentity:/device/identity:/device/buildModel}
    2. RFC822 field: ${/device/computerIdentity:/device/identity}
    3. Other Name field: ${/auth/upn:/device/identity:/device/clientId}
    4. URI field: Organization URL from which the client obtains the certificate.
  9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  10. Click Save.

Creating a Key Attestation Provider

A Key Attestation Provider in JoinNow helps set up ACME-based device attestation services for iOS devices.

To create a Key Attestation Provider:

  1. Navigate to Identity Management > Key Attestation Providers.
  2. Click Add Key Attestation Provider.
  3. Under the Basic section, in the Name field, enter a name for your Key Attestation Provider.
  4. In the Display Description field, enter a suitable description for the Key Attestation Provider (optional).
  5. From the Type drop-down list, select Apple.
  6. Click Save.
  7. Click Update.

Creating an API Token

To generate an API token:

  1. Navigate to Identity Management > API Gateways.
  2. Click Add API Gateway.
  3. Under the Basic section, in the Name field, enter a name for your API Gateway.
  4. In the Description field, enter a suitable description for the API Gateway (optional).
  5. From the Type drop-down list, select ACME Client Certificate Enrollment Token.
  6. From the Vendor drop-down list, select Addigy.
  7. Click Save. A .mobileconfig file is downloaded.

Creating an Identity Lookup Provider

With JoinNow, you can create a Generic HTTP-based Identity Lookup Provider and integrate it with Addigy MDM for device lookup during ACME enrollment.

  1. Navigate to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. Under the Basic section, in the Name field, enter a name for your Lookup IdP.
  4. In the Description field, enter a suitable description for the Lookup IdP (optional).
  5. From the Type drop-down list, select Generic HTTP.
  6. Click Save.
  7. The page refreshes and the Configuration, API, and Attribute Mapping tabs are displayed.
  8. Select the Configuration tab.
  9. Under the Authentication section, from the Authentication Method drop-down list, select API Key.
  10. In the Key field, enter the key value from Addigy.
    1. For the Key value, navigate to Account > Integration > API Docs.
    2. Click Authorize and copy the value corresponding to Name.
  11. In the Value field, copy and paste the API Token value obtained in the Creating an API Token in Addigy section.
  12. Select the API tab.
  13. In the URI field, enter https://api.addigy.com/api/v2/mdm/devices/${identity}
  14. Under the Response Validation section, click Add.
    1. In the Response Path field, enter enrollment_profile.udid.
    2. From the Condition drop-down list, select Exists.
  15. Click Update.
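
The lookup rule configured above, as an added sketch that is not SecureW2 or Addigy code: it fills the ${identity} placeholder in the URI and applies the Exists condition to enrollment_profile.udid, failing closed on anything else. The response bodies are constructed, and percent-encoding the identity and treating null as absent are assumptions of this example.

```python
import json
from urllib.parse import quote

LOOKUP_URI = "https://api.addigy.com/api/v2/mdm/devices/${identity}"  # step 13
RESPONSE_PATH = "enrollment_profile.udid"                             # step 14

def lookup_url(identity):
    """Fill the ${identity} placeholder with the attested device identity."""
    # Assumption: percent-encode so "/" or "?" in the identity cannot alter the path.
    return LOOKUP_URI.replace("${identity}", quote(identity, safe=""))

def path_exists(body, dotted_path=RESPONSE_PATH):
    """Exists condition: every key on the dotted path is present in the JSON body."""
    try:
        node = json.loads(body)
    except ValueError:
        return False  # a non-JSON body never validates
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return node is not None  # assumption: a JSON null counts as absent

# Constructed response bodies; only the enrollment_profile.udid path comes from the guide.
ENROLLED = '{"enrollment_profile": {"udid": "EXAMPLE-UDID"}}'
NO_PROFILE = '{"enrollment_profile": {}}'
NULL_PROFILE = '{"enrollment_profile": null}'
NOT_JSON = "<html>gateway error</html>"

if __name__ == "__main__":
    print(lookup_url("EXAMPLE-IDENTITY"))
    for body in (ENROLLED, NO_PROFILE, NULL_PROFILE, NOT_JSON):
        print(path_exists(body), body)
```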

Policy Management

Policy Management allows us to create specific Lookup policies, roles for users, and device groups, which can be used in SecureW2 to create custom certificate enrollment policies.

Creating an Account Lookup policy

The Account Lookup policy can be mapped along with the Addigy Identity Lookup provider created earlier for device lookup.

  1. Navigate to Policy Management > Account Lookup Policies.
  2. Click Add Account Lookup Policy.
  3. Under the Basic section, in the Name field, enter a name for your Account Lookup Policy.
  4. In the Display Description field, enter a suitable description for the Account Lookup Policy (optional).
  5. Click Save.
  6. The page refreshes and the Conditions and Settings tabs are displayed.
  7. Select the Settings tab.
    1. From the Identity Provider Lookup drop-down list, select the Lookup IdP created earlier (refer to the Creating an Identity Lookup Provider section).
    2. From the Lookup Type drop-down list, select Custom.
    3. From the Identity drop-down list, select Computer Identity.
  8. Click Update.

Creating a Role Policy

  1. Navigate to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. Under the Basic section, in the Name field, enter a name for your Role policy.
  4. In the Display Description field, enter a suitable description for the Role policy (optional).
  5. Click Save.
  6. The page refreshes and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. Under the Conditions section, from the Identity Provider drop-down list, select the API token you created in the earlier section (refer to the Creating an API Token section).
  9. Click Update.

Creating a Device Role Policy

The Device Role policy helps map the attestation provider in JoinNow for device attestation.

  1. Navigate to Policy Management > Device Role Policies.
  2. Click Add Device Role Policy.
  3. Under the Basic section, in the Name field, enter a name for your Device Role Policy.
  4. In the Display Description field, enter a suitable description for the Device Role Policy (optional).
  5. Click Save.
  6. The page refreshes and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. From the Identity drop-down list, select the Key Attestation Provider created earlier (refer to the Creating a Key Attestation Provider section).
  9. Click Update.

Creating an Enrollment Policy

  1. Navigate to Policy Management > Enrollment Policies.
  2. Click Add Enrollment Policy.
  3. Under the Basic section, in the Name field, enter a name for your Enrollment Policy.
  4. In the Display Description field, enter a suitable description for the Enrollment Policy (optional).
  5. Click Save.
  6. The page refreshes and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. Under the Conditions section, from the Role list, select the user role policy you created in the Creating a Role Policy section.
  9. From the Device Role list, select the device role policy you created in the Creating a Device Role Policy section.
  10. Select the Settings tab.
  11. From the Use Certificate Authority drop-down list, select the Certificate Authority created for ACME (refer to the Creating an Intermediate CA section).
  12. From the Use Certificate Template drop-down list, select the certificate template created for ACME (refer to the Creating a Certificate Template section).
  13. Click Update.

Setting Up Certificate Enrollment via ACME in Addigy

To set up certificate enrollment via the ACME profile in Addigy:

Creating an API Token in Addigy

  1. Log in to the Addigy portal.
  2. On the left pane, navigate to Account > Integrations.
  3. Select the V2 tab and click the New API Token button.
  4. On the New API Configuration page, in the Name field, enter a name for the API token.
  5. In the Permissions field, search for “View Devices” and select the View Devices checkbox.
  6. Click Add.
  7. The API token is displayed on the screen. Copy the token and save it on your console.

Configuring MDM Profile in Addigy

MDM profiles created in Addigy contain Payload configurations that can be assigned to a required group of devices.

To configure MDM profiles in Addigy:

  1. On the left pane, click Policies.
  2. Click New Policy.
  3. On the New Policy page, in the Policy Name field, enter a name for your policy.
  4. From the Parent Policy drop-down list, select a parent policy if required.
  5. Click Save.
  6. On the displayed page, in the left pane, navigate to Catalog > MDM Profiles.
  7. Click New.
  8. Click ACME.
  9. The profile page is displayed.
  10. Open the .mobileconfig file saved earlier from JoinNow.
  11. In the Payload Name field, enter a name for your payload.
  12. In the Client Identifier field, paste the string value corresponding to ClientIdentifier from the .mobileconfig file.
  13. In the Directory URL field, paste the string value corresponding to DirectoryURL.
  14. Enable the Hardware Bound checkbox.
  15. In the Key Size field, enter 384.
  16. From the Key Type drop-down list, select ECSECPrimeRandom.
  17. In the Subject field, enter CN=Subjectvalue, where Subjectvalue is the string value corresponding to Subject in the .mobileconfig file.
  18. Click Create Profile. The MDM profile is created and displayed on the MDM Catalog page.
  19. Click the options button for the ACME profile created and select the Assignments option.
  20. Under the Assign to Policies section, select the policies to which the ACME profile should be assigned.
  21. Click Save.
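
An added helper, not SecureW2 or Addigy code, for steps 10 to 17: it reads the Client Identifier, Directory URL and Subject values from a profile and reports key settings that differ from the ones this guide prescribes. It assumes an unsigned XML .mobileconfig carrying Apple's com.apple.security.acme payload; the sample profile and every value in it are constructed placeholders.

```python
import plistlib

# Constructed sample; the identifier, URL and subject are placeholders, not real values.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.security.acme</string>
  <key>ClientIdentifier</key><string>EXAMPLE-CLIENT-ID</string>
  <key>DirectoryURL</key><string>https://acme.example.invalid/directory</string>
  <key>HardwareBound</key><true/>
  <key>KeyType</key><string>ECSECPrimeRandom</string>
  <key>KeySize</key><integer>384</integer>
  <key>Subject</key><array><array><array>
   <string>CN</string><string>EXAMPLE-SUBJECT</string>
  </array></array></array>
 </dict></array>
</dict></plist>"""

ACME_TYPE = "com.apple.security.acme"

def acme_payload(profile_bytes):
    """Return the single ACME payload dict from an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    found = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == ACME_TYPE]
    if len(found) != 1:
        raise ValueError(f"expected one {ACME_TYPE} payload, found {len(found)}")
    return found[0]

def paste_values(payload):
    """Values for the Client Identifier, Directory URL and Subject fields."""
    # Apple encodes Subject as a list of RDNs, each a list of [name, value] pairs.
    subject = ",".join("+".join(f"{k}={v}" for k, v in rdn) for rdn in payload.get("Subject", []))
    return {"ClientIdentifier": payload["ClientIdentifier"],
            "DirectoryURL": payload["DirectoryURL"], "Subject": subject}

def deviations(payload):
    """List key settings that differ from the values this guide prescribes."""
    issues = []
    if not str(payload.get("DirectoryURL", "")).startswith("https://"):
        issues.append("DirectoryURL is not an https URL")
    if payload.get("HardwareBound") is not True:
        issues.append("HardwareBound is not enabled")
    if payload.get("KeyType") != "ECSECPrimeRandom":
        issues.append("KeyType is not ECSECPrimeRandom")
    if payload.get("KeySize") != 384:
        issues.append("KeySize is not 384")
    return issues

if __name__ == "__main__":
    p = acme_payload(SAMPLE)
    print(paste_values(p), deviations(p))
```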