How to Deploy SCEP Certificates Using Addigy and SecureW2

Certificates have outpaced passwords as the preferred method of authentication for enterprises because of their superior network security and user experience. SecureW2 makes sure every device is properly authenticated and issued a certificate to be used for a variety of network authentication purposes.

Addigy is a cloud-based mobile device management platform designed for Apple environments that are migrating away from on-premises systems. Admins can use SecureW2 to have Addigy devices securely authenticated and enrolled for certificates. The best part? Both of these can be automated, making it easier for the admin and the end user. Here’s how you do it.

Tech Overview

  1. Set Up the Managed Device Gateway API
    • Using our Getting Started Wizard, you can easily set up SCEP gateway APIs.
    • Establish a trusted Intermediate CA to configure the payload to include certificate enrollment policies.
  2. Configure the SCEP Profile
    • Create a SCEP URL by generating a shared secret and access token using SecureW2’s Token wizard.
  3. Configure the Wi-Fi Profile
    • Configure the Wi-Fi settings to allow certificates to connect to the correct server.
    • Configure the profile for EAP-TLS authentication, the most secure authentication protocol.
  4. Push the Payloads to Managed Devices
    • Add the SCEP URL to the Addigy portal so you are able to push out configuration profiles to all Addigy devices and have them authenticated to the network.
    • You can also push out a payload allowing devices to enroll themselves for a signed certificate after authentication.

Create an Apple Push Certificate

You can create an Apple Push Certificate by downloading an Addigy Certificate Signing Request (CSR) file and uploading it to Apple.

  1. On the Addigy Portal, go to Accounts.
    • Click MDM Settings.
  2. Download CSR File.
    • Click Add Certificate under Apple Push Certificates.
    • Download Addigy CSR.
  3. Go to this link.
    • Click Create a Certificate.
    • Upload your Addigy CSR.
  4. An Apple Push Certificate will be generated and a .pem file will be available for download.
  5. Upload the .pem file.
    • Go back to MDM Settings in Addigy.
    • Click on Add Certificate.
    • Upload the .pem file.
  6. Click Save.

Now you have created a signed Apple Push Certificate for your managed devices. Next, you’ll need to establish a connection so all of your managed devices are able to enroll for the certificate.

Building a .mobileconfig

For most platforms, you can create a custom CA and generate a SCEP URL with SecureW2’s Management Portal. These can be imported into your platform’s UI to start delivering certificates.

Addigy does not have this option, so you’ll need to build a custom mobileconfig with the SCEP URL and Shared Key. This can all be done in SecureW2’s Management Portal. After you’ve done this, reach out to the SecureW2 Support team. They can assist you in generating a custom .mobileconfig file to upload to Addigy.

Creating a SCEP URL and Shared Secret

To use a SCEP gateway for managed devices to enroll themselves for certificates, generate a SCEP URL so devices can communicate with SecureW2’s PKI.

  1. Navigate to API Tokens under Identity Management.
  2. Click Add API Token.
  3. Enter a Name and Vendor and click Update.
  4. A CSV file will be downloaded that contains a shared secret and a SCEP URL. You will need to modify the SCEP URL to work with MEM Intune.
    • The unmodified URL is structured like so:

https://api.securew2.com/urltokenid/70b78eba-d84f-4997-89be-6ec117555347/enroll/891d25ab-af14-4e81-95c3-bc4793384fe4/89ed0be6-13q2-4973-b84d-fb4ff83e51ef

    • Insert /urlauth/secretkey/ into the SCEP URL and replace secretkey with the key provided in the CSV file that is downloaded from the SecureW2 Management Portal, as displayed in the following example:

https://api.securew2.com/urltokenid/dd1cb780-4c61-b07f-ef69a5bfaf0f/urlauth/secretkey/enroll/d53a3f06-1e7a-4c0c-8f0e-q3869d47f6fc/3b48048a-7e68-4ad3-efb5039b737d
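As an added example (not SecureW2’s or Addigy’s own tooling), this Python helper applies the URL change above to the URL and secret taken from the token CSV, refuses to double-insert the segment or to use a non-https URL, and masks the secret so the URL can be shared safely; the CSV column names and the sample secret are assumptions.

```python
import csv
import io
import re
from urllib.parse import urlsplit, urlunsplit

# Path shape of the unmodified URL from the API Token CSV: /urltokenid/<token-id>/enroll/<id>/<id>
# The shared secret is inserted as /urlauth/<secret>/ right after the token id.
_BASE_PATH = re.compile(r"^/urltokenid/([^/]+)/enroll/(.+)$")
_AUTH_PATH = re.compile(r"^(/urltokenid/[^/]+/urlauth/)[^/]+(/enroll/.+)$")

def build_scep_url(base_url: str, secret: str) -> str:
    """Insert /urlauth/<secret>/ into a SecureW2 SCEP URL from the token CSV."""
    if not secret or secret != secret.strip() or "/" in secret:
        raise ValueError("shared secret is empty, has surrounding whitespace, or contains '/'")
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("refusing non-https SCEP URL: the secret is carried in the path")
    if _AUTH_PATH.match(parts.path):
        raise ValueError("URL already carries a /urlauth/ segment; do not insert it twice")
    m = _BASE_PATH.match(parts.path)
    if m is None:
        raise ValueError(f"unexpected SCEP URL path: {parts.path!r}")
    token_id, enroll_tail = m.groups()
    path = f"/urltokenid/{token_id}/urlauth/{secret}/enroll/{enroll_tail}"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))

def redact_scep_url(url: str) -> str:
    """Mask the shared secret so the URL can be pasted into tickets or logs."""
    parts = urlsplit(url)
    m = _AUTH_PATH.match(parts.path)
    if m is None:
        return url  # no secret segment present, nothing to hide
    return urlunsplit((parts.scheme, parts.netloc, f"{m.group(1)}<redacted>{m.group(2)}", "", ""))

def scep_url_from_csv(csv_text: str) -> str:
    """Build the URL from the first CSV row (the column names are an assumption)."""
    row = next(csv.DictReader(io.StringIO(csv_text)))
    return build_scep_url(row["SCEP URL"].strip(), row["Shared Secret"].strip())

# Constructed sample CSV: the ids are the article's examples, the secret is made up.
SAMPLE_CSV = (
    "Shared Secret,SCEP URL\n"
    "EXAMPLE-SECRET,https://api.securew2.com/urltokenid/70b78eba-d84f-4997-89be-6ec117555347"
    "/enroll/891d25ab-af14-4e81-95c3-bc4793384fe4/89ed0be6-13q2-4973-b84d-fb4ff83e51ef\n"
)

if __name__ == "__main__":
    print(redact_scep_url(scep_url_from_csv(SAMPLE_CSV)))
```

The finished URL embeds the shared secret, so treat the resulting .mobileconfig as a credential and keep only the redacted form in tickets.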

Upload a .mobileconfig file to Addigy

Now that you’ve created a mobileconfig, you can plug it into the Addigy portal and push the payload to every managed device.

  1. Create a Profile in Addigy.
    • Go to Policies.
    • Click Catalog towards the top.
    • Click on Custom Profile and Add Profile.
  2. Upload your .mobileconfig file.
    • Enter your profile name.
    • Under Installation Files, click Select File(s) to upload your .mobileconfig file.
    • Under Installation Script, the output will be shown after uploading your file.
  3. Click Confirm.

Now that you’ve created a custom profile in Addigy, you can start deploying that profile to your managed devices.

Adding an iOS Device

Here we will explain how to get the configuration profiles on an iOS device.

  1. Log in to the Addigy management portal.
    • Navigate to Policies.
  2. Find your device on the portal and click GoLive.
  3. Switch your device from ‘Onboarding’ policy to ‘Production’ policy.
    • This will deploy the Wi-Fi profile and SCEP payload.
  4. Navigate to MDM Configuration.
    • Check that the Addigy SCEP profile is uploaded.
    • Click on the Addigy SCEP profile to view the payloads and certificate.
  5. Hover over Production.
    • Click Confirm Production policy deployment.
    • Click on “View Details” to see the SCEP profile connecting to your iOS device.
      • It will take a few minutes for the profile to appear on your device.
  6. To find your profile, go to the Settings app and find Device Management under the General section.
    • You can also view device certificates here.
  7. Once the profile is on your device, go to Settings > Wi-Fi and connect to the Addigy SCEP network.
    • The device will connect to the network without any prompts.
  8. Your device should now be added to the Addigy management portal.

Removing the iOS Device

If you would like to remove the configuration profiles from an iOS device, here is how you can do that within Addigy.

  1. To remove the device from the network, navigate to Policies > Production.
    • Click on your device and change the policy from “Production” to “Onboarding”.
    • Click on Onboarding and confirm configuration.
  2. The profile will be pulled off the device, removing the device from the network.
    • The Wi-Fi profile and SCEP payload will no longer appear under Device Management.
  3. The device will then connect back to the setup Wi-Fi and be removed from “Policy Devices” on Addigy.

Verifying the SCEP Certificate on iOS Device

If you need to verify that a SCEP certificate is on a network device, here’s how to do it.

  1. Log in to the SecureW2 management portal.
    • Navigate to Certificates.
  2. Copy either the serial number or the common name.
  3. Paste the ID into Addigy under the Devices tab.
    • You will be able to find the device attached to that certificate.

Revoking a SCEP Certificate from an iOS Device

If you want to revoke a certificate’s network access, you can do that quite easily in SecureW2. Here’s how.

  1. Go back to Certificates in SecureW2 Management Portal.
  2. Click “Revoke” on the certificate.
  3. If you try to connect to the SCEP Wi-Fi network, it will not automatically connect you to the network.
    • Instead you’ll see a login credentials prompt.

The industry is moving to the cloud, and Addigy is helping Apple environments migrate that way. By integrating Addigy with SecureW2, you can ensure all managed Apple devices will be able to securely and automatically enroll themselves for certificates. SecureW2’s cost-effective services make it easier to issue and manage certificates for network authentication.