AirWatch SCEP Gateway Setup

Certificate-based security and managed devices have historically been at odds with one another. Many organizations recognize the value of certificate security, but the effort of configuring each managed device often leads them to settle for credential-based security instead. By configuring a SCEP gateway on AirWatch, certificates can be distributed to individual devices with no end user interaction: a configuration profile is pushed to each managed device and triggers the automatic enrollment process. AirWatch and SecureW2 combined result in a secure network and strongly protected managed devices.

Prerequisites:

The following are the prerequisites for setting up Simple Certificate Enrollment Protocol (SCEP) on AirWatch:

  • End users can enroll their device with AirWatch.
  • Certificate for Apple push notifications has been created and uploaded in AirWatch.

Generating SCEP URL and Secret

To generate the SCEP URL and secret, perform the following steps:

  1. Log into the SecureW2 Management Portal.
  2. Navigate to Identity Management -> API Tokens.
  3. Click Add API Token -> New. The following screen appears:
  4. Enter Name and select SCEP Enrollment Token from the Type drop-down list and click Save.
  5. A csv file containing the SCEP URL and secret is downloaded.

Figure: Generating the SCEP API Token

NOTE: Save this file securely. This file is downloaded only once at the time of token creation. If lost, the token and secret cannot be retrieved.

You can also refer to the steps in the section Configuring API Tokens (SCEP Enrollment Token) of the JoinNow MultiOS and Connector Configuration Guide.

Creating New Intermediate CA for SCEP Gateway Integration

As a best practice, we recommend creating a dedicated intermediate CA for the JoinNow SCEP Gateway integration with AirWatch. With a dedicated CA in place, the emails that SecureW2 JoinNow triggers when a certificate expires can be disabled for these certificates.

To add a new intermediate CA, perform the following steps:

  1. Log into SecureW2 Management Portal.
  2. Navigate to PKI Management -> Certificate Authority -> Add Certificate Authority.
  3. Under Basic, select Intermediate CA from the Type drop-down list.
  4. In the Common Name field, enter a name of your choice and click Save. This generates the new intermediate CA.

Creating User Role

To add a role policy, perform the following steps:

  1. Navigate to Policy Management -> User Roles -> Add Roles Policy.
  2. In the Basic tab, enter the Name and Description for the role policy in the fields provided.
  3. Click Save. The page will refresh and display the Conditions tab.
  4. Under Identity Providers, select the SCEP Token you created in “Generating SCEP URL and Secret” from the drop-down list.

Figure: Creating the role policy to be distributed to users

Creating Enrollment Policy

To add an enrollment policy, perform the following steps:

  1. Navigate to Policy Management -> Enrollment -> Add Enrollment Policy.
  2. In the Basic tab, enter the Name and Description for the enrollment policy in the fields provided.
  3. Click Save. The page will refresh and display the Conditions tab.
  4. Select the user role policy created in “Creating User Role”. Both User and Device role policies are required for enrollment.
  5. Under Settings -> Use Certificate Authority, select the CA created in “Creating New Intermediate CA for SCEP Gateway Integration”.

NOTE: A fallback device policy can be used to allow enrollment based on the User Policy only.

Setting Up Certificate Enrollment via SCEP on AirWatch

Perform the following steps to set up the Certificate Enrollment via SCEP on AirWatch:

Create a Certificate Authority on the AirWatch MDM Portal:

  1. Log in to the AirWatch MDM Portal.
  2. Navigate to Devices -> Certificates -> Certificate Authorities.
  3. Click Add to create a new Certificate Authority.
  4. Enter a Name and Description.
  5. Select Generic SCEP from the Authority Type drop-down list.
  6. Enter the SCEP server URL from the downloaded csv file.
  7. Select Static as the Challenge Type.
  8. Enter the Secret from the downloaded csv file.
  9. Click on Save to save the Certificate Authority.
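Before the SCEP URL and secret from the csv file are entered on the AirWatch side, it is worth confirming that the gateway answers SCEP's GetCACaps query (RFC 8894) over https and with current capabilities (SHA-256, AES, POSTPKIOperation). The Python script below is an added example, not SecureW2's or AirWatch's code; the hostname and the sample GetCACaps reply are constructed assumptions.

```python
"""Pre-flight check of a SCEP gateway URL before it is entered in AirWatch."""
from urllib.parse import urlencode, urlparse
from urllib.request import urlopen

# Capability keywords a SCEP server may list in its GetCACaps reply (RFC 8894, 3.5.2).
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

# Constructed sample reply (assumption, not captured from a real SecureW2 gateway).
SAMPLE_CAPS_BODY = "AES\r\nPOSTPKIOperation\r\nRenewal\r\nSHA-256\r\nSCEPStandard\r\n"

def get_ca_caps_url(scep_url: str) -> str:
    """Append the GetCACaps operation to the SCEP URL taken from the csv file."""
    sep = "&" if "?" in scep_url else "?"
    return f"{scep_url}{sep}{urlencode({'operation': 'GetCACaps'})}"

def parse_ca_caps(body: str) -> set[str]:
    """Parse a text/plain GetCACaps body: one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}

def assess_gateway(scep_url: str, caps: set[str]) -> list[str]:
    """Return findings a defender should resolve; an empty list means no concerns."""
    findings = []
    if urlparse(scep_url).scheme != "https":
        findings.append("SCEP URL is not https: the CA certificate fetched via GetCACert "
                        "is unprotected on the wire unless its fingerprint is checked out of band")
    if not caps & {"SHA-256", "SHA-512"}:
        findings.append("no SHA-256/SHA-512 advertised: PKI messages would be signed with SHA-1")
    if "AES" not in caps:
        findings.append("AES not advertised: enveloped data falls back to triple DES")
    if "POSTPKIOperation" not in caps:
        findings.append("POSTPKIOperation not advertised: requests must be GET-encoded")
    unknown = sorted(caps - KNOWN_CAPS)
    if unknown:
        findings.append(f"unrecognised capability keywords: {unknown}")
    return findings

def check_live(scep_url: str, timeout: float = 10.0) -> list[str]:
    """Query the real gateway (network access required) and assess its reply."""
    with urlopen(get_ca_caps_url(scep_url), timeout=timeout) as resp:
        caps = parse_ca_caps(resp.read().decode("ascii", "replace"))
    return assess_gateway(scep_url, caps)

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://scep.example.com/scep"
    result = check_live(url) if len(sys.argv) > 1 else assess_gateway(url, parse_ca_caps(SAMPLE_CAPS_BODY))
    print("\n".join(result) or "OK: no findings")
```

Run it with the SCEP URL from the csv as the only argument; without an argument it assesses the constructed sample reply instead of contacting a gateway.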

Figure: Creating the certificate authority that will store the certificate used

Create a Certificate Template:

  1. Go to Devices -> Certificates -> Certificate Authorities -> Request Templates.
  2. Click Add to create a new Certificate Template.
  3. Enter a Name and Description for the template.
  4. Provide the CA created earlier under Certificate Authority.
  5. Select the Common Name of the certificate from the drop-down list. For example, the email address of the user.
  6. Enter the Length of the Private Key.

Figure: Configuring the certificate template to be used by AirWatch devices

Create a Profile:

  1. Navigate to Devices -> Profiles & Resources -> Profiles.
  2. Click Add and select the Operating System. In this example, a profile for Android is created.
  3. Enter the Name for the profile.
  4. Click on Credentials and click Configure.
  5. Select Defined Certificate Authority in Credential Source.
  6. Select the newly created Certificate Authority from the Certificate Authority Menu.
  7. Select the newly created Certificate Template from the Certificate Template menu.
  8. Save & Publish to complete the profile.

Figure: Identifying the source of certificates

With that final save, the setup is complete. The organization can now use the SCEP gateway integrated with AirWatch to distribute certificates without manual device configuration or reliance on end users. The configuration profile initiates the enrollment process on the device, which enrolls automatically and connects to the secure network. Configuring the necessary components is straightforward, and the organization gains the security and efficiency that certificate security brings to the network.

AirWatch is a registered trademark of VMware in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.