Integrating Kandji with EAP-TLS for Certificate Auto-Enrollment

Kandji is one of the leading mobile device management (MDM) platforms on the market today. We are proud partners of theirs, and have created this guide to help Kandji users configure SecureW2’s SCEP Gateway API so they can auto-enroll their managed devices for certificates and, at the same time, configure those devices for certificate-based (EAP-TLS) Wi-Fi authentication.

Kandji admins will have two deployment options:

  • Option 1: SecureW2 creates a custom .mobileconfig that you push to your devices; it configures them both for SCEP certificate enrollment and for certificate-based Wi-Fi using that SCEP certificate.
  • Option 2: Create the SCEP configuration natively in the Kandji Library, and push a separate custom .mobileconfig that configures devices for certificate-based Wi-Fi using that SCEP certificate.

Prerequisites

For either option, you must have:

  • Active SecureW2 Cloud Connector License
  • Active SecureW2 Managed Device Gateway License
  • Active Kandji License
  • Enterprise-grade access points (i.e. they support WPA2-Enterprise / 802.1X)
  • iOS or macOS devices actively managed in Kandji

For Option 1:

You must send the SecureW2 support team the following information so they can build a custom .mobileconfig file for you to upload into Kandji:

  • Name of the SSID devices will be authenticating against
  • RADIUS server root CA (the CA that issued your RADIUS server certificate; devices use it to validate the server during EAP-TLS)
  • Required Certificate Attributes
    • Subject Field
    • Subject Alternative Name Type
    • RFC 822 Name
    • Key Size
    • Key Usage

Option 1: Custom .mobileconfig for SCEP and Wi-Fi Configuration

After you’ve received the custom .mobileconfig file from the support team, you will need to insert the SCEP URL and Challenge that are generated from SecureW2.

How to generate a SCEP URL and Challenge from SecureW2

  1. Navigate to Identity Management → API Tokens
  2. Populate the fields to create a SCEP Gateway API token
  3. A .csv file will download that contains your SCEP URL and Secret Key
  4. Paste the URL into the SCEP URL field of the custom .mobileconfig
  5. Paste the Secret Key into the Challenge field of the custom .mobileconfig

Create a new Blueprint and, from Library → Add Custom Profile, upload the profile that was shared with you. This configures the device to obtain a certificate from the SecureW2 management portal and connect it to the secured SSID. Treat the Secret Key (the SCEP challenge) as a credential: anyone who holds the URL and challenge can enroll for a certificate, so store the .csv and the finished profile accordingly.

Option 2 : Native Kandji SCEP Configuration + Custom Wi-Fi .mobileconfig

With the second option you create the SCEP configuration using the Kandji Library. A custom .mobileconfig is still required for the Wi-Fi configuration.

  1. Create a new Blueprint or use an existing Blueprint.
  2. Library → Add New
  3. Click on SCEP → Add & Configure

Here you add the SCEP URL and the shared key (Challenge) generated in the SecureW2 management portal, and assign the library item to the Blueprint created in the previous step.

If you have not generated them yet, create the SCEP URL and Challenge from SecureW2 the same way as in Option 1:

  1. Navigate to Identity Management → API Tokens
  2. Populate the fields to create a SCEP Gateway API token
  3. A .csv file will download that contains your SCEP URL and Secret Key
  4. Paste the URL into the URL field in Kandji
  5. Paste the Secret Key into the Challenge field in Kandji

Now populate the remaining settings required for the SCEP profile:

  1. Subject Field
    • Optional: can hold any variable you want; we typically populate it with the user’s email.
  2. Subject Alternative Name Type
    • Required: RFC 822 Name
  3. RFC 822 Name
    • Enter: $SERIAL_NUMBER
    • This value is encoded into the certificate’s SAN and creates the device’s entry in the SecureW2 management portal.
    • You can send multiple RFC 822 Name values by separating them with a semicolon.
  4. NT Principal Name
    • Optional: we leave this blank.
    NOTE: RFC 822 Name is a mandatory field; Kandji must send it so that the SAN values can be encoded in the certificate.
  5. Key Size
    • Required: 2048
  6. Key Usage
    • Optional: Both Signing & Encryption

NOTE: We set Key Usage to Both Signing & Encryption, though in our test lab enrollment also succeeded with no option selected.

Lastly, scroll down to the Options section.

  1. Automatic profile redistribution
    • Required: set it to 30 days before certificate expiration, so the device re-enrolls for a new certificate before the current one stops working.
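To make the two halves of this setup concrete, here is an added example (not SecureW2’s or Kandji’s own code) that builds the kind of .mobileconfig described in Option 1 with Python’s plistlib and then checks it: a root-CA payload for the RADIUS server root CA, a SCEP payload carrying the SecureW2 URL and Challenge plus the certificate attributes from the Kandji field list above (RFC 822 Name = $SERIAL_NUMBER, 2048-bit key, Key Usage = both), and a Wi-Fi payload that does EAP-TLS with that certificate. The payload keys are Apple’s documented configuration-profile keys; the SCEP URL, challenge, SSID, CA bytes, RADIUS host name and the com.example identifiers are placeholders, $EMAIL is an assumed MDM variable, and pinning TLSTrustedServerNames is a hardening choice of this example that the guide does not mention.

```python
import plistlib
import uuid

# Apple SCEP payload "Key Usage" bit flags: 1 = signing, 4 = encryption, 5 = both.
KEY_USAGE_SIGNING = 1
KEY_USAGE_ENCRYPTION = 4
EAP_TLS = 13  # EAP method type for EAP-TLS (RFC 5216)

# Constructed placeholder, not a real certificate: a real profile embeds the DER
# bytes of the RADIUS server's root CA (the "RADIUS Server Root CA" from the guide).
FAKE_RADIUS_ROOT_CA_DER = b"\x30\x82placeholder-not-a-real-DER-certificate"


def _uuid():
    return str(uuid.uuid4()).upper()


def build_profile(ssid, scep_url, challenge, radius_root_ca_der, radius_server_names,
                  allow_trust_exceptions=False):
    """Return a .mobileconfig (XML plist bytes) with root-CA, SCEP and Wi-Fi payloads."""
    root_uuid, scep_uuid, wifi_uuid = _uuid(), _uuid(), _uuid()
    root_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.radius-root." + root_uuid,  # assumed prefix
        "PayloadUUID": root_uuid,
        "PayloadDisplayName": "RADIUS Server Root CA",
        "PayloadCertificateFileName": "radius-root.cer",
        "PayloadContent": radius_root_ca_der,  # bytes serialise as <data>
    }
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep." + scep_uuid,
        "PayloadUUID": scep_uuid,
        "PayloadDisplayName": "SecureW2 SCEP",
        "PayloadContent": {
            "URL": scep_url,          # SCEP URL from the SecureW2 API Tokens .csv
            "Challenge": challenge,   # Secret Key from the same .csv (a credential)
            "Name": "SecureW2",
            # Subject is optional; the guide typically uses the email. $EMAIL is an
            # assumed MDM variable here, substitute whatever your MDM expands.
            "Subject": [[["CN", "$EMAIL"]]],
            # SAN type "RFC 822 Name" carrying $SERIAL_NUMBER, as in the guide.
            "SubjectAltName": {"rfc822Name": "$SERIAL_NUMBER"},
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": KEY_USAGE_SIGNING | KEY_USAGE_ENCRYPTION,  # "Both" = 5
            "KeyIsExtractable": False,  # private key stays in the device keychain
            "Retries": 3,
            "RetryDelay": 10,
        },
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi." + wifi_uuid,
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": "Wi-Fi " + ssid,
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": scep_uuid,  # client identity = the SCEP-enrolled cert
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            # Only the embedded root CA may vouch for the RADIUS server, and only for
            # these names; without this a rogue AP could present any certificate.
            "PayloadCertificateAnchorUUID": [root_uuid],
            "TLSTrustedServerNames": list(radius_server_names),
            "TLSAllowTrustExceptions": allow_trust_exceptions,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.securew2-eaptls",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "SecureW2 EAP-TLS",
        "PayloadContent": [root_payload, scep_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """Return a list of problems; empty means the Wi-Fi payload really uses the
    SCEP identity over EAP-TLS and validates the RADIUS server against the root CA."""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    by_type = {}
    for p in payloads:
        by_type.setdefault(p["PayloadType"], []).append(p)
    scep = by_type.get("com.apple.security.scep", [])
    wifis = by_type.get("com.apple.wifi.managed", [])
    root_uuids = {r["PayloadUUID"] for r in by_type.get("com.apple.security.root", [])}
    if len(scep) != 1 or not wifis:
        return ["profile needs exactly one SCEP payload and at least one Wi-Fi payload"]
    problems = []
    content = scep[0]["PayloadContent"]
    if not content.get("URL") or not content.get("Challenge"):
        problems.append("SCEP URL or Challenge missing")
    if not content.get("SubjectAltName", {}).get("rfc822Name"):
        problems.append("SCEP SubjectAltName needs an rfc822Name")
    if content.get("Keysize", 0) < 2048:
        problems.append("SCEP key size below 2048")
    for w in wifis:
        ssid = w.get("SSID_STR", "?")
        eap = w.get("EAPClientConfiguration", {})
        if w.get("PayloadCertificateUUID") != scep[0]["PayloadUUID"]:
            problems.append(ssid + ": PayloadCertificateUUID does not point at the SCEP payload")
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append(ssid + ": EAP-TLS (13) not in AcceptEAPTypes")
        if not set(eap.get("PayloadCertificateAnchorUUID", [])) & root_uuids:
            problems.append(ssid + ": no RADIUS root CA payload anchored")
        if eap.get("TLSAllowTrustExceptions", True):  # missing key treated as unsafe
            problems.append(ssid + ": TLSAllowTrustExceptions must be false")
    return problems


if __name__ == "__main__":
    data = build_profile("CorpWiFi", "https://scep.example.invalid/scep", "replace-me",
                         FAKE_RADIUS_ROOT_CA_DER, ["radius.example.invalid"])
    assert check_profile(data) == []
    with open("securew2-eaptls.mobileconfig", "wb") as fh:
        fh.write(data)
```

Run it to write securew2-eaptls.mobileconfig, then open the file and swap in the real SCEP URL, Challenge, SSID, RADIUS root CA and server names before uploading it as a custom profile. check_profile is also useful on a profile you received from someone else: it flags the misconfigurations that quietly weaken EAP-TLS, such as a Wi-Fi payload that does not reference the SCEP identity, no anchored RADIUS root CA, or TLSAllowTrustExceptions left on so that a user can click through to an untrusted server.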


Secure EAP-TLS Authentication with Kandji and SecureW2

Once the profile has been completed, the network is ready to authenticate Kandji devices using digital certificates and EAP-TLS. The certificates are pushed to devices without any action from the end user, which removes the risk of user-misconfigured devices. Our services come at an incredibly affordable price to boot.