Version 8.2
trademarks, copyrights, and other intellectual property rights covering the subject matter in these
documents. The furnishing of this, or any other document, does not in any way imply any license to
these or other intellectual properties, except as expressly provided in written license agreements
with Good. This document is for the use of licensed or authorized users only. No part of this
document may be used, sold, reproduced, stored in a database or retrieval system or transmitted
in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s
authorized use without the express written permission of Good. Any unauthorized copying,
distribution or disclosure of information is a violation of copyright laws.
While every effort has been made to ensure technical accuracy, information in this document is
subject to change without notice and does not represent a commitment on the part of Good. The
software described in this document is furnished under a license agreement or nondisclosure
agreement. The software may be used or copied only in accordance with the terms of those written
agreements.
The documentation provided is subject to change at Good’s sole discretion without notice. It is
your responsibility to utilize the most current documentation available. Good assumes no duty to
update you, and therefore Good recommends that you check frequently for new versions. This
documentation is provided “as is” and Good assumes no liability for the accuracy or completeness
of the content. The content of this document may contain information regarding Good’s future
plans, including roadmaps and feature sets not yet available. It is stressed that this information is
non-binding and Good creates no contractual obligation to deliver the features and functionality
described herein, and expressly disclaims all theories of contract, detrimental reliance and/or
promissory estoppel or similar theories.
Legal Information
© Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/
legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR
GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD,
GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and
GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related
entities. All third-party technology products are protected by issued and pending U.S. and foreign
patents.
Certificates Overview 3
Contents
1 Good MSM Certificates: Technical Overview 6
2 Good MSM Certificate Prerequisites 7
Configure the Certificate Authority 10
Grant the Good MSM Service Account rights to the CA 10
Grant the Good MSM Service Account rights to Exchange Enrollment Agent (Offline Request) and CEP Encryption Services 11
Publish the CEP Encryption and Exchange Enrollment Agent (offline request) templates 12
Create Wi-Fi CA templates 13
Create CA templates 13
Create VPN CA templates 17
Create Exchange CA templates 17
Configure Good MSM to Access your CA 17
Creating an Identity Certificate 18
Creating a Wi-Fi Configuration 19
Creating a VPN Configuration 20
Creating an Exchange ActiveSync Configuration 21
01
Good MSM Certificates: Technical Overview
There are a few important items to understand about Good’s certificate management functionality for Apple iOS devices before starting to configure Good MSM to support your internal CA environment:
Good MSM will automatically discover enterprise Certificate Authority (CA) servers that are members of the same Domain as the Good MSM server.
Good MSM will automatically validate certificate templates installed on the CA server so that only templates appropriate to the specific use case of client authentication will be exposed.
Good MSM does not require SCEP to be turned on at the CA server itself, and does not require that the CA server be directly exposed to devices. Good MSM acts as a registration authority and sets up its own SCEP server to handle the process of issuing authentication certificates to a device that needs to be provisioned to access an enterprise CA server. Only the Good MSM server needs to talk directly to the CA server, and it does so using a secure protocol other than SCEP.
Good MSM does more than simply remove the authentication certificate from the device when the device is retired. Good MSM revokes the certificate so that, if it is restored from a backup, the CA server will reject the certificate when the user attempts to use it to access a corporate Wi-Fi network.
Good MSM will automatically renew a certificate before it expires, based on the expiration date. Good MSM certificates support Wi-Fi Access Points configured with WPA2 Enterprise EAP-TLS.
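The revocation behaviour described above is only effective if the revocation actually lands in the CA database and in the CRL that the RADIUS/Wi-Fi infrastructure checks. The following PowerShell script is an added example, not part of the Good MSM documentation or product, for confirming on the CA side that a retired device’s certificate is revoked. It assumes it runs on the CA (or on a machine with the CA admin tools, passing the CA config string), that `certutil` is available, and that the serial number, CA config string and CRL path are replaced with your own values; the `certutil` output parsing is tolerant of the text and CSV layouts but is an assumption about that tool’s output.

```powershell
# Added example; not from the Good MSM documentation. Confirms that a certificate
# revoked by Good MSM when a device was retired shows as Revoked in the CA
# database and is listed in the CA's current CRL, so a copy restored from a device
# backup is rejected. Serial, CA config and CRL path below are placeholders.

function Get-CaCertDisposition {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,  # hex serial as shown in the CA database
        [string] $CaConfig                               # optional 'host\CA name'; omit when run on the CA
    )
    $cuArgs = @()
    if ($CaConfig) { $cuArgs += @('-config', $CaConfig) }
    $cuArgs += @('-view', '-restrict', "SerialNumber=$SerialNumber",
                 '-out', 'RequestID,Disposition,RevokedEffectiveWhen')
    $text = (& certutil.exe @cuArgs 2>&1) -join "`n"
    # certutil prints the disposition as e.g. "0x15 (21) -- Revoked" (text mode)
    # or "21 -- Revoked" (csv mode). Code 20 = Issued, 21 = Revoked.
    if ($text -match '(\d+)\)?\s*--\s*(\w+)') {
        return [pscustomobject]@{ Serial = $SerialNumber; Code = [int]$Matches[1]; State = $Matches[2] }
    }
    return [pscustomobject]@{ Serial = $SerialNumber; Code = $null; State = 'NotFound' }
}

function Test-SerialInCrl {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [Parameter(Mandatory)] [string] $CrlPath        # published CRL file, e.g. under CertSrv\CertEnroll
    )
    # certutil -dump lists each revoked entry with a "Serial Number:" line.
    $dump   = (& certutil.exe -dump $CrlPath 2>&1) -join "`n"
    $serial = ($SerialNumber -replace '[\s:]', '').ToLowerInvariant()
    $listed = [regex]::Matches($dump, 'Serial Number:\s*([0-9a-fA-F]+)') |
              ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    return [bool]($listed -contains $serial)
}

function Test-RetiredDeviceCert {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [Parameter(Mandatory)] [string] $CrlPath,
        [string] $CaConfig
    )
    $disp  = Get-CaCertDisposition -SerialNumber $SerialNumber -CaConfig $CaConfig
    $inCrl = Test-SerialInCrl -SerialNumber $SerialNumber -CrlPath $CrlPath
    $revoked = ($disp.Code -eq 21)
    [pscustomobject]@{
        Serial     = $SerialNumber
        DbState    = $disp.State
        Revoked    = $revoked
        InCrl      = $inCrl
        CrlCurrent = $revoked -and $inCrl   # false: revoked but CRL not yet republished (certutil -crl)
    }
}

# Usage with placeholder values (the CA name matches the example CA used later in this document):
Test-RetiredDeviceCert -SerialNumber '1a2b3c4d5e6f' `
    -CrlPath 'C:\Windows\System32\CertSrv\CertEnroll\demo-DEMO-DC-CA.crl'
```

A result with `Revoked` true but `InCrl` false means the CA database knows about the revocation but the CRL the access points rely on has not been republished yet; until the next CRL publication, a restored certificate could still pass a CRL-only check, which is the window this check is meant to surface.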
BoxTone Certificates Technical Overview 5
02
Certificate Prerequisites
In order to configure Good MSM to deliver certificates to iOS devices, an authoritative Microsoft PKI infrastructure needs to be in place. The following section is a detailed overview of Good’s requirements.
CA Environment
The Good MSM server and Microsoft CA PKI infrastructure must be members of the same domain.
The CA must have access to directory services and be able to issue and manage certificates.
The CA must have the ability to issue its own self-signed certificates.
The CA must have the ability to create a new private key in order to generate and issue certificates to a client.
The CA must have the ability to configure a cryptographic service provider and pick a hash algorithm that will create a new private key with a specific key length.
Common Name
The CA must have the ability to configure the CA name. This is required to specify a Common Name (CN) with distinguished name prefixes.
Good MSM recommends creating a CA Common Name specific to the Good MSM installation.
Certificate Authority Validity Period and Renewal
The CA validity period needs to be renewed before it expires. If it is not, all certificates that have been issued will need to be reissued. Be sure to set your CA validity period such that you will have enough time to renew.
Good MSM Service Account
The Good MSM service account must have the following access to the Certificate Authority:
Read
Issue and Manage Certificates
Request Certificates
Registration Authority (RA)
Good MSM functions as the Registration Authority for certificates. The Good MSM RA uses two sets of credentials, one for signing and one for encryption: Good MSM uses the CEP Encryption template for encryption and the Exchange Enrollment Agent (Offline Requests) template for signing the certificate requests. Both the CEP Encryption and Exchange Enrollment Agent templates must be configured and published before the Good MSM service can pick them up and validate them.
CEP Encryption Template
The Good MSM service account must have Read and Enroll permissions on the CEP Encryption template.
Exchange Enrollment Agent (Offline Requests)
The Good MSM service account must have Read and Enroll permissions on the Exchange Enrollment Agent (Offline Requests) template.
Wi-Fi Templates Permissions
The Good MSM service account must have Read and Enroll permissions on the Wi-Fi templates.
Wi-Fi Templates: Configuration Requirements
Wi-Fi templates should be configured as follows:
The Wi-Fi template must be configured to have the subject name supplied in the request.
The Wi-Fi template must have the application policy of at least one authorized signature set to Certificate Request Agent for issuing certificates. This policy must also be set for re-enrollment.
The Wi-Fi template must be published before the Good MSM service will be able to pick up and use the template.
Wi-Fi Access Points
The Wi-Fi Access Point must be configured to communicate, via RADIUS, with the Active Directory domain that contains the CA.
Users that will access the Wi-Fi Access Point must be members of a group that has permission to access the AP.
Good MSM supports WPA2-Enterprise EAP-TLS.
Exchange Templates Permissions
The Good MSM service account must have Read and Enroll permissions on the Exchange templates.
Exchange Templates: Configuration Requirements
Exchange templates should be configured as follows:
The Exchange template must be configured to have the subject name supplied in the request.
The Exchange template must have the application policy of at least one authorized signature set to Certificate Request Agent for issuing certificates. This policy must also be set for re-enrollment.
The Exchange template must be published before the Good MSM service will be able to pick up and use the template.
VPN Templates Permissions
The Good MSM service account must have Read and Enroll permissions on the VPN templates.
The VPN template can be very similar to the Wi-Fi templates.
VPN Templates: Configuration Requirements
VPN templates should be configured as follows:
The VPN template must be configured to have the subject name supplied in the request.
The VPN template must have the application policy of at least one authorized signature set to Certificate Request Agent for issuing certificates. This policy must also be set for re-enrollment.
The VPN template must be published before the Good MSM service will be able to pick up and use the template.
VPN Connection Types
Good MSM supports Cisco AnyConnect and Juniper SSL.
Either the Cisco or the Juniper connection must be configured to support certificate based authentication.
Depending upon the connection type, the appropriate VPN client must be installed on the device.
Configure the Certificate Authority
The following section is a high-level overview of the tasks needed to configure a CA within your environment. As certificate management is an integral part of an enterprise’s overall security infrastructure, Good MSM strongly recommends reviewing the CA documentation from Microsoft before making any changes to your internal CA environment.
Grant the Good MSM Service Account rights to the CA
Follow these steps to configure the new CA for use in the Good MSM certificate management workflow:
Right-click the CA and choose Properties. Select the Security tab.
Add the Good MSM service account and select the Read, Issue and Manage Certificates, and Request Certificates rights as displayed below.
Grant the Good MSM service account rights to Exchange Enrollment Agent (Offline Request) and CEP Encryption Services
Follow these steps to allow the Good MSM server to act as a Registration Authority on behalf of the CA:
Go to Certificate Templates (under Active Directory Certificate Services).
Right-click Exchange Enrollment Agent (Offline Request) and select the Security tab.
Add the Good MSM service account and set the Read and Enroll rights as displayed below.
Right-click CEP Encryption and select the Security tab.
Add the Good MSM service account and set the Read and Enroll rights as displayed below.
Publish the CEP Encryption and Exchange Enrollment Agent (offline request) templates
Perform the following under the CA that was created within the domain:
Right-click in the list of Certificate Templates, select New, and choose Certificate Template to Issue.
In the dialog, select the CEP Encryption and Exchange Enrollment Agent (offline request) templates as shown below.
Click OK
Create Wi-Fi CA templates
Performing the following steps on your CA will create a template that issues identity certificates granting users the right to authenticate to a Wi-Fi network:
Create CA templates
Click Certificate Templates (under Active Directory Certificate Services).
Right-click User and choose “Duplicate Template”.
You will be prompted to select a template type; select Windows Server 2003, Enterprise Edition.
Provide a name in the template display name field. Select the Security tab.
Add the Good MSM service account to the dialog and select the Read and Enroll rights.
Select the Subject Name tab and select Supply in the request.
Select the Issuance Requirements tab. Check the field labeled This number of authorized signatures and set it to 1.
Set the field labeled Application Policy to Certificate Request Agent
Publish template
Performing the following steps on your CA will publish the template you created in the previous steps:
Right-click in the list of Certificate Templates, select New, and choose Certificate Template to Issue.
Select the Wi-Fi template just created.
Click OK.
Configure the Good MSM Service Account to be a restricted CA manager
Performing the following steps on your CA will allow the Good MSM service account to act as a restricted CA manager, limited to the templates you add here:
Right-click the CA and choose Properties.
Select the tab labeled Certificate Managers. Choose the Good MSM service account in the list of Certificate Managers.
In the field labeled Certificate Templates select All (if listed) and click Remove. Click Add… and add the Wi-Fi certificate template that was created above.
Click OK.
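The template steps above encode three security-relevant settings (subject supplied in the request, one authorized signature with the Certificate Request Agent application policy, and Read/Enroll for the service account only) plus the publish step. A template that lets the requester choose the subject but does not require the agent signature would let any account with Enroll rights pick an arbitrary identity, so verifying the combination after a GUI walkthrough is worthwhile. The following PowerShell script is an added example, not part of the Good MSM documentation, that audits a template against exactly those requirements by reading its object from Active Directory and the CA’s enrollment-service object. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and that the template CN, CA name and service account are replaced with your own; it does not cover the restricted CA manager step, which is stored on the CA itself rather than in AD.

```powershell
# Added example; not from the Good MSM documentation. Audits a duplicated User
# template against the requirements in the Wi-Fi/VPN/Exchange template steps and
# checks that the CA has published it. Needs the ActiveDirectory module (RSAT).
# Template, CA and account names are placeholders.

Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1                     # bit in msPKI-Certificate-Name-Flag
$OID_CERTIFICATE_REQUEST_AGENT    = '1.3.6.1.4.1.311.20.2.1'  # "Certificate Request Agent" application policy
$GUID_ENROLL_EXTENDED_RIGHT       = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'  # Certificate-Enrollment right

function Test-GoodMsmTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplateName,    # CN of the duplicated template, e.g. 'GoodMSM-WiFi'
        [Parameter(Mandatory)] [string] $CaName,          # CA common name, e.g. 'demo-DEMO-DC-CA'
        [Parameter(Mandatory)] [string] $ServiceAccount   # 'DOMAIN\account' of the Good MSM service account
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -Filter "objectClass -eq 'pKICertificateTemplate' -and cn -eq '$TemplateName'" `
        -Properties msPKI-Certificate-Name-Flag, msPKI-RA-Signature, msPKI-RA-Application-Policies
    if (-not $tpl) { throw "Template '$TemplateName' not found under CN=Certificate Templates" }

    # Requirement: Subject Name tab set to "Supply in the request".
    $nameFlags    = [int]$tpl.'msPKI-Certificate-Name-Flag'
    $subjectInReq = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    # Requirement: Issuance Requirements tab, 1 authorized signature with
    # application policy Certificate Request Agent. This is what stops an
    # enrollee-chosen subject from being issued without the RA's counter-signature.
    $raSignatures  = [int]$tpl.'msPKI-RA-Signature'
    $raPolicies    = @($tpl.'msPKI-RA-Application-Policies') -join ' '
    $agentRequired = ($raSignatures -ge 1) -and
                     ($raPolicies -match [regex]::Escape($OID_CERTIFICATE_REQUEST_AGENT))

    # Requirement: Security tab grants the service account Read and Enroll.
    $acl     = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
    $svcAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $ServiceAccount })
    $hasRead   = [bool]($svcAces | Where-Object {
        $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|GenericAll' })
    $hasEnroll = [bool]($svcAces | Where-Object {
        $_.ObjectType -eq $GUID_ENROLL_EXTENDED_RIGHT -or $_.ActiveDirectoryRights -match 'GenericAll' })

    # Requirement: template published ("Certificate Template to Issue"), i.e. listed
    # on the CA's pKIEnrollmentService object.
    $ca = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -Filter "objectClass -eq 'pKIEnrollmentService' -and cn -eq '$CaName'" `
        -Properties certificateTemplates
    if (-not $ca) { throw "CA '$CaName' not found under CN=Enrollment Services" }
    $published = @($ca.certificateTemplates) -contains $TemplateName

    $pass = $subjectInReq -and $agentRequired -and $hasRead -and $hasEnroll -and $published
    [pscustomobject]@{
        Template             = $TemplateName
        SubjectSuppliedInReq = $subjectInReq
        AgentSignatureReq    = $agentRequired
        SvcAccountRead       = $hasRead
        SvcAccountEnroll     = $hasEnroll
        PublishedOnCA        = $published
        Pass                 = $pass
    }
}

# Usage with placeholder values:
Test-GoodMsmTemplate -TemplateName 'GoodMSM-WiFi' -CaName 'demo-DEMO-DC-CA' `
    -ServiceAccount 'DEMO\svc-goodmsm' | Format-List
```

Run the same function for the VPN and Exchange templates, since the later sections reuse this procedure for them. `SubjectSuppliedInReq` true together with `AgentSignatureReq` false is the combination to fix before publishing: the template would accept whatever subject the requester supplies with no Registration Authority counter-signature.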
Create VPN CA templates
Follow the steps under Create Wi-Fi CA templates, using a VPN template name.
Create Exchange CA templates
Follow the steps under Create Wi-Fi CA templates, using an Exchange template name.
Configure Good MSM to Access your CA
General Setup
To configure Good MSM to use your CA the following steps should be performed:
Log into the Good MSM web console
In the menu under the tab labeled SECURITY select Certificates.
Under Certificate Authorities highlight the name of the CA you wish to configure. The CA being used in this example is named demo-DEMO-DC-CA.
In the right hand pane perform the following steps:
Request the Encryption certificate into Good MSM by clicking the button labeled Request in the row entitled Encryption.
Request the Signing certificate into Good MSM by clicking the button labeled Request in the row entitled Signing.
Once the requests have been completed, refresh your browser. Once the page refresh is complete,
the screen will appear as below:
Creating an Identity Certificate
Before you create a Wi-Fi device configuration that will authenticate with certificates, Good MSM must be configured to use the Identity Certificate that was created on your CA.
To do this:
In the menu under the tab labeled SECURITY select Device Configurations. Select a Device Configuration and go into Edit Mode.
Within the box labeled Add Configuration select Identity Certificate.
Good MSM will automatically populate the fields with a simple Display Name, the Certificate Authority, and the Certificate Template to use. If desired, you can optionally configure the subject template to match a key/value pair to track the user. In the example below the user’s CN is being matched to their Principal Name.
Creating a Wi-Fi Configuration
After adding the Identity Certificate you need to create a Wi-Fi configuration that uses it. To do this:
Within the box labeled Add Configuration under device configuration select Wi-Fi.
Enter the SSID for the Wi-Fi network in the field labeled SSID.
Check Hidden Network and Automatically join the network if appropriate in your environment. In the field labeled Security Types select WPA / WPA2 Enterprise.
Check the box labeled TLS.
In the field labeled Identity Certificate, select the identity certificate configured above.
The field labeled Trusted Certificate Names is optional. If needed in your environment, add the list of server certificate common names that will be accepted by your Wi-Fi Access Points.
Check the box labeled Allow trust exceptions only if appropriate in your environment (not recommended, as it lets the device accept a server certificate that is not in the trusted list).
After setting up the Wi-Fi configuration click Save & Publish to deploy the configuration.
More information on creating device configurations can be found within the Good MSM Security Management Guide
Creating a VPN Configuration
After adding the Identity Certificate you need to create a VPN configuration that uses it. To do this:
Within the box labeled Add Configuration under device configuration select VPN.
Enter the connection name for the VPN network in the field labeled Connection Name.
In the field labeled Connection Type select VPN AnyConnect from the drop down.
In the field labeled Server enter the server domain name that accepts certificate authentication.
In the field labeled User Authentication select Certificate from the drop down.
In the field labeled Identity Certificate, select the identity certificate configured above.
Enable VPN On Demand is optional; leave it unchecked unless you need to restrict access, in which case check it and provide the server domain names.
The Group Name field is optional; leave it blank.
The Proxy Type field is optional and defaults to None.
Creating an Exchange ActiveSync Configuration
After adding the Identity Certificate you need to create an Email configuration that uses it. To do this:
Within the box labeled Add Configuration under device configuration select Email.
Enter the account name for the Email account in the field labeled Account Name.
certificate based authentication
In the field labeled User Authentication select Certificate from the drop down.
Leave the default settings for the other fields.
Appendix A
Configuring a Certificate Authority (CA) on
Windows Server 2008
The following section provides a brief overview of how a CA is configured in a Windows Server 2008 environment. This is only an example of one method that can be followed to configure a CA. Before you configure a CA within your environment you should work with the various stakeholders within your organization to identify your overall requirements, and a certificate infrastructure should be designed to meet those needs.
Install CA Role
Follow these steps to configure Windows Server 2008 to act as a Certificate Authority:
Open Server Manager
In the Server Manager, click Roles, then Add Roles.
In the wizard, select Active Directory Certificate Services. Select “Certification Authority”.
Select Enterprise
Select “Root CA”
Select “Create a new Private Key”
The next screen lists the available Cryptographic Service Providers (CSPs). Select the CSP and hash algorithm that work best in your environment. Good MSM supports all algorithms supported by the Microsoft CA.
Enter the common name that will be used to identify the CA in the next screen. This name will be synchronized with Good MSM and appear in the Good MSM UI.
Configure the expiration date of the CA on this page.
Click Next until the installation finishes and finally select Close.
Close and re-open the Server Manager application. The CA role you just added should appear