Requirements:
- NDES Server URL and Challenge
- Creating a SCEP Profile
- Addigy Custom MDM Configurations
NDES Server URL and Challenge
The first step to having NDES push certificates to your macOS devices is to collect the credentials a device needs to submit its certificate signing request (CSR) to NDES, which then issues the device's unique certificate.
The two items you will need from your NDES are:
- URL
- Challenge
The URL follows this structure; replace DOMAIN_HERE with your Windows server's domain:
http://DOMAIN_HERE.com/certsrv/mscep
Note: The URL must be reachable from the macOS devices that will request a certificate.
When you navigate to this URL, you'll be prompted for credentials and will land on a page like the image below, which contains the challenge. Take note of both the URL and the challenge, as both are used later in the setup. Treat the challenge as a credential: any device or user that has it can request a certificate from your CA, so handle the profile that carries it (and its raw XML) accordingly.
Creating the SCEP Profile
Now that we have our SCEP URL and challenge, it's time to build the SCEP payload that Addigy MDM will deploy to the macOS devices.
Note: In this walkthrough, we use Apple Configurator 2 to build the profile, but you can use any profile creator tool or write the XML by hand.
In Apple Configurator 2, create a new profile and search for SCEP on the left-hand side.
Once you select the SCEP payload, you will be presented with the following screen. This is where we enter the URL and challenge gathered from NDES. You'll also have to enter other information, such as the instance name and the properties used to generate the certificate signing request.
Addigy uses a special syntax to pull unique information from each device. For example, passing in {{.Fact "udid" }} populates that field with the device's UDID at deployment time. You can use any device fact that Addigy records.
To learn more: Setting up an MDM Payload using Device Facts as variables
Once you finish populating the SCEP payload, press File > Save and give your profile a name. This creates the .mobileconfig file that we will upload and deploy via Addigy.
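For those who would rather generate the profile as XML than click through Apple Configurator, here is an added example (not Addigy's or Apple's code) that builds a SCEP payload with Python's standard plistlib and then parses the result back to confirm that the URL and challenge in it are what you expect, the same check the "Show raw XML" view lets you do by eye once the profile is uploaded. The NDES URL, challenge and organization name are constructed placeholders; the payload keys (URL, Name, Challenge, Subject, Keysize, Key Type, Key Usage) are the standard com.apple.security.scep keys, and the CN uses the Addigy {{.Fact "udid" }} variable described above.

```python
import plistlib
import uuid

# Constructed example values: replace with your own NDES URL, challenge and org.
NDES_URL = "http://DOMAIN_HERE.com/certsrv/mscep"
NDES_CHALLENGE = "EXAMPLE_CHALLENGE_FROM_NDES"
ADDIGY_UDID_FACT = '{{.Fact "udid" }}'  # Addigy device-fact variable, expanded at deploy time


def build_scep_profile(url, challenge, display_name, org, key_size=2048,
                       identifier="com.example.scep.ndes"):
    """Return the bytes of a .mobileconfig containing one SCEP payload."""
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP (NDES)",
        "PayloadContent": {
            "URL": url,
            "Name": "NDES",             # CA instance name (the "Name" field in Configurator)
            "Challenge": challenge,     # enrollment credential from the NDES challenge page
            # Subject is an array of RDNs; each RDN is an array of [type, value] pairs.
            "Subject": [[["CN", ADDIGY_UDID_FACT]], [["O", org]]],
            "Keysize": key_size,
            "Key Type": "RSA",
            "Key Usage": 5,             # 1 = signing, 4 = encryption, 5 = both
            "KeyIsExtractable": False,  # keep the private key bound to this Mac's keychain
            "Retries": 3,
            "RetryDelay": 10,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [scep_payload],
    }
    return plistlib.dumps(profile)


def inspect_scep_profile(data):
    """Parse a .mobileconfig and summarise its SCEP payload for validation.

    Returns a dict with the URL, challenge, key size and whether the subject
    uses an Addigy device-fact variable; raises ValueError if the profile has
    no SCEP payload or is missing the URL/Challenge keys.
    """
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue
        content = payload.get("PayloadContent", {})
        for required in ("URL", "Challenge"):
            if not content.get(required):
                raise ValueError(f"SCEP payload is missing {required}")
        subject_values = [
            value for rdn in content.get("Subject", []) for _, value in rdn
        ]
        return {
            "url": content["URL"],
            "challenge": content["Challenge"],
            "keysize": content.get("Keysize"),
            "subject_uses_device_fact": any("{{.Fact" in v for v in subject_values),
        }
    raise ValueError("no com.apple.security.scep payload found")


if __name__ == "__main__":
    data = build_scep_profile(NDES_URL, NDES_CHALLENGE, "SCEP via NDES", "Example Corp")
    with open("scep_ndes.mobileconfig", "wb") as fh:
        fh.write(data)
    print(inspect_scep_profile(data))
```

Running the script writes scep_ndes.mobileconfig in the current directory, which you can upload to Addigy exactly like a profile saved from Apple Configurator; inspect_scep_profile can also be pointed at any .mobileconfig you already have to confirm the URL and challenge before deploying it.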
Deploying Profile via Addigy Custom MDM Configuration
Now that our SCEP profile is ready and pointing at our NDES, it's time to deploy it to devices.
In the Addigy platform, navigate to Policies > Catalog > MDM Profiles.
Create a new configuration, select macOS, and then select Custom Profile. Then upload your custom .mobileconfig file.
You should then see the profile appear in the Addigy UI. You can inspect the contents of the profile and confirm the URL and challenge by selecting the "Show raw XML" option.
Now that our profile is uploaded to Addigy it is ready to deploy. Navigate to a policy that has your test devices, select Profiles, find the profile we just uploaded, and add it to the policy.
For a detailed walkthrough on uploading Custom MDM Profiles: Configuring and Deploying Any MDM Profile
Within a few minutes, the profile is deployed to the devices in that policy, and the resulting certificates are created and can be viewed or revoked from NDES.