
Deploying Certificates to Mobile Device Clients

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Microsoft System Center Configuration Manager 2007 can be used to deploy certificates to mobile devices. Common scenarios for certificate deployment to mobile devices include the following:

  • Deploying root certificates and any required intermediate certification authority certificates for native mode or server authentication mode mobile device client installation

  • Deploying client certificates when migrating from mixed mode to native mode

  • Deploying certificates for third-party applications

  • Deploying the Configuration Manager 2007 site server signing certificate

Before deploying certificates, you must acquire exported certificates for your root certification authority and any intermediate certification authorities in the form of X.509 .cer files.

Configuration Manager 2007 can deploy certificates using the following methods:

  • Certificate Installation configuration item

  • Mobile device client installation or upgrade

For more information about certificate installation on mobile devices, see Deploying the PKI Certificates Required for Native Mode.

Deploying Certificates Using the Certificate Installation Configuration Item

Certificates can be deployed to Configuration Manager 2007 managed mobile device clients using the Certificate Installation configuration item. For more information about using the Configuration Items Wizard, see How to Create Configuration Items for Mobile Devices.

Certificate Stores on Mobile Devices

Windows Mobile devices include the following stores for certificates:

  • Root—The root certificates for the mobile device. Root stores are primarily used to validate that a presented certificate successfully chains to a trusted root authority. This store is not used for code execution. A copy of the site server signing certificate is stored here.

  • Software Publishing Certificate (SPC)—SPC certificates define the level of privilege for third-party software programs. There are two types of SPC certificates:

    • Privileged—Privileged certificates have manager rights on the mobile device and unrestricted access to the registry.

    • Unprivileged—Unprivileged certificates have restricted rights on the mobile device and cannot access certain portions of the registry.

  • Intermediate—Intermediate certificates authenticate an uninterrupted chain of authority to the root authority.

Deploying Certificates During Mobile Device Client Installation or Upgrade

The Configuration Manager 2007 mobile device client installation or upgrade process uses an enroller program to deploy certificates to mobile devices. For more information about certificates required by mobile devices in native mode, see About Native Mode Certificates for Mobile Device Clients.

Deploying certificates during mobile device client installation or upgrade requires the following:

For more information about mobile device client installation or upgrade, see How to Install or Upgrade the Mobile Device Management Client.

Certificate Values in DMCommonInstaller.ini and ClientSettings.ini

The DMCommonInstaller.ini and ClientSettings.ini files define values for certificate deployment and must be edited for your specific environment. The following are categories of values for deploying certificates to devices:

  • Certificate enroller

  • Importing certificates

  • Renewing the site server signing certificate

Certificate enroller values

The following values in the DMCommonInstaller.ini file or the ClientSettings.ini file are used to define certificate enrollment during client installation or upgrade. Define these values for the site environment if certificates are to be enrolled:

  • CertEnrollAction=Enroll

  • CertEnrollServer=certserver.contoso.com

  • CertEnrollServerPort=80

    Note
    HTTPS is not supported by the Configuration Manager 2007 mobile device certificate enroller.

  • CertRequestPage=/certsrv/certfnsh.asp

  • CertDownloadPage=/certsrv/certnew.cer

  • CertChainDownloadPage=/certsrv/certnew.p7b

If the CertEnrollAction value is Enroll, the enroller application (Enroll_ARM.exe, Enroll_WinCE5.0_x86.exe, or Enroll_WinCE5.0_ARM.exe) will check for a valid client authentication certificate on the mobile device in the personal store. If no client authentication certificate is found, the mobile device user will be prompted to authenticate and a client authentication certificate is enrolled in the personal store of the mobile device. Additional values in the DMCommonInstaller.ini file or ClientSettings.ini file define the parameters for the enrollment process. For more information, see How to Edit the DMCommonInstaller.ini File for Mobile Device Management or How to Edit the ClientSettings.ini File for Mobile Device Management.

Importing certificates values: ImportCerts

If the ImportCerts value in the DMCommonInstaller.ini file or ClientSettings.ini file is set to True, the setup program will import certificate files (.cer) located in the client transfer directory into the root store on the mobile device. This option is not required to set up native mode if the necessary certificates are already on the mobile device. Certificates to be imported must be in Distinguished Encoding Rules (DER)-encoded binary X.509 format. Base64-encoded X.509 certificates are not supported.
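The following added example (not part of this documentation or the Configuration Manager client) is a pre-deployment check for the two requirements above: it reads the certificate enroller values from a DMCommonInstaller.ini or ClientSettings.ini file and flags missing keys or a port that implies the unsupported HTTPS transport, and it verifies that each .cer file in the client transfer directory is DER-encoded, converting a Base64 file to DER if found. The [Certificates] section name, the sample values, and the port-443 heuristic are assumptions made for the example.

```python
import base64
import re

# Constructed sample of the certificate lines in ClientSettings.ini.
# The [Certificates] section name is an assumption; the parser ignores sections.
SAMPLE_INI = """[Certificates]
CertEnrollAction=Enroll
CertEnrollServer=certserver.contoso.com
CertEnrollServerPort=443
CertRequestPage=/certsrv/certfnsh.asp
CertDownloadPage=/certsrv/certnew.cer
ImportCerts=True
"""

# Values the enroller needs when CertEnrollAction=Enroll (from the documentation).
ENROLL_KEYS = ("CertEnrollServer", "CertEnrollServerPort", "CertRequestPage",
               "CertDownloadPage", "CertChainDownloadPage")


def parse_ini(text):
    """Return key=value pairs, ignoring [section] headers and comment lines."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, val = line.partition("=")
        if sep:
            values[key.strip()] = val.strip()
    return values


def check_enroller_values(values):
    """List problems with the enroller settings; empty list means nothing found."""
    problems = []
    if values.get("CertEnrollAction", "").lower() != "enroll":
        return problems  # enrollment not requested, so the other keys are unused
    for key in ENROLL_KEYS:
        if not values.get(key):
            problems.append("missing " + key)
    if values.get("CertEnrollServerPort") == "443":
        problems.append("CertEnrollServerPort=443 implies HTTPS, which the enroller does not support")
    return problems


def is_der_certificate(data):
    """DER X.509 data begins with an ASN.1 SEQUENCE tag (0x30); Base64 text does not."""
    return len(data) > 2 and data[0] == 0x30


def to_der(data):
    """Return DER bytes: pass DER through, decode a Base64 (.cer with PEM headers) file."""
    if is_der_certificate(data):
        return data
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", data.decode("ascii"))
    return base64.b64decode("".join(body.split()))
```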

Renewing site server signing certificates

The EnableSSSCRenewal value in the DMCommonInstaller.ini file or ClientSettings.ini file specifies whether a site server signing certificate should be downloaded and installed when a new certificate becomes available on the site server. If EnableSSSCRenewal is set to False, the administrator will need to deploy an updated site server signing certificate manually.

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.