Configure Certification Authority for MDM

10/3/2008

Before you deploy System Center Mobile Device Manager (MDM), make sure that a certification authority server that runs the Windows Server® 2003 Enterprise Edition operating system with Service Pack 2 (SP2) is available and meets the MDM requirements. To install and operate the MDM system successfully, follow the requirements and steps in this section.

Note

MDM does not support multiple root certificate authorities.

To review the system requirements for the certification authority, see System Requirements for MDM Servers and Managed Devices.

Requirements for Certification Authority Configuration

Review the following requirements when you configure a certification authority that the MDM system components will access:

  • Enable issuing Secure Sockets Layer (SSL) certificates: You must configure the certification authority to issue Web server SSL certificates. This capability is required so that every MDM certificate, including those issued to managed Windows Mobile powered devices and to MDM system components, chains up to a single root certification authority. A rollup to a single root certification authority is required for MDM.
  • Configure required client certificate renewal settings: You must enable the following settings on the certification authority to support client certificate renewal directly by using the certification authority server Web site:
    • Accept client certificates
    • Enable client certificate mapping
  • Restart the MDM Enrollment Service after updating group membership: If you add a new member to the CERTSVC_DCOM_ACCESS group, you must restart the MDM Enrollment Service (a Microsoft® Windows NT® service) on the servers that run MDM Enrollment Server. The restart obtains a new Kerberos ticket on MDM Enrollment Server that reflects the updated group membership.
  • Make sure that Request Certificates permissions are configured: If you have changed the default permissions on the certification authority to disable Request Certificates for authenticated users, MDM Setup might be unable to obtain required certificates. To enable Setup to obtain certificates, you must manually grant Request Certificates permissions to the SCMDM2008ServerAdministrators group.

Enable Client Certificate Renewal

To support client certificate renewal directly against the certification authority server Web site, follow these steps on the certification authority server.

To enable client certificate renewal

  1. On the Start menu, choose All Programs, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.

  2. In IIS Manager, expand the server name, right-click Web Sites, and then choose Properties.

  3. In the Web Sites Properties dialog box, on the Directory Security tab, select the Enable the Windows directory service mapper box, and then choose OK.

  4. In IIS Manager, expand Web Sites, expand Default Web Site, right-click CertSrv, and then choose Properties.

  5. In the CertSrv Properties dialog box, on the Directory Security tab, in the Secure Communications box, choose Edit.

  6. In the Secure Communications dialog box, in the Client certificates box, select Accept client certificates, and then choose OK.

  7. In the CertSrv Properties dialog box, choose Apply, and then choose OK.
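The seven steps above set two IIS 6.0 metabase values: SSLUseDSMapper on the Web Sites node (step 3) and the AccessSSLNegotiateCert bit of AccessSSLFlags on the CertSrv virtual directory (step 6). The following script is an added example, not part of the MDM documentation, that reads those values back through the IIS ADSI provider so the configuration can be confirmed from a console and re-audited later. It assumes Windows Server 2003, that CertSrv sits under the Default Web Site (metabase site id 1), and that it runs on the certification authority server as an administrator.

```powershell
# Added example, not part of the MDM documentation: read back the IIS 6.0 metabase
# values that the "To enable client certificate renewal" steps set through IIS Manager.
# Assumes Windows Server 2003 with the IIS ADSI provider and that CertSrv is a virtual
# directory under the Default Web Site (metabase site id 1). Run on the CA server as an
# administrator.

# Bits of the AccessSSLFlags metabase property (IIS 6.0 values).
$AccessSSL              = 8     # Require secure channel (SSL)
$AccessSSLNegotiateCert = 32    # "Accept client certificates"
$AccessSSLRequireCert   = 64    # "Require client certificates"
$AccessSSLMapCert       = 128   # "Enable client certificate mapping" on this node

function Get-CertSrvClientCertConfig {
    param([string]$Server = "localhost", [int]$SiteId = 1)

    $webSites = [ADSI]("IIS://" + $Server + "/W3SVC")                               # the "Web Sites" node
    $certSrv  = [ADSI]("IIS://" + $Server + "/W3SVC/" + $SiteId + "/ROOT/CertSrv")  # the CertSrv virtual directory

    $dsMapper = [bool]$webSites.psbase.InvokeGet("SSLUseDSMapper")   # "Enable the Windows directory service mapper"
    $flags    = [int]$certSrv.psbase.InvokeGet("AccessSSLFlags")

    New-Object PSObject -Property @{
        DirectoryServiceMapper = $dsMapper
        RequireSsl             = (($flags -band $AccessSSL) -ne 0)
        AcceptClientCerts      = (($flags -band $AccessSSLNegotiateCert) -ne 0)
        RequireClientCerts     = (($flags -band $AccessSSLRequireCert) -ne 0)
        ClientCertMapping      = (($flags -band $AccessSSLMapCert) -ne 0)
        RawAccessSSLFlags      = $flags
    }
}

$cfg = Get-CertSrvClientCertConfig
$cfg | Format-List DirectoryServiceMapper, RequireSsl, AcceptClientCerts, RequireClientCerts, ClientCertMapping, RawAccessSSLFlags

# The procedure needs the directory service mapper on and client certificates accepted.
$problems = @()
if (-not $cfg.DirectoryServiceMapper) { $problems += "Windows directory service mapper is not enabled on the Web Sites node" }
if (-not $cfg.AcceptClientCerts)      { $problems += "CertSrv is not set to accept client certificates" }

if ($problems.Count -eq 0) { "CertSrv client certificate renewal settings match the procedure." }
else { $problems | ForEach-Object { "PROBLEM: " + $_ } }

# Informational: a client certificate is only negotiated on HTTPS requests, so note when SSL is optional.
if (-not $cfg.RequireSsl) { "NOTE: CertSrv does not require SSL; client certificates are negotiated only on HTTPS requests." }
```

RequireClientCerts and ClientCertMapping are reported for completeness: the procedure selects Accept client certificates rather than Require, and the per-node "Enable client certificate mapping" box (AccessSSLMapCert) is separate from the Windows directory service mapper that step 3 turns on at the Web Sites level.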

Co-Locate MDM with a Certification Authority or Domain Controller

To install MDM on a certification authority or an Active Directory® domain controller, follow these steps.

Note

This is not a recommended configuration.

To co-locate MDM with a certification authority or domain controller

  1. On the Active Directory domain controller, choose Start, choose All Programs, choose Administrative Tools, and then choose Active Directory Users and Computers.

  2. In Active Directory Users and Computers, choose View, and then choose Advanced Features.

  3. Expand the domain and then choose SCMDM2008 Infrastructure Groups.

  4. Right-click SCMDM2008EnrolledDevices and then select Properties.

  5. In the SCMDM2008EnrolledDevices Properties dialog box, on the Security tab, choose Advanced.

  6. In the Advanced Security Settings for SCMDM2008EnrolledDevices dialog box, choose Add.

  7. In the Select User, Computer, or Group dialog box, choose Object Types.

  8. In the Object Types dialog box, select the Computer box, and then choose OK.

  9. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type the computer name, and then choose Check Names.

  10. After Active Directory verifies the computer name, choose OK.

  11. In the Permission Entry for SCMDM2008EnrolledDevices dialog box, on the Object tab, select the This object only box.

  12. In the Permissions box, in the Allow column, select the Read Permissions box.

  13. On the Properties tab, in the Apply onto list, select This object only.

  14. In the Permissions box, in the Allow column, select the Read Members and Write Members boxes, and then choose OK.

  15. Repeat steps 6 through 14, but in step 9, type Network Service instead of the computer name.

  16. In the Advanced Security Settings for SCMDM2008EnrolledDevices dialog box, choose Apply, and then choose OK.

  17. In the SCMDM2008EnrolledDevices Properties dialog box, choose OK.

  18. In Active Directory Users and Computers, expand the domain, right-click SCMDM2008 Managed Devices, and then choose Delegate Control.

  19. On the Welcome to the Delegation of Control Wizard page, choose Next.

  20. On the Users or Groups page, choose Add.

  21. In the Select Users, Computers, or Groups dialog box, choose Object Types.

  22. In the Object Types dialog box, select the Computer box, and then choose OK.

  23. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type the server name of the enrollment server, and then choose Check Names.

  24. After Active Directory verifies the computer name, choose OK.

  25. On the Users or Groups page, choose Next.

  26. On the Tasks to Delegate page, select Create a custom task to delegate, and then choose Next.

  27. On the Active Directory Object Type page, select the Only the following objects in the folder box, select the Computer objects box, select the Create selected objects in this folder box, select the Delete selected objects in this folder box, and then choose Next.

  28. On the Permissions page, select the General, Property-specific, and Creation/deletion of specific child objects boxes.

  29. On the Permissions page, select the following boxes:

    • Read
    • Write
    • Create All Child Objects
    • Delete All Child Objects
    • Read All Properties
    • Write All Properties

  30. Choose Next.

  31. On the Completing the Delegation of Control Wizard page, choose Finish.
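Steps 4 through 17 grant the enrollment server's computer account and Network Service exactly three rights on the SCMDM2008EnrolledDevices group (Read Permissions, Read Members, Write Members), each scoped to "This object only". The following script is an added check, not part of the MDM documentation, that reads the group's ACL with System.DirectoryServices (present on Windows Server 2003; no ActiveDirectory module is needed) and reports, per principal, whether those rights are present and whether anything wider was granted. The distinguished name, the NetBIOS domain and the enrollment server name are placeholders for your environment.

```powershell
# Added check, not part of the MDM documentation: report the rights that
# SCMDM2008EnrolledDevices grants to the principals named in the co-location procedure.
# Uses System.DirectoryServices (available on Windows Server 2003). The distinguished
# name, domain and computer account below are placeholders.

$groupDn    = 'CN=SCMDM2008EnrolledDevices,OU=SCMDM2008 Infrastructure Groups,DC=contoso,DC=com'  # placeholder
$principals = @('CONTOSO\ENROLL01$', 'NT AUTHORITY\NETWORK SERVICE')  # placeholder computer account (step 9) and Network Service (step 15)

# schemaIDGUID of the 'member' attribute: "Read Members" / "Write Members" in the GUI
# are ReadProperty / WriteProperty restricted to this attribute.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Test-EnrolledDevicesAcl {
    param([string]$Dn, [string[]]$Principals)

    $entry = [ADSI]('LDAP://' + $Dn)
    # Explicit entries only ($false for inherited): the procedure adds explicit ACEs.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

    foreach ($p in $Principals) {
        $mine = @($rules | Where-Object {
            ($_.IdentityReference.Value -eq $p) -and
            ($_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow)
        })

        $readPerms = $false; $readMembers = $false; $writeMembers = $false; $excess = @()
        foreach ($r in $mine) {
            $rights   = [int]$r.ActiveDirectoryRights
            # ObjectType Guid.Empty means the right applies to all properties, which also covers 'member'.
            $onMember = ($r.ObjectType -eq $memberGuid) -or ($r.ObjectType -eq [Guid]::Empty)

            if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ReadControl) -ne 0) { $readPerms = $true }
            if ($onMember -and (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0))  { $readMembers = $true }
            if ($onMember -and (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)) { $writeMembers = $true }

            # Steps 11 and 13 scope each entry to "This object only"; anything else is wider than the procedure.
            if ($r.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None) { $excess += 'inherits to child objects' }
            if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) { $excess += 'GenericAll (Full Control)' }
            if (($r.ObjectType -eq [Guid]::Empty) -and (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)) { $excess += 'write to all properties, not only member' }
        }

        New-Object PSObject -Property @{
            Principal       = $p
            ReadPermissions = $readPerms
            ReadMembers     = $readMembers
            WriteMembers    = $writeMembers
            Excess          = ($excess -join '; ')
        }
    }
}

Test-EnrolledDevicesAcl -Dn $groupDn -Principals $principals |
    Format-Table Principal, ReadPermissions, ReadMembers, WriteMembers, Excess -AutoSize
```

A row with all three rights True and an empty Excess column matches what the procedure grants. The same approach, reading the ACL of the SCMDM2008 Managed Devices container and looking for CreateChild and DeleteChild on computer objects, covers the delegation performed in steps 18 through 31.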

You must grant the Network Service and Local Service accounts Full Control to the Temp folders.

To grant permissions to the Temp folders

  1. On the Start menu, choose Run, type explorer, and then choose OK.

  2. In Windows Explorer, browse to the %SystemDrive%\Windows folder. Typically, the system drive is [C:].

  3. Right-click Temp, and then choose Properties.

  4. In the Temp Properties dialog box, on the Security tab, choose Add.

  5. In the Select Users, Computers, or Groups dialog box, in the Enter the object name to select box, type network service, and then choose Check Names.

  6. After Active Directory verifies the account name, choose OK.

  7. In the Permissions for NETWORK SERVICE box, in the Allow column, select the Full Control box, and then choose Add.

  8. In the Select Users, Computers, or Groups dialog box, in the Enter the object name to select box, type local service, and then choose Check Names.

  9. After Active Directory verifies the account name, choose OK.

  10. In the Permissions for LOCAL SERVICE box, in the Allow column, select the Full Control box, and then choose OK.

  11. Repeat steps 1 through 10 to grant the Network Service and Local Service accounts Full Control permissions to the %SystemDrive%\Documents and Settings\<username>\Local Settings\Temp folder.
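Steps 1 through 11 add two Allow entries (Full Control for NETWORK SERVICE and for LOCAL SERVICE) to each of the two Temp folders. The following script is an added example, not part of the MDM documentation, that applies the same grant with Get-Acl and Set-Acl, using the "this folder, subfolders and files" inheritance that the Explorer dialog applies by default, and then reads the result back. An account that already holds Full Control is left alone, so the script can be re-run. The $UserName value is a placeholder for the profile named in step 11.

```powershell
# Added example, not part of the MDM documentation: grant the Network Service and Local
# Service accounts Full Control on the two Temp folders from the procedure above using
# Get-Acl/Set-Acl. $UserName is a placeholder for the profile named in step 11.

function Grant-TempFullControl {
    param([string]$UserName = '<username>')   # placeholder: profile whose Local Settings\Temp is used

    $accounts = @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE')
    $folders  = @(
        (Join-Path $env:SystemDrive 'Windows\Temp'),
        (Join-Path $env:SystemDrive ('Documents and Settings\' + $UserName + '\Local Settings\Temp'))
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($folder in $folders) {
        if (-not (Test-Path -Path $folder -PathType Container)) { "SKIP     folder not found: $folder"; continue }
        $acl = Get-Acl -Path $folder
        $changed = $false

        foreach ($account in $accounts) {
            # Skip accounts that already hold an Allow Full Control entry on this folder.
            $already = $acl.Access | Where-Object {
                ($_.IdentityReference.Value -eq $account) -and
                ($_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) -and
                (($_.FileSystemRights -band $full) -eq $full)
            }
            if ($already) { "OK       $account already has Full Control on $folder"; continue }

            # Same scope as the Explorer dialog: this folder, subfolders and files.
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $account,
                $full,
                ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
                 [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
            $acl.AddAccessRule($rule)
            $changed = $true
            "GRANT    Full Control for $account on $folder"
        }
        if ($changed) { Set-Acl -Path $folder -AclObject $acl }
    }
}

Grant-TempFullControl -UserName '<username>'

# Read back what is now in place for the two service accounts on the system Temp folder.
(Get-Acl -Path (Join-Path $env:SystemDrive 'Windows\Temp')).Access |
    Where-Object { $_.IdentityReference.Value -like 'NT AUTHORITY\*SERVICE' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Run it from an elevated PowerShell session on the server where MDM is being installed; Set-Acl is only called for a folder whose ACL actually changed.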

Enable Certificate Templates on a Certification Authority Server

Generally, you enable certificate templates by running the ADConfig /enabletemplates command. If you want to enable certificate templates on a certification authority (CA) manually, follow these steps on the certification authority server.

To enable certificate templates on a certification authority server

  1. On the Start menu, choose All Programs, choose Administrative Tools, and then choose Certification Authority.

  2. In Certification Authority, right-click <CA server name>, and then choose Properties.

  3. In the <CA server name> Properties dialog box, on the Security tab, in the Group or user names box, select SCMDM2008ServerAdministrators.

  4. In the Permissions for SCMDM2008ServerAdministrators box, in the Allow column, select the Request Certificates box.

  5. In the <CA server name> Properties dialog box, on the Security tab, in the Group or user names box, select SCMDM2008EnrolledDevices.

  6. In the Permissions for SCMDM2008EnrolledDevices box, in the Allow column, select the Request Certificates box.

  7. In the <CA server name> Properties dialog box, on the Security tab, in the Group or user names box, select SCMDM2008EnrollmentServers.

  8. In the Permissions for SCMDM2008EnrollmentServers box, in the Allow column, select the Issue and Manage Certificates box.

  9. In the <CA server name> Properties dialog box, on the Certificate Managers Restrictions tab, select Restrict certificate managers.

  10. In the Available certificate managers drop-down list, select <domain>\SCMDM2008EnrollmentServers.

  11. In the Groups, users, or computers to manage box, make sure that the SCMDM2008EnrolledDevices group has its Access set to Allow. If this group does not appear in the box, choose Add.

    This setting restricts the SCMDM2008EnrollmentServers group to manage certificates for the SCMDM2008EnrolledDevices group only.

  12. Choose OK.

  13. In Certification Authority, expand <CA server name>, and then choose Certificate Templates.

  14. In the details pane, make sure that the following MDM templates are listed:

    • SCMDM2008GCM
    • SCMDM2008WebServer
    • SCMDM2008MobileDevice
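The permission steps (3 through 8) and the template check (steps 13 and 14) can both be confirmed from a console with certutil.exe, which ships with the certification authority role. The following script is an added check, not part of the MDM documentation or of the ADConfig tool. It assumes that certutil -CATemplates prints one enabled template per line as "Name: Display name -- status", and that certutil -getreg CA\Security prints the decoded CA ACL as lines of the form "Allow  <right>  <DOMAIN\principal>", where certutil names Request Certificates "Enroll" and Issue and Manage Certificates "Certificate Manager"; compare those strings against your own certutil output and adjust them if your build prints them differently. <domain> is a placeholder as in step 10, and the script runs on the CA server so no -config argument is needed.

```powershell
# Added check, not part of the MDM documentation: confirm with certutil.exe that the
# MDM templates are enabled on the CA and that the MDM groups hold the CA permissions
# the procedure grants. Output formats and right names below are assumptions; see the
# comments. <domain> is a placeholder. Run on the CA server.

$domain = '<domain>'   # placeholder NetBIOS domain name
$requiredTemplates = @('SCMDM2008GCM', 'SCMDM2008WebServer', 'SCMDM2008MobileDevice')

# Expected CA permissions from steps 3 through 8. Assumed certutil right names:
# "Enroll" = Request Certificates, "Certificate Manager" = Issue and Manage Certificates.
$expectedRights = @(
    @{ Principal = "$domain\SCMDM2008ServerAdministrators"; Right = 'Enroll' },
    @{ Principal = "$domain\SCMDM2008EnrolledDevices";      Right = 'Enroll' },
    @{ Principal = "$domain\SCMDM2008EnrollmentServers";    Right = 'Certificate Manager' }
)

function Get-CaTemplateNames {
    $out = & certutil.exe -CATemplates 2>&1
    foreach ($line in $out) {
        # Assumed format: "TemplateName: Display Name -- <status>"; skip certutil's trailer line.
        if (($line -match '^(?<name>[^\s:]+):\s') -and ($matches['name'] -ne 'CertUtil')) { $matches['name'] }
    }
}

function Get-CaSecurityLines {
    # The CA ACL lives in the Security value of the CA configuration key; certutil decodes it.
    & certutil.exe -getreg CA\Security 2>&1
}

function Test-CaAllowEntry {
    param([string[]]$SecurityLines, [string]$Principal, [string]$Right)
    # Assumed decoded ACL lines: "Allow  <right(s)>  <DOMAIN\principal>". Matched loosely so
    # tab or space separation and multiple rights on one line do not matter.
    $hit = $SecurityLines | Where-Object {
        ($_ -match '^\s*Allow\b') -and ($_ -like "*$Right*") -and ($_ -like "*$Principal*")
    }
    return [bool]$hit
}

$present = @(Get-CaTemplateNames)
foreach ($t in $requiredTemplates) {
    if ($present -contains $t) { "OK       template enabled: $t" }
    else                       { "MISSING  template not enabled on the CA: $t" }
}

$securityLines = @(Get-CaSecurityLines | ForEach-Object { [string]$_ })
foreach ($e in $expectedRights) {
    if (Test-CaAllowEntry -SecurityLines $securityLines -Principal $e.Principal -Right $e.Right) {
        "OK       $($e.Principal) has '$($e.Right)'"
    } else {
        "CHECK    no Allow '$($e.Right)' entry found for $($e.Principal)"
    }
}

# Steps 9 through 11 (Restrict certificate managers) are stored in the OfficerRights value;
# print it so the SCMDM2008EnrollmentServers -> SCMDM2008EnrolledDevices restriction can be reviewed.
& certutil.exe -getreg CA\OfficerRights
```

A MISSING line for a template means the ADConfig /enabletemplates command or the manual steps above have not been applied to this CA; a CHECK line means the named group has no matching Allow entry on the CA itself (it does not inspect permissions on the individual templates).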