Configuring a certificate template on the Cloud Extender

Follow these steps to configure the certificate template on the Cloud Extender®.

Procedure

  1. Open the Cloud Extender Configuration Tool and select the Certificate Integration module. If this is your first template, you will be prompted to create a new template. If you are adding an additional template, select Add New Template.
    Figure: Template Configuration window
  2. Enter Certificate Authority Server details.
    Template Name: The name of your template. The template name is displayed in the MaaS360® policies under various configuration sections that use identity certificates.
    Hostname of SCEP server: The host name of your NDES server.
    SCEP Server challenge type: NDES requires a challenge password to authenticate certificate requests before the service issues an identity certificate.

    Use a static password each time or a dynamic challenge password that the Cloud Extender parses from the MSCEP Admin page.

    Use one of the following values in this field:
    • Dynamic: The default value for Basic mode.
    • Static: Used for Verizon MCS integration.
    Challenge Username: The credentials of the Device Administrator for SCEP transactions.
    Challenge Password: The credentials of the Device Administrator for SCEP transactions.
  3. Enter the certificate properties.
    Option: Description
    Subject Name: Use the subject name to configure the certificate template to pass specific attributes of the user or device to the certificate request so that the returned certificate uses these values.

    The default string for the subject name is /CN=%uname%/emailAddress=%email%.

    The template supports any of the following dynamic parameters:
    Parameter name: Description
    %udid%: The UDID of the device.
    %csn%: The MaaS360 device ID.
    %uname%: The user name of the device owner.
    %domain%: The domain of the user.
    %email%: The email address for the user.
    %imei%: The IMEI number of the device.
    %model%: The device model.
    %sim%: The SIM number of the device.
    %phnumber%: The phone number of the device.
    User Visibility module attributes:
    • %ou% (Organizational Unit)
    • %cn% (Common Name)
    • %dc% (Domain Component)
    • %dn% (Distinguished Name)
    The template also supports the following static values:
    • CN (commonName)
    • C (countryName)
    • L (localityName)
    • ST (stateOrProvinceName)
    • O (organizationName)
    • OU (organizationalUnitName)
    • G (givenName)
    • S (Surname)
    • I (Initials)
    • UID (uniqueIdentifier)
    • SN (serialNumber)
    • T (title)
    • D (description)

    The Cloud Extender also supports User Custom Attribute variable names for the subject name of the certificate. If you define the User Custom Attribute and read its value from LDAP or set the value locally on MaaS360, you can pass this value to the certificate request.

    Subject Alternate Name: Use this field to uniquely identify the user for authentication. This field is one of the most common fields that is used for the subject alternative name.
    Use one of the following values in this field:
    • None
    • UPN
    • UPN and Email
    • Other: Open ended configuration that supports all variables as the subject name.
    Cache certs on Cloud Extender: If the user reenrolls a device, the Cloud Extender caches certificates locally and repurposes the certificates, instead of contacting the CA for a new certificate.

    Use this option to select a local storage path or a UNC network path that stores certificates.

    Location of Certificate Cache: The local storage path or a UNC network path that stores certificates.
  4. Test your configuration.
    If your test is successful, a confirmation prompt is displayed.
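
The Subject Name string from step 3 can be checked offline before it is saved in a template. The following is an added example, not IBM's code or part of the Cloud Extender: it assumes the subject uses the /KEY=value form of the default string and that attribute keys are case-sensitive, and the names lint_subject and render are hypothetical.

```python
import re

# Dynamic parameters and static attribute keys taken from the lists on this page.
DYNAMIC = {"udid", "csn", "uname", "domain", "email", "imei", "model",
           "sim", "phnumber", "ou", "cn", "dc", "dn"}
STATIC = {"CN", "C", "L", "ST", "O", "OU", "G", "S", "I", "UID", "SN", "T", "D",
          "emailAddress"}  # emailAddress appears in the page's default string

PLACEHOLDER = re.compile(r"%([^%/=]*)%")


def lint_subject(template):
    """Return a list of problems found in a /KEY=value/... subject template."""
    if not template.startswith("/"):
        return ["template must start with '/'"]
    problems = []
    for rdn in template[1:].split("/"):
        key, sep, value = rdn.partition("=")
        if not sep or not value:
            problems.append(f"component {rdn!r} is not KEY=value")
            continue
        if key not in STATIC:  # assumption: keys are matched case-sensitively
            problems.append(f"unsupported attribute {key!r}")
        for name in PLACEHOLDER.findall(value):
            if name not in DYNAMIC:
                problems.append(f"unknown parameter %{name}%")
        if "%" in PLACEHOLDER.sub("", value):
            problems.append(f"unbalanced '%' in {rdn!r}")
    return problems


def render(template, attrs):
    """Preview the subject for one user or device record.

    Rejects a directory value containing '/', which would otherwise be read
    as an extra subject component (for example an additional OU).
    """
    def sub(match):
        value = attrs[match.group(1)]
        if "/" in value:
            raise ValueError(f"{match.group(1)} contains '/': {value!r}")
        return value
    return PLACEHOLDER.sub(sub, template)


if __name__ == "__main__":
    default = "/CN=%uname%/emailAddress=%email%"  # default string from this page
    print(lint_subject(default))
    # Constructed sample user record, not real data.
    print(render(default, {"uname": "jdoe", "email": "jdoe@example.com"}))
```
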

What to do next

Configuring MaaS360 policies to use the Cloud Extender certificate templates