
Symantec Mobile Device Management 7.1 Proof of Concept - Part IV: Installing and Configuring SCEP For a Mobile Management 7.1 Proof of Concept

Created: 20 Oct 2011 • Updated: 21 Oct 2011

Warning

THIS WALKTHROUGH is PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE WALKTHROUGH IS WITH YOU. SHOULD THE WALKTHROUGH PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 

Installing SCEP for POC (Mobile Management 7.1 - Installing SCEP Components)

Note: The steps specified here are not Microsoft best practice and are suitable only for a proof of concept environment. Please contact Microsoft for help configuring SCEP for a production environment.

Installing Active Directory Certificate Services

  1. Browse Start > Administrative Tools > Server Manager.
  2. Click on Roles in the top left corner.
  3. In the right hand pane click on Add Roles and then click Next.
  4. Click on the tick box beside Active Directory Certificate Services and then click Next.
  5. On the Introduction to Active Directory Certificate Services page click Next.
  6. On the Select Role Services page click Next.
  7. On the Specify Setup Type page choose Enterprise and then click Next.
  8. On the Specify CA Type page choose Root CA and then click Next.
  9. On the Set Up Private Key page choose Create a new private key and then click on Next.
  10. On the Configure Cryptography for CA page accept the defaults and click on Next.
  11. On the Configure CA Name page accept the defaults and click on Next.
  12. On the Set Validity Period page accept the defaults and click on Next.
  13. On the Configure Certificate Database page accept the defaults and click on Next.
  14. On the Confirm Installation Selections page, review the setting and then click on Install.
  15. When the Installation Results page displays click on Close.

Configuring Network Device Enrollment Service

  1. In Server Manager select Active Directory Certificate Services and on the bottom right hand side of the page click on Add Role Services.
  2. On the Select Role Services page click on Network Device Enrollment Service and then click on Next.
  3. If the Add Role Services page pops up click on Add Required Role Services and click Next.
  4. On the Specify User Account page click on Select User… and enter the credentials of the user who will authorize certificate requests. In our case this is domain\administrator:
     Username: domain\administrator (see Note below)
     Password: password
  5. Click OK.
  6. Click Next.
  7. On the Specify Registration Authority Information page enter the following:
     RA Name: keep the default
     Country/Region: keep the default
     E-mail: your company's contact address, e.g. info@mycompany.com
     Company: MyCompany
     Department: MyDepartment
     City: MyCity
     State/Province: MyState
  8. Click Next.
  9. On the Configure Cryptography for Registration Authority page change the Key Character Length for both the Signature key CSP and the Encryption key CSP to 1024 and then click Next. (1024-bit RSA keys are below current minimum recommendations; this setting is for the POC only. Use 2048 bits or larger for anything that will outlive it.)
  10. On the Confirm Installation Selections page review the settings and click Install.
  11. When the Installation Results page displays click on Close.

Configuring Certificate Enrollment Web Service

  1. In Server Manager, under Active Directory Certificate Services, click on Add Role Services.
  2. On the Select Role Services page click on Certificate Enrollment Web Service and then click on Next.
  3. On the Specify CA for Certificate Enrollment Web Service page accept the defaults and click Next.
  4. On the Select Authentication Type page choose Client certificate authentication and then click Next.
  5. On the Specify Account Credentials for Certificate Enrollment Web Service page select the user that the Certificate Enrollment Web Service will use when communicating with the CA and other services:
     Username: domain\administrator (see Note below)
     Password: password
  6. Click OK.
  7. Click Next.
  8. On the Confirm Installation Selections page review the settings and then click on Install.
  9. When the Installation Results page appears click Close.
  10. Close Server Manager.
  11. Open IIS Manager by clicking Start > Administrative Tools > Internet Information Services (IIS) Manager.
  12. When IIS Manager opens, expand servername > Sites > Default Web Site.
  13. Right click on Default Web Site and choose Edit Bindings…
  14. There may be two entries for https. If there are, click on the second https entry and then click on Remove.
  15. On the Site Binding popup click Yes and then click on Close.
  16. Right click on Default Web Site and choose Manage Web Site > Start.
  17. Close IIS Manager.
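A PowerShell check that the three wizards above left the POC server in the expected state. This is an added example and is not part of the original walkthrough. It assumes Windows Server 2008 R2 role-service names, that the RA Name was left at its default (so the two RA certificates NDES issues have a subject beginning CN=<hostname>-MSCEP-RA), and that the WebAdministration module that ships with IIS is available. It goes one step beyond the text: where the wizard steps remove a duplicate https binding by hand, the script removes every https binding after the first. Run it from an elevated PowerShell prompt on the server.

```powershell
# Added verification script (not from the original walkthrough).
# Assumes Windows Server 2008 R2 feature names and the default NDES RA name pattern.
Import-Module ServerManager
Import-Module WebAdministration

# 1. The three role services the walkthrough installs.
$features = 'ADCS-Cert-Authority', 'ADCS-Device-Enrollment', 'ADCS-Enroll-Web-Svc'
foreach ($name in $features) {
    $f = Get-WindowsFeature -Name $name
    if ($f -eq $null -or -not $f.Installed) {
        Write-Warning "Role service $name is not installed"
    } else {
        Write-Host "OK   $name installed"
    }
}

# 2. The NDES registration authority (RA) certificates. NDES issues two RA certificates
#    (signature and encryption) into the machine store; with the default RA Name their
#    subject CN is "<hostname>-MSCEP-RA" (assumption: RA Name left at its default).
$raSubject = "CN=$($env:COMPUTERNAME)-MSCEP-RA"
$raCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "$raSubject*" })
if ($raCerts.Count -lt 2) {
    Write-Warning "Expected two RA certificates with subject $raSubject, found $($raCerts.Count)"
}
foreach ($c in $raCerts) {
    $bits = $c.PublicKey.Key.KeySize
    Write-Host ("RA cert {0} key={1} bits, expires {2}" -f $c.Thumbprint, $bits, $c.NotAfter)
    # The walkthrough picks 1024-bit RA keys for the POC; flag it so the setting
    # is not carried into anything longer lived.
    if ($bits -lt 2048) { Write-Warning "RA key is $bits bits; use 2048 or larger outside the POC" }
}

# 3. Exactly one https binding on Default Web Site (the wizard steps remove a duplicate by hand).
$https = @(Get-WebBinding -Name 'Default Web Site' -Protocol https)
Write-Host "https bindings on Default Web Site: $($https.Count)"
foreach ($b in $https) { Write-Host "     $($b.bindingInformation)" }
if ($https.Count -gt 1) {
    # Keep the first binding, drop the rest.
    $https | Select-Object -Skip 1 | ForEach-Object {
        Remove-WebBinding -Name 'Default Web Site' -Protocol https -BindingInformation $_.bindingInformation
    }
}

# 4. Make sure the site is running, as the final IIS Manager step does.
if ((Get-WebsiteState -Name 'Default Web Site').Value -ne 'Started') {
    Start-Website -Name 'Default Web Site'
}
```

If the RA certificate lookup returns nothing, check the RA Name you entered in the NDES wizard and adjust $raSubject to match it; the binding and feature checks do not depend on it.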

Configuring SCEP Certificate

  1. Open Internet Explorer and browse to http://localhost/certsrv/mscep_admin.
  2. On the Network Device Enrollment Service page note:
     the thumbprint (hash) of the CA certificate
     the enrollment challenge password
     that the challenge password can only be used once and expires within 60 minutes.
  3. We need to be able to enroll multiple devices over a long period of time, so we edit a registry value to make NDES hand out a single, reusable password instead. Be aware of what this does: the password never expires, and anyone who learns it can enroll certificates from this CA until the value is changed back, so this is acceptable for an isolated POC only.
  4. Open Regedit: click Start > Run, type regedit and click OK.
  5. Browse to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP and click on the UseSinglePassword key.
  6. Double click on the UseSinglePassword value, set the Value data to 1, and click OK.
  7. Close Regedit.
  8. Restart IIS: click Start > Run, type iisreset and click OK.
  9. Open Internet Explorer and browse to http://localhost/certsrv/mscep_admin again.
  10. Notice that the password can now be used multiple times and will not expire.
  11. Close Internet Explorer.
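The Regedit and iisreset steps above as a script, followed by a check that the change actually took effect: in single-password mode mscep_admin returns the same challenge password on every request, whereas in the default mode each request produces a fresh one. This is an added example and is not part of the original walkthrough. It assumes the UseSinglePassword key already exists (NDES creates it when the role service is installed), that mscep_admin renders the challenge password as 16 upper-case hexadecimal characters, and that the account running the script is allowed to view mscep_admin (the walkthrough uses domain\administrator); the function name Get-ScepChallengePassword is the script's own.

```powershell
# Added example (not from the original walkthrough): switch NDES to single-password
# mode, restart IIS, then prove the change by reading the challenge password twice.
# Assumes the registry key below already exists and that mscep_admin shows the
# challenge password as 16 upper-case hex characters.
$key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword'

# 0 = one-time passwords that expire after 60 minutes (default)
# 1 = one fixed, reusable, non-expiring password (POC only: anyone who has it can enroll)
$before = (Get-ItemProperty -Path $key -Name UseSinglePassword).UseSinglePassword
Write-Host "UseSinglePassword before: $before"

# Same as the Regedit steps: set the DWORD to 1, then restart IIS so NDES re-reads it.
Set-ItemProperty -Path $key -Name UseSinglePassword -Value 1 -Type DWord
& iisreset | Out-Null

function Get-ScepChallengePassword {
    # mscep_admin requires Windows authentication; the logged-on account's
    # credentials are sent (the walkthrough runs this as domain\administrator).
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    $html = $wc.DownloadString('http://localhost/certsrv/mscep_admin/')
    # Assumption: the password is the only 16-character upper-case hex token on the page.
    $m = [regex]::Match($html, '\b[0-9A-F]{16}\b')
    if (-not $m.Success) { throw 'No challenge password found on the mscep_admin page' }
    return $m.Value
}

$first  = Get-ScepChallengePassword
$second = Get-ScepChallengePassword
if ($first -eq $second) {
    Write-Host "Single-password mode active: both requests returned $first"
} else {
    Write-Warning "NDES still issues a new password per request ($first then $second); check the registry value and that IIS restarted"
}
```

When the POC is finished, set the value back to 0 and run iisreset again; until then, treat the fixed password as a credential to the CA, because that is exactly what it is.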

Part I: Installing and Configuring Windows Server 2008 R2 Enterprise For a Mobile Management 7.1 Proof of Concept

Part II: Installing Mobile Management 7.1 For a Mobile Management 7.1 Proof of Concept

Part III: Obtaining and Installing an Apple APNS Certificate For a Mobile Management 7.1 Proof of Concept

Part IV: Installing and Configuring SCEP For a Mobile Management 7.1 Proof of Concept

Part V: Configuring Mobile Management 7.1 For a Mobile Management 7.1 Proof of Concept