Video Screencast Help

NDES_Admin account deletion after implementation of SCEP for iOS enrollment

Created: 13 Jun 2013 | 2 comments

Hello,

I'm hoping somone might have an answer for this.  Is the NDES_Admin account (per Microsofts SCEP configuration guide) needed after NDES has been fully deployed and Mobile Manager functionality has been proven?  We are fully live with Mobile Manager and are able to enroll iOS devices without any issues.  However, the NDES_Admin account which was used during the setup of the NDES service, recently came up due to an audit.  So now the question is, do we really need this account?  Does it need to be an Enterprise Admin account at this point?  Any advice would be helpful.

Thanks.

Operating Systems:

Comments 2 CommentsJump to latest comment

ziggy's picture

You can disable it and see if it still works.  If not, then you can quickly re-enable it.  Or change the password, test it, change it back if need be.

adam_burner's picture

Option1:

Use an account which has been granted sufficient priveleges over the SCEP certificate template used in HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP

 (in most cases it is the IPSECIntermediateOffline template)

Option2:

You can leave the NDES credentials blank and use a challenge passphrase instead.  On the NDES server go to localhost/certsrv/mscep_admin to view the challenge passphrase. Note: you may need to use HTTPS.  If the challenge password is set to expire, use regedit to edit the following data:

HKLM \SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword

Set UserSinglePassword to "1" and restart the server.  This way you no longer need to use any kind of admin account to send SCEP requests.  Enter the challenge password in the Altiris console:

For Mobile SP2.1 go to Home > Mobile Management > Device Management > Configuration Editor and edit the SCEP settings profile with the challenge password.

For Mobile SP3 go to Home > Mobile Management > Settings > SCEP Servers (Uncheck "Use unique challenge) and enter the password there.  Once that is done got to the Configuration Editor and Select that SCEP server settings profile from the list.

Adam Burner 
Senior Technical Support Engineer
Mobility and Workforce Applications
Symantec Corporation