Using a PKI certificate for gateway authentication

Enable a public key infrastructure (PKI) certificate for authentication with Mobile Enterprise Gateway (MEG).

Mobile Enterprise Gateway (MEG) version 2.90 supports the following items for PKI certificate authentication.
  • Device identity certificates and user identity certificates
  • Microsoft CA installed on Windows Server 2016 or later
  • Microsoft AD configured as an Active Directory profile or as an LDAP profile for Active Directory
  • Certificate attributes that can carry the user identity: Subject Name and Subject Alternative Name
  • Directory attributes for the username: UPN, sAMAccountName, CN, UID (not supported in Active Directory), and name
  • Formats of the certificate attribute: UPN and DN
  • Multiple LDAP profiles for Active Directory

Prerequisites
  • Configure the Microsoft CA in the Cloud Extender® Certificate Integration module. For more information, see Microsoft CA integration.

PKI certificate authentication configuration workflow

  1. Configure the Device Certificate from the Cloud Extender Certificate Integration module and define the Subject Name or the Subject Alternative Name that contains the corresponding username attributes from the User Registry verification.
    • If you are using Subject Name, enter the following settings.
      • To set the certificate subject name as DN, enter /CN=%dn% in the Subject Name field of the certificate template.
      • To set the certificate subject name as UPN, enter /CN=%upn% in the Subject Name field of the certificate template.
    • If you are using Subject Alternative Name, enter the following settings.
      • To set the certificate subject alternative name as DN, select Other as the Subject Alternative Name Type and set %dn% as the Subject Template. Set a valid Subject Name (/emailAddress=%email%).
      • To set the certificate subject alternative name as UPN, select UPN as the Subject Alternative Name Type of the certificate template. Set a valid Subject Name (/emailAddress=%email%).
  2. Configure authentication on the Cloud Extender by following the steps in the Cloud Extender Active Directory Configuration page.
  3. Configure Enterprise Gateway Certificate Authorization details by using the Cloud Extender Configuration Tool.
    For Certificate Authentication Mode, configure the following settings.
    • If Validate information on the certificate against user attributes on Corporate Directory is enabled, the Certificate Field Name field used for the validation is displayed.
    • If Check for certificate revocation status is enabled, the In case of failure to check certificate revocation status options are displayed.
  4. Configure a WorkPlace Persona policy that uses a certificate and the newly created template identifier for Mobile Enterprise Gateway (MEG) authentication.
    1. Log in to the customer portal, and go to Workplace Persona Policy > Enterprise Gateway. The Authentication Type for Gateway field is displayed with the default value of Password.
    2. Select Certificate from the Authentication Type for Gateway list, and then confirm that the Identity Certificate for Gateway Authentication field is displayed.
  5. Enroll a new device with the WorkPlace Persona policy, and then wait until you receive a notification that the new identity certificate is pushed to the device.
  6. Import the Certificate Authority Signing certificate to the Windows trust store on the Cloud Extender.
    1. Export the Certificate Authority Signing certificate to a file. For the Microsoft certificate authority, see https://support.microsoft.com/en-us/help/555252 for the procedure.
    2. Import the Certificate Authority Signing certificate to the Windows trust store on the Cloud Extender. See https://technet.microsoft.com/en-us/library/cc754489(v=ws.11).aspx for the procedure.
  7. Restart the gateway.
    1. Go to the Cloud Extender installation directory on the Mobile Enterprise Gateway (MEG) server. For example, C:\Program Files (x86)\<path to MaaS360>\Cloud Extender.
    2. Browse for, and then select the stopMobileGateway.bat file. The .bat extension is displayed only if you configured Windows folder options to show file name extensions.
    3. Wait around 30 seconds for the Mobile Enterprise Gateway (MEG) to stop.
    4. Browse for, and then select the startMobileGateway.bat file to restart the Mobile Enterprise Gateway (MEG).
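The decision the gateway makes in steps 1 and 3 above (expand the subject template, read the username from the Subject Name or Subject Alternative Name, validate it against the configured directory attribute, and honour the revocation-check settings) is easier to reason about as code. The following Python is an added illustration, not MaaS360 or Cloud Extender code: the certificate fields and the directory are constructed dictionaries standing in for a parsed X.509 certificate and an Active Directory lookup, the directory attribute name distinguishedName for the DN format and the option values "deny"/"allow" for the revocation-failure setting are assumptions, and the usernames are made up.

```python
"""Model of the gateway-side certificate authentication decision.

Added illustration, not MaaS360 or Cloud Extender code. A real gateway parses
the X.509 certificate presented in the TLS client handshake; here the
certificate fields and the directory are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed directory entries standing in for Active Directory / LDAP results.
DIRECTORY = [
    {"UPN": "alice@corp.example", "sAMAccountName": "alice", "CN": "Alice Liddell",
     "name": "Alice Liddell", "email": "alice@corp.example",
     "distinguishedName": "CN=Alice Liddell,OU=Users,DC=corp,DC=example"},
    {"UPN": "bob@corp.example", "sAMAccountName": "bob", "CN": "Bob Kaufman",
     "name": "Bob Kaufman", "email": "bob@corp.example",
     "distinguishedName": "CN=Bob Kaufman,OU=Users,DC=corp,DC=example"},
]


def expand_template(template: str, user: dict) -> str:
    """Expand the page's %dn%, %upn% and %email% placeholders for one user."""
    return (template.replace("%dn%", user["distinguishedName"])
                    .replace("%upn%", user["UPN"])
                    .replace("%email%", user["email"]))


def parse_subject(subject: str) -> dict:
    """Split an OpenSSL-style '/CN=.../emailAddress=...' string into RDN -> value.

    A DN pasted into CN ("CN=Alice,OU=...,DC=...") survives intact because DN
    components are comma-separated, while the template uses '/' as separator."""
    rdns = {}
    for item in subject.strip("/").split("/"):
        key, _, value = item.partition("=")
        if key:
            rdns[key] = value
    return rdns


@dataclass
class Cert:
    subject: str                       # subject string as issued by the CA
    san_upn: Optional[str] = None      # SAN of type UPN
    san_other: Optional[str] = None    # SAN of type Other (carries the DN)
    revocation: str = "good"           # constructed status: "good" | "revoked" | "unknown"


@dataclass
class GatewayConfig:
    identity_source: str               # "subject" or "san"
    directory_attribute: str           # "UPN", or "distinguishedName" (assumed name for DN)
    validate_against_directory: bool = True
    check_revocation: bool = True
    on_revocation_check_failure: str = "deny"   # assumed option values: "deny" | "allow"


def extract_identity(cert: Cert, cfg: GatewayConfig) -> Optional[str]:
    """Read the username value from the certificate field the policy points at."""
    if cfg.identity_source == "subject":
        return parse_subject(cert.subject).get("CN")
    # SAN: the UPN type carries a UPN, the Other type carries a DN
    return cert.san_upn if cfg.directory_attribute == "UPN" else cert.san_other


def authenticate(cert: Cert, cfg: GatewayConfig, directory=DIRECTORY) -> tuple:
    """Return (decision, reason); decision is 'allow' or 'deny'."""
    if cfg.check_revocation:
        if cert.revocation == "revoked":
            return "deny", "certificate revoked"
        if cert.revocation == "unknown" and cfg.on_revocation_check_failure == "deny":
            return "deny", "revocation status could not be checked"
    ident = extract_identity(cert, cfg)
    if not ident:
        return "deny", "certificate carries no identity in the configured field"
    if not cfg.validate_against_directory:
        return "allow", f"identity {ident} accepted without directory validation"
    for entry in directory:
        if entry[cfg.directory_attribute].casefold() == ident.casefold():
            return "allow", f"matched directory entry {entry['sAMAccountName']}"
    return "deny", f"no directory entry with {cfg.directory_attribute} == {ident}"


if __name__ == "__main__":
    alice = DIRECTORY[0]
    # Subject Name as UPN: template "/CN=%upn%", validated against the UPN attribute
    cfg = GatewayConfig(identity_source="subject", directory_attribute="UPN")
    print(authenticate(Cert(subject=expand_template("/CN=%upn%", alice)), cfg))
    # Subject Alternative Name as DN: Other = %dn%, Subject Name "/emailAddress=%email%";
    # the revocation check could not complete, so the fail-closed setting denies
    cfg_dn = GatewayConfig(identity_source="san", directory_attribute="distinguishedName")
    cert_dn = Cert(subject=expand_template("/emailAddress=%email%", alice),
                   san_other=expand_template("%dn%", alice), revocation="unknown")
    print(authenticate(cert_dn, cfg_dn))
```

The directory match is the control that matters: a certificate whose CN names a user who does not exist in the directory is denied even though the CA issued it, and leaving Check for certificate revocation status enabled with the fail-closed choice means an unreachable CRL or OCSP responder denies rather than silently admits.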