Onboard Android devices with certificates using SOTI MobiControl and SCEP
In this topic, you will learn how to deploy Portnox™ Cloud certificates to Android devices via SOTI MobiControl and SCEP.
Turn on the Portnox Cloud SCEP services
In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.
If you have previously turned on the Portnox Cloud SCEP services, skip this section and continue with the later steps.
Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.
- In the Cloud portal top menu, click on the Settings option.
- In the Cloud portal left-hand side menu, click on the option.
- Enable integration with SCEP services.
- Click on the Edit link.
- Activate the Enable integration checkbox.
- Click on the Save button.
- Click on the ⧉ icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
- Click on the ⧉ icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.
Download the root CA certificate from Portnox Cloud
In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal.
You need the root CA certificate so that your managed devices can verify the validity of cloud RADIUS servers, which have certificates signed by this root CA certificate. If the root CA certificate is not distributed to managed devices, some devices may show a security warning each time that the user connects to networks managed by Portnox Cloud.
- In the Cloud portal top menu, click on the Settings option.
- In the Cloud portal left-hand side menu, click on the option.
The right-hand pane shows the list of active servers.
- Click on any of the active RADIUS services to show its configuration.
- Click on the Download root certificate link to download the root CA certificate.
Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.
Copy the tenant CA certificate thumbprint from Portnox Cloud
In this section, you will copy the tenant CA certificate thumbprint from the Cloud portal and save it, so you can use it later in SOTI MobiControl configuration.
- In the Cloud portal top menu, click on the Settings option.
- In the Cloud portal left-hand side menu, click on the option.
- In the Trusted Root Certificates section, select the value of the Thumbprint next to the certificate that you are currently using (if more than one) and use your operating system’s copy function to copy this value to the clipboard.
- Save the value from the clipboard in a temporary text file to use it later during configuration.
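The SCEP URL, SCEP password and tenant CA thumbprint copied in the two sections above are only useful if they match what the SCEP server actually serves. The following script is an added example (not Portnox or SOTI code) that checks two of those values offline-testably: it builds the standard SCEP GetCACaps and GetCACert GET requests (RFC 8894) against the copied SCEP URL, and compares the thumbprint of the CA certificate the server returns with the thumbprint copied from the portal, normalising the colon/space formatting that different UIs add. The URL, the thumbprint and the tiny DER blob used as a stand-in certificate are constructed placeholders; the Content-Type check that rejects a PKCS#7 bundle (application/x-x509-ca-ra-cert) is there because hashing such a bundle would never match a single certificate's thumbprint.

```python
"""Sanity checks for the SCEP URL and CA thumbprint copied from the Portnox Cloud portal.

Added example, not Portnox or SOTI code. Assumptions (placeholders, not values from the
page): the SCEP URL shape, the thumbprint string, and the DER blob used as a stand-in cert.
"""
import base64
import hashlib
import re
from typing import Callable, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

SCEP_URL = "https://scep.example.test/scep"  # placeholder: paste the SCEP URL copied from the portal
# Constructed stand-in for a DER certificate (a 5-byte ASN.1 SEQUENCE, not a real X.509 cert);
# the thumbprint logic only hashes raw DER bytes, so this is enough for the offline demo.
FAKE_DER = bytes.fromhex("3003020101")
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def scep_operation_url(base_url: str, operation: str, message: Optional[str] = None) -> str:
    """Build the GET URL for a SCEP operation, keeping any query the base URL already carries."""
    parts = urlsplit(base_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("operation", operation))
    if message is not None:
        query.append(("message", message))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def parse_ca_caps(body: bytes) -> Set[str]:
    """Parse a GetCACaps response: one capability keyword per line (RFC 8894 section 3.5.2)."""
    return {line.strip() for line in body.decode("ascii", "replace").splitlines() if line.strip()}


def to_der(data: bytes) -> bytes:
    """Accept a certificate as DER or PEM and return its DER bytes (a .cer file may be either)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        match = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
        if not match:
            raise ValueError("PEM input contains no CERTIFICATE block")
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def thumbprint(cert: bytes, algorithm: str = "sha1") -> str:
    """Certificate thumbprint: hash of the DER encoding as upper-case hex without separators."""
    return hashlib.new(algorithm, to_der(cert)).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Strip the colons and spaces that different UIs insert so two thumbprints compare reliably."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def check_scep_ca(base_url: str, expected_thumbprint: str,
                  fetch: Optional[Callable[[str], Tuple[str, bytes]]] = None) -> Tuple[Set[str], bool]:
    """Query GetCACaps and GetCACert; return (capabilities, thumbprint_matches).

    `fetch(url)` must return (content_type, body). The default uses urllib and needs network
    access; the offline demo and tests inject a fake. application/x-x509-ca-cert is a single
    DER certificate; application/x-x509-ca-ra-cert is a PKCS#7 bundle that must be split
    (for example with openssl pkcs7) before its members can be thumbprinted, so it is rejected.
    """
    if fetch is None:
        def fetch(url: str) -> Tuple[str, bytes]:
            with urlopen(url, timeout=10) as resp:
                return resp.headers.get("Content-Type", ""), resp.read()
    _, caps_body = fetch(scep_operation_url(base_url, "GetCACaps"))
    caps = parse_ca_caps(caps_body)
    content_type, cert_body = fetch(scep_operation_url(base_url, "GetCACert"))
    if not content_type.startswith("application/x-x509-ca-cert"):
        raise ValueError(f"GetCACert returned {content_type!r}; expected a single DER certificate")
    expected = normalize_thumbprint(expected_thumbprint)
    algorithm = "sha256" if len(expected) == 64 else "sha1"  # portal UIs show SHA-1 or SHA-256
    return caps, thumbprint(cert_body, algorithm) == expected


def fake_fetch(url: str) -> Tuple[str, bytes]:
    """Stand-in for the network: answers the two SCEP GET operations with constructed data."""
    if "operation=GetCACaps" in url:
        return "text/plain", b"POSTPKIOperation\nSHA-256\nAES\n"
    if "operation=GetCACert" in url:
        return "application/x-x509-ca-cert", FAKE_DER
    raise ValueError("unexpected SCEP operation in " + url)


if __name__ == "__main__":
    caps, ok = check_scep_ca(SCEP_URL, thumbprint(FAKE_DER), fetch=fake_fetch)
    print("CA capabilities:", sorted(caps))
    print("thumbprint matches portal value:", ok)
```

To run it against a real tenant, replace the placeholder URL, pass the thumbprint copied from the Trusted Root Certificates section as `expected_thumbprint`, and call `check_scep_ca` without the `fetch` argument so it uses urllib; a `False` result before you start building the SOTI profile saves a round of enrolment failures later.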
Create the SCEP CA configuration and the SCEP request template
In this section, you will create the SCEP CA configuration and the SCEP request template in SOTI MobiControl. This configuration and this template will be used by the profiles that you will create later.
- Open your SOTI MobiControl tenant dashboard in your browser, and log in as the administrator.
- In the Certificate Authority window, click on the + button.
- In the CERTIFICATE AUTHORITY window:
- Scroll down the CERTIFICATE AUTHORITY window to the Certificate Templates section and click on the + button.
- In the Template Details section:
- Click on the SAVE button to save the SCEP configuration.
Result: You created a configuration for the Portnox Cloud SCEP CA and the SCEP request template.
Create a profile for Android
In this section, you will create a profile in SOTI MobiControl for Android devices. This profile will contain the necessary certificates as well as SCEP and Wi-Fi configurations.
- In the top-right corner of the Profiles pane, click on the NEW PROFILE button.
- In the ADD PROFILE window, click on the Android icon, and then select the type of profile that your Android devices use.
Note: Android devices can be managed using three different profile types. Work Managed is a profile where the entire device is owned by the enterprise and managed by the enterprise. Work Personal is a personal device that has a separate work profile, which is managed by the enterprise. Corporate Personal is a device owned and managed by the enterprise, where the user has a separate personal profile not managed by the enterprise and not accessible to the enterprise.
Important: You must select the type of profile that your Android devices use. If you have Android devices with different profile types, you must create a separate Android profile in SOTI for each of these profile types.
- In the CREATE PROFILE window, in the GENERAL tab, in the Profile Name field, enter a name for the profile.
In this example, we used the name Portnox Cloud Android Profile, but you can use any name you like.
- Click on the CONFIGURATIONS tab and then click on the + button in the top-right corner. Then, select the Certificates option.
- In the Certificates window, in the Add Certificates row, click on the button on the right-hand side to import a new certificate.
- In the Add Certificate window, click on the Browse button, find the root CA certificate file that you downloaded earlier from Portnox Cloud, and then click on the IMPORT button.
- In the Certificates window, activate the switches next to the DigiCert Trusted Root G4 certificate (root CA certificate) and the SCEP request template that you added earlier. Then, click on the Save button.
- In the CONFIGURATIONS tab, click on the + button in the top-right corner. Then, select the WiFi option.
- In the WIFI window:
- In the CONFIGURATIONS tab, click on the + button in the top-right corner. Then, select the Authentication option.
- In the AUTHENTICATION window, configure your device authentication policy according to your preferences.
Note: This configuration is not required by Portnox Cloud, but it is required by SOTI MobiControl if you add certificates. Therefore, you must add this payload, but you can configure it any way you like.
- Click on the SAVE AND ASSIGN button to save your configuration profile and assign it to your managed devices.
Result: You created a profile for Portnox Cloud and Android devices.
After you have created your profile, you can use your regular SOTI MobiControl procedures to push it to managed devices immediately and check that it works correctly. For information on managing devices, pushing profiles, and troubleshooting, consult the SOTI MobiControl documentation.