11. Implementing SCEP on Windows Server 2008

In the previous chapter, we implemented SCEP and related services on Mac OS X using Casper from JAMF software. In this chapter, we’ll try to do things a little differently by focusing on SCEP without using third-party software.

We are also going to talk about SCEP only in terms of Windows Server 2008. I know a lot of folks are still using Server 2003, but Server 2008 is almost four years old at this point (2011), so I think it’s reasonable to focus on the current version.

Configuring the Server

Using Microsoft servers for all phases of managing iOS devices may not be the easiest thing right now, but using Server 2008 for SCEP is fairly straightforward. Thanks to years of Microsoft support for certificates in the enterprise, the process is fairly well documented (www.microsoft.com/downloads/en/details.aspx?familyid=44315BFF-B744-4637-A66B-E69B4955EE45&displaylang=en and at www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=e11780de-819f-40d7-8b8e-10845bc8d446).

Other individuals have also written awesome articles that you can find at sites like: http://mobilitydojo.net/2010/01/20/sinking-our-teeth-into-scep. This chapter would not exist but for those sites and Microsoft’s documentation.

Setting Up the Roles

First, you’ll need to make sure your server is set up as both a web server and a certificate server. This is done using the Server Manager application in Windows Server 2008. You should be running Server 2008 Enterprise or Datacenter; the Standard edition does not offer the NDES role service.

On that server you’ll need the Active Directory Certificate Services (ADCS) role installed, with the Network Device Enrollment Service (NDES) role service added to it (Figure 11.1). NDES is the component that actually speaks SCEP.

Figure 11.1. Server Role Services


Installing NDES also installs IIS (Internet Information Services) and the role services it depends on. If ADCS is not already installed, the NDES installation is a little awkward: the Server Manager wizard won’t let you select the Certification Authority and the NDES role services in the same pass, because the NDES setup needs an existing, configured CA to enroll its registration authority certificates from. So, first install the Certification Authority and configure the CA, and then go back and add NDES.


Note

For this chapter, I’m working with Server 2008 Enterprise in stand-alone mode. If your server is part of an existing Active Directory domain, please, please work with your Active Directory administrators on implementing SCEP. Adding random certificate and device enrollment servers in an existing domain without informing your Active Directory administrators is bad.


(If none of this makes any sense to you, you should stop right now, and get in touch with whoever is responsible for Active Directory in your company. This process is not something for the uninitiated to try on a company network, and if you do try this without your Active Directory administrator’s cooperation, you’ll become his favorite person in the whole world. Or not.)

When you get NDES set up, you’re basically done. There’s only one problem: Getting the server to talk to an iPhone. As it turns out, that’s a bit of a mess, caused partially by the iOS 4.x SCEP client issuing requests (such as GetCACaps, the query a client sends to find out which hashes, ciphers, and request methods the CA supports) that aren’t well supported by the native Windows SCEP implementation in Server 2008.

There are ways around this, but they’re all rather painful. So we end up with a well-documented system that just isn’t designed to work with iPhones, and it requires a lot of customization to do so. We also end up with a situation where the customizations themselves aren’t well documented.
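Before blaming the device, it helps to see exactly what the iOS client is asking for and what a server that lacks GetCACaps looks like on the wire. The following is an added example, not code from this book, Microsoft, Apple, or Absolute Manage: it builds the SCEP query URLs, parses a GetCACaps reply, and reports what a specification-following client would fall back to when the reply is not a capability list. It assumes the default NDES endpoint path /certsrv/mscep/mscep.dll, a CA identifier of "ca", and the fallback defaults described in the pre-RFC SCEP drafts (GET-only PKIOperation, single DES, MD5); the two sample replies at the bottom are constructed, not captured from a real server.

```python
"""SCEP GetCACaps probe and parser.

Added example for this chapter; not code from the book, Microsoft, Apple or
Absolute Manage. Assumptions: the default NDES endpoint path
/certsrv/mscep/mscep.dll, a CA identifier of "ca", and the pre-RFC SCEP
fallback defaults (GET-only, single DES, MD5) when GetCACaps is unsupported.
"""
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen

NDES_PATH = "/certsrv/mscep/mscep.dll"   # default NDES location (assumed)

# Capability keywords defined by the SCEP specification (RFC 8894, 3.5.2).
# A valid GetCACaps reply is text/plain with one keyword per line.
KNOWN_CAPS = {
    "AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
    "SHA-1", "SHA-256", "SHA-512", "SCEPStandard",
}


def scep_url(server, operation, message="ca", scheme="http"):
    """Build the GET URL a SCEP client sends to NDES for one operation
    (GetCACaps, GetCACert or PKIOperation)."""
    return f"{scheme}://{server}{NDES_PATH}?" + urlencode(
        {"operation": operation, "message": message})


def parse_cacaps(body, content_type="text/plain"):
    """Return the advertised capability set, or None when the reply is not a
    GetCACaps list (HTML error page, empty body, unknown keyword)."""
    if "text/plain" not in content_type.lower():
        return None
    caps = set()
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if line not in KNOWN_CAPS:
            return None          # not a caps list; treat as unsupported
        caps.add(line)
    return caps or None


def client_choices(caps):
    """What a spec-following client uses given the caps (None = no caps).
    Without GetCACaps the client drops to the weakest draft-era defaults."""
    if caps is None:
        return {"post": False, "cipher": "DES", "hash": "MD5", "renewal": False}
    if "SHA-512" in caps:
        hash_alg = "SHA-512"
    elif "SHA-256" in caps:
        hash_alg = "SHA-256"
    elif "SHA-1" in caps:
        hash_alg = "SHA-1"
    else:
        hash_alg = "MD5"
    cipher = "AES" if "AES" in caps else ("DES3" if "DES3" in caps else "DES")
    return {"post": "POSTPKIOperation" in caps, "cipher": cipher,
            "hash": hash_alg, "renewal": "Renewal" in caps}


def probe(server, timeout=10):
    """Query a live NDES server (network call; not used by the offline
    samples below). An HTTP error, as an NDES without GetCACaps may return,
    is reported as 'no capabilities'."""
    try:
        with urlopen(scep_url(server, "GetCACaps"), timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read().decode("ascii", "replace")
    except HTTPError:
        return client_choices(None)
    return client_choices(parse_cacaps(body, ctype))


# Constructed sample replies (not captured from a real server).
GOOD_REPLY = "POSTPKIOperation\nSHA-1\nDES3\n"
HTML_REPLY = "<html><body><h1>HTTP Error</h1></body></html>"

if __name__ == "__main__":
    print(scep_url("ndes.example.local", "GetCACaps"))
    print(client_choices(parse_cacaps(GOOD_REPLY)))
    print(client_choices(parse_cacaps(HTML_REPLY, "text/html")))
```

The second and third calls are the whole interoperability story in miniature: a CA that answers GetCACaps gets a client that posts its request and signs with the hash it advertised, while a CA that answers with an error page gets a client that assumes single DES and MD5 or simply refuses to continue. Run `probe("ndes.example.local")` against your own server to see which of the two you have.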

I don’t actually blame Microsoft here. iPhones are not part of their main target market. But, it would be nice to see better documentation since I hear that iOS devices are pretty popular in the Windows world. Since we actually want to get this working, we’ll abandon our original intentions and go third-party again, this time with Absolute Manage for Windows.


Note

If you’re starting to think “Gee, SCEP sounds like a great idea, but there seems to be a lot of pain involved with it, especially if you aren’t already an expert,” then you would be in complete agreement with me. SCEP is, I think, a great idea. But even the best documentation I’ve seen for it is incomplete, and the folks doing the documentation for Microsoft/Cisco/Apple and independent sites seem to be writing for themselves, not for people trying to get a handle on using SCEP. One thing writing this book taught me (the hard way) was that there’s not yet a good way to just set up SCEP. Going with a product that already has it implemented really is the best option for now.


Installing Absolute Manage

The initial install of Absolute Manage is straightforward. You install the server, restart, and then install the management console. The next step is to install the Mobile Device Management server.

As with the Server and the Management console, follow Absolute Manage’s instructions because they work well, with only a few places that might bite you. For example, when you get a website certificate, you have to include the private key with the certificate and export them together as a .pfx bundle. No options. That applies to the first certificate you’re asked for. The second one is exported by the Absolute Manage Admin console by clicking the “Save certificate” button in Server Settings in the Server Center (Figure 11.2).

Figure 11.2. Absolute Manage Server Settings page with certificate export button



Note

If you have IIS installed on the same Windows Server 2008 system on which you’re installing Absolute Manage, make sure that you install the complete set of IIS 6 Management Compatibility role services, or the Mobile Device Management server won’t install.


As with Casper, you’ll need to install a push certificate from Apple. You can refer to the documentation referenced in Chapter 10 for doing so. However, when you export the .p12 bundle to import it into Absolute Manage, do not add a password. If you do, Absolute Manage won’t be able to import it (Figure 11.3).

Figure 11.3. Absolute Manage iOS Mobile Device Management settings


At that point, you should be good to go. Point your device to https://<server>/Profile/enrollment.mdm, and you’ll be taken to the enrollment page. By default, Absolute Manage ties itself into Active Directory, so anyone going to this site will need a valid login (Figure 11.4). After login, the system behaves just like every other enrollment. The user sees the Install Profile screen on her device (Figure 11.5), taps the screen a few times, and she’s enrolled!

Figure 11.4. Absolute Manage enrollment login page


Figure 11.5. Absolute Manage enrollment profile installation screen


Wrapping Up

Yes, I know, we still had to use a third party. I’m not really that surprised. If you look at everything that’s going on, particularly with SCEP, it’s not a simple process. You could roll your own, but in the end, why do what you don’t have to? If you have enough iOS devices to justify using SCEP and OTA enrollment, you should recognize that some upfront costs for third-party servers are worth having an easy install and a working system.

There’s a reason why so many companies are practically beating down your door to provide nice, packaged solutions. Setting up SCEP can be hard and tedious. With a plethora of options available, why reinvent the wheel?
