Configuring Enterprise Onboarding
This section covers the configuration for enterprise onboarding. It involves configuring the profiles, SCEP server and CSR templates.
Configuring Enterprise Onboarding for a User Role
Enterprise onboarding is enabled in the user role, and each profile can be applied to all user roles or specific roles. The SCEP server and CSR templates allow certificates to be generated dynamically for device and server authentication.
To enable enterprise onboarding for a user role:
1.In the admin console, choose Users > User Roles > RoleName > General > Overview.
2.In the Enterprise Device Onboarding section, select the Enterprise Onboarding check box.
3.Click Save Changes.
4.Click the Enterprise Onboarding tab or click Options next to the Enterprise Onboarding check box to specify the following:
•Auto launch – Displays the onboarding page when the user logs in to PPS if enterprise onboarding is enabled for the user’s role (the default). If this option is disabled, an onboarding link is displayed on the home page.
•·Install Pulse Secure client – Select this option to automatically install Pulse Secure Client during windows onboarding.
•Use third party MDM for onboarding – Displays a link on the onboarding or home page where the user can download profiles from an MDM server. Enter the URL for the MDM page in the text box.
5.Click Save Changes.
Configuring the SCEP Server
The Simple Certificate Enrollment Protocol (SCEP) server configuration and CSR templates allows each client device to dynamically obtain certificates for authentication. The SCEP server and CSR templates allow certificates to be generated dynamically for device and server authentication.
To define the SCEP server:
1.Select Users > Enterprise Onboarding.
2.Click SCEP Configuration.
3.Complete the configuration as described below
|
Setting |
Description |
|
SCEP Server URL |
Enter the URL for a SCEP server. The following SCEP servers are supported: Microsoft AD 2008 Symantec mPKI |
|
Challenge |
Specify the password required by the SCEP server. |
|
Retries |
Specify the number of attempts to access the server when the first attempt fails. |
|
Retry Delay |
Specify the number of seconds between retry attempts. |
|
Upload Encryption Certificate |
Click Browse to upload the certificate used to encrypt SCEP requests. To upload the certificate automatically, select the Test Enrollment check box, select a CSR template, and click Test Configuration. |
4.Click Save Changes.
Configuring CSR Templates
If the SCEP server is configured, the Certificate Signing Request (CSR) templates can be used in the VPN, Wi-Fi, and certificate profiles to allow each onboarded device to dynamically obtain certificates for authentication on iOS devices. Up to 10 templates can be defined.
All LDAP attributes (such as <ldap.userAttrName>) and variables (such as <user>) can be used in the Subject DN, Email, and Subject Alternative Name Value fields. However, if you enter an LDAP variable with a string vector data type in the Subject Alternative Name Value field, only the first value in the string will be used.
To configure CSR templates:
1.In the admin console, choose Users > Enterprise Onboarding > CSR Templates.
2.To add a template, click New CSR Template or select an existing template that you want to change, duplicate, or delete. Clicking Duplicate creates a copy of the selected template with Copy of before the template name.
3.Specify the following information:
|
Setting |
Description |
|
Name |
Specify the template name displayed in the list of CSR templates. |
|
Subject DN |
Specify the subject distinguished name. For example: CN=<USERNAME>,OU=Engineering,O=Comp All LDAP attributes (such as <ldap.userAttrName>) and variables (such as <user>) can be used. |
|
|
(Optional) Specify an email address with the <USER> variable, such as <USER>@sample.net. |
|
Subject Alternative Name Type |
Select an alternative name type if the CA requires an alternative subject name. The types include RFC-822 Name (an e-mail address), DNS domain name, URI, and IP address. |
|
Subject Alternative Name Value |
Specify one or more values for the selected alternative name type. Multiple values must be separated by a comma or space. If an LDAP variable is specified that has a string vector data type, only the first value in the string will be used. |
|
Key Size |
Select the key size used by the SCEP server. |
4.Click Save Changes.
Configuring VPN Profiles
VPN profiles provide Android and iOS devices with secure access to enterprise networks. One or more VPN profiles can be assigned to specific user roles or to all roles. Up to 10 profiles can be defined.
All LDAP attributes (such as <ldap.userAttrName>) and variables (such as <user>) can be used in the Username, Realm, and Role fields.
To define VPN profiles:
1.In the admin console, choose Users > Enterprise Onboarding > VPN Profiles.
2.To add a profile, click New Profile or select an existing profile that you want to change, duplicate, or delete. Clicking Duplicate creates a copy of the selected profile with Copy of before the profile name.
The first profile that matches a user’s role and client type becomes the default VPN profile on the client. Use the arrow keys to move a profile up or down the list.
3.Specify the following profile information:
|
Setting |
Description |
|
Name |
Specify the name to be displayed in the list of VPN profiles. |
|
Description |
(Optional) Enter a description of the VPN profile. |
|
Apply to Client Types |
Select the device types the profile applies to (Android and iOS only). |
|
Server URL |
Specify the URL of the VPN server (must be a PPS device). |
|
Realm |
Specify the realm name. The realm is required only if the sign-in URL has the User picks from a list of authentication realms option enabled. |
|
Role |
Specify the user role. The user role is required if the role mapping rules for the user realm specify multiple roles and the User must select from among assigned roles option is enabled. |
|
Username |
Specify the <USER> variable for the user name. |
|
Authentication Method |
Select Password or Certificate for the user authentication method. For certificate authentication, specify the following: •Use CSR Template—Select the CSR template used to obtain the certificate. To create a CSR template, see “Defining CSR Templates”.<XREF> •Enable VPN On Demand—Select this option to allow iOS devices to establish the VPN when a specific host or domain is accessed. To specify the first host or domain: •Match Domain or Host—Enter a hostname or a partial domain name. For example, if you enter example.com, a match occurs when the user accesses any domain that ends with example.com, such as www.test-example.com. •On Demand Action—When a match occurs on the specified host or domain, select whether a VPN is always established, never established, or only if the DNS look-up fails (Establish If Needed). Selecting Never Establish does not prevent an existing VPN from being used. To add another domain, click the + button. To remove a domain, select the check box next to the domain and click the - button. Up to 10 domains can be defined. |
|
Roles |
Select one of the following options: •Policy applies to ALL roles—To apply this profile to all users. •Policy applies to SELECTED roles—To apply this profile only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. •Policy applies to all roles OTHER THAN those selected below—To apply this profile to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. |
4.Click Save Changes.
Configuring Wi-Fi Profiles
Wi-Fi profiles provide Android, iOS, MAC OS X, and Windows devices with secure access to wireless networks. One or more Wi-Fi profiles can be assigned to specific user roles or to all roles. Up to 10 profiles can be defined.
All LDAP attributes (such as <ldap.userAttrName>) and variables (such as <user>) can be used in the Username and Password fields for the WPA Enterprise and WPA2 Enterprise security types.
To define Wi-Fi profiles:
1.In the admin console, choose Users > Enterprise Onboarding > WiFi Profiles.
2.To add a profile, click New Profile or select an existing profile that you want to change, duplicate, or delete. Clicking Duplicate creates a copy of the selected profile with Copy of before the profile name.
3.Specify the following profile information:
|
Setting |
Description |
|
Name |
Specify the name to be displayed in the list of Wi-Fi profiles. |
|
Description |
(Optional) Enter a description of the profile. |
|
Apply to Client Types |
Select the device types the profile applies to (Android, iOS, MAC OS X, and Windows). |
|
SSID |
Specify the server set ID of the wireless network. |
|
Non-Broadcast SSID |
Select the check box if the wireless network does not broadcast its identity. |
|
Auto Connect |
Select the check box to connect the client automatically when the network is detected (not supported by Android clients). |
|
Security Type |
Select the type of authentication used by the network, and specify the password or enterprise settings, as required: •None—No authentication required. •WEP—Wired Equivalent Privacy used for a non-enterprise network. Enter the network shared key in the displayed text box. •WPA Personal or WPA2 Personal—Wi-Fi Protected Access used for a non-enterprise network. You can select the encryption method (AES or TKIP) and enter the network shared key in the displayed text box (applies to Windows clients only). •WPA Enterprise or WPA2 Enterprise—Wi-Fi Protected Access used for an enterprise network. Select the Extensible Authentication Protocols (EAP) supported by the network’s RADIUS authentication server. For Android devices, note the following: •Android 4.3 or later is required •For the EAP-TLS protocol, the CA certificate must be configured (along with the client certificate) on Samsung devices for authentication. •An 802.1x RADIUS server certificate must be signed by a private root CA. Authentication fails if the certificate is signed by an intermediate root CA. |
|
EAP |
For the WPA Enterprise and WPA2 Enterprise security types, select the supported EAP protocols and specify the associated authentication settings: •None—If none of the EAP protocols is selected (Android devices only), enter the <USER> and <PASSWORD> variables in the Username and Password fields. iOS, MAC OS X, and Windows clients require at least one of the EAP types to be selected (PEAP, EAP-TLS, or EAP-TTLS). |
|
PEAP |
The PEAP protocol is supported by all clients. Specify the following: •Inner Authentication Method—Select the protocol used to authenticate the username and password (None or MSCHAPv2). The None option is valid only for Android devices. •Username and Password—Enter the <USER> and <PASSWORD> variables. •Outer Identity—Specify an alternate username to be used outside the encrypted tunnel, such as anonymous, to conceal the user’s identity in unencrypted packets. •Trusted Server Name(s)—Specify the IP address or fully qualified domain name of one or more trusted RADIUS servers used by the network. Multiple servers must be separated by a semicolon. •Trusted CA Certificate—For Windows clients, select the Trusted Root CA of the RADIUS server certificate, even if the device certificate is signed by an intermediate CA. The Trusted Root CA must be configured in a certificate profile before it can be selected here (see “Defining Certificate Profiles”)<XREF>. For iOS, MAC OS X, and Android clients, if the RADIUS server certificate is signed by an intermediate CA, create a certificate profile for the intermediate CA, and then select the certificate here. The certificate profile ensures that the intermediate CA is downloaded to the client. |
|
EAP-TLS |
The EAP-TLS protocol is supported by all clients. Specify the following: •Username—Enter the <USER> variable. •Use CSR Template—Select the CSR template used to obtain the certificate. To create a CSR template, see “Defining CSR Templates”.<XREF> •Trusted Server Name(s)—Specify the IP address or fully qualified domain name of one or more trusted RADIUS servers used by the network. Multiple servers must be separated by a semicolon. •Trusted CA Certificate—For Windows clients, select the Trusted Root CA of the RADIUS server certificate, even if the device certificate is signed by an intermediate CA. The Trusted Root CA must be configured in a certificate profile before it can be selected here (see “Defining Certificate Profiles”)<XREF>. On Windows 7 clients that have multiple certificates, users are prompted to select the certificate for 802.1x connections that use EAP-TLS. For iOS, MAC OS X, and Android, if the RADIUS server certificate is signed by an intermediate CA, create a certificate profile for the intermediate CA, and then select the certificate here. The certificate profile ensures that the intermediate CA is downloaded to the client. |
|
EAP-TTLS |
The TTLS protocol is supported by all clients. Specify the following: •Inner Authentication Method—Select the protocol used to authenticate the username and password (None, PAP, or MSCHAPv2). The None option is valid only for Android devices. •Username and Password—Enter the <USER> and <PASSWORD> variables. •Outer Identity—Specify an alternate username to be used outside the encrypted tunnel, such as anonymous, to conceal the user’s identity in unencrypted packets. •Trusted Server Name(s)—Specify the IP address or fully qualified domain name of one or more trusted RADIUS servers used by the network. Multiple servers must be separated by a semicolon. •Trusted CA Certificate—For Windows clients, select the Trusted Root CA of the RADIUS server certificate, even if the device certificate is signed by an intermediate CA. The Trusted Root CA must be configured in a certificate profile before it can be selected here (see “Defining Certificate Profiles”)<XREF>. Also, if the RADIUS server certificate is signed by an intermediate CA, then the public intermediate CA must be configured in a certificate profile to ensure that the intermediate CA is downloaded to the client along with the Wi-Fi TTLS profile configuration. For iOS, MAC OS X, and Android clients, if the RADIUS server certificate is signed by an intermediate CA, create a certificate profile for the intermediate CA, and then select the certificate here. The certificate profile ensures that the intermediate CA is downloaded to the client. |
|
Roles |
Select one of the following options: •Policy applies to ALL roles—To apply this profile to all users. •Policy applies to SELECTED roles—To apply this profile only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. •Policy applies to all roles OTHER THAN those selected below—To apply this profile to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. |
4.Click Save Changes.
Configuring Certificate Profiles
Certificate profiles specify the device certificates sent to each client device during onboarding. Up to 10 profiles can be defined.
For security reasons, certificate profiles cannot be included in the XML export or import.
To define certificate profiles:
1.In the admin console, choose Users > Enterprise Onboarding > Certificate Profiles.
2.To add a profile, click New Profile or select an existing profile that you want to change, duplicate, or delete. Clicking Duplicate creates a copy of the selected profile with Copy of before the profile name.
3.Specify the following information:
|
Setting |
Description |
|
Client Types |
Select the device types the profile applies to (Android, iOS, MAC OS X, and Windows). |
|
Import and Use Global Certificate |
Select this option to use the PPS global certificate to authenticate the client device. Click Import Certificate & Key, click Browse to locate the certificate file, and then click Import. For more information about device certificates, see “Using Device Certificates”. |
|
Import and Use CA Certificate |
Select this option to import any CA certificate (public Root CA, private Root, public intermediate CA, or private intermediate CA). These CA's can be used in Wi-Fi profiles and must be downloaded to the client devices. Click Import and Use CA Certificate, click Browse to locate the certificate, and then click Import CA Certificate. |
|
Generate per User Certificate |
Select this option to use the SCEP server and a CSR template to generate a certificate for each client. Select a CSR template from the Use Certificate Template list. To create a CSR template, see “Defining CSR Templates”<XREF>. |
|
Roles |
Select one of the following options: •Policy applies to ALL roles—To apply this profile to all users. •Policy applies to SELECTED roles—To apply this profile only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. •Policy applies to all roles OTHER THAN those selected below—To apply this profile to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. |
Click Save Changes.
Viewing Onboarded Devices
The Device Management page lists the following types of devices:
•Onboarded devices— Devices that have Enterprise Onboarding enabled in the user’s role and have been onboarded during device registration. After a device is onboarded, it is displayed on the Device Management page until it is deleted.
The username, user roles, operating system, and registration date are shown for each device, along with the onboarded, and access status. Devices that become inactive or invalid must be deleted manually.
To view the Device Management page:
1.Select System > Status > Devices.
2.Use the controls described in table to view and manage the devices.Device Management Page
|
Buttons |
Administrative Actions |
|
|
Update |
To view a specific user, enter the username in the Show Users Named box and click Update. If you do not know the exact username, use an asterisk (*) as a wildcard character. To change the number of displayed devices, enter a number in the Show N devices box and click Update. To change the sort, click a column header. |
To refresh the page, click Update. |
|
Delete |
To delete one or more devices, select the check box next to the appropriate devices and click Delete. If an onboarded device is deleted in error, the user must re-onboard the device. ActiveSync-only devices that are deleted in error are added automatically by the next ActiveSync. |
|
|
Delete All |
To delete the all devices, click Delete All. |
|