Active Directory Certificate¶
You can request a certificate from a Microsoft Certificate Authority (CA) using DCE/RPC and the Active Directory Certificate profile payload instructions detailed at https://support.apple.com/kb/HT5357.
Summary¶
PayloadType: | com.apple.ADCertificate.managed |
---|---|
Supervised Only: | N/A |
macOS: | N/A |
macOS Deprecated: | N/A |
iOS: | N/A |
iOS Deprecated: | N/A |
Highlander: | N/A |
Keys¶
Description¶
Description
The description of the certificate request, as shown in the certificate selector of other payloads such as VPN and Network.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
CertServer¶
Certificate Server
Fully qualified host name of the Active Directory issuing CA.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
CertTemplate¶
Certificate Template
Template name as it appears in the General tab of the template's object in the Certificate Templates snap-in of the Microsoft Management Console (MMC).
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | User | always | N/A | N/A | N/A | N/A |
CertificateAuthority¶
Certificate Authority
Name of the CA. This value is the Common Name (CN) of the CA's Active Directory entry, which sits at CN=(your CA name), CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, (your base Domain Name).
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
CertificateAcquisitionMechanism¶
Acquisition Mechanism
Most commonly RPC. Use HTTP if the CA is reached through Web Enrollment.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
Valid Choices¶
- RPC
- HTTP
CertificateRenewalTimeInterval¶
Certificate Expiration Notification Threshold
The number of days before the certificate expires at which to start showing the expiration notification.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 14 | N/A | N/A | N/A | N/A | N/A |
Keysize¶
RSA Key Size
The RSA key size for the Certificate Signing Request (CSR).
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 2048 | N/A | N/A | N/A | 10.11.0 | N/A |
UserName¶
User name
The user name with which to authenticate to the certificate server.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
Password¶
Password
The password with which to authenticate to the certificate server.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
PromptForCredentials¶
Prompt for credentials
Prompt the user for credentials. This setting is not supported for pushed profiles.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | N/A | N/A | N/A | N/A | N/A |
Warning
PromptForCredentials seems to have no effect on manually installed profiles. They still ask for credentials.
AllowAllAppsAccess¶
Allow access to all apps
Allow all apps to access the certificate in the keychain
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | N/A | N/A | N/A | N/A | N/A |
Troubleshooting¶
Warning
As of approximately macOS 10.12.4 you can no longer select a transport, and the payload will not install if the client is not bound to a directory.
- If you request a User certificate but the payload is in the System PayloadScope, the User certificate will be requested as the computer account. Normally the certificate policy will deny this, so check that you have the correct scope.
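As an added example (not from this page, Apple, or any MDM vendor), a Python helper that assembles the payload dictionary from the keys above and lints it against the manifest facts and the PayloadScope pitfall described in Troubleshooting. The CA host name, CA name and PayloadIdentifier are placeholders, and the profile wrapper around the payload array is left to the caller.

```python
import plistlib
import uuid

# Facts taken from the manifest on this page.
PAYLOAD_TYPE = "com.apple.ADCertificate.managed"
VALID_MECHANISMS = {"RPC", "HTTP"}
REQUIRED_KEYS = {"CertTemplate"}


def build_adcert_payload(cert_server, ca_name, template="User", mechanism="RPC"):
    """Assemble one ADCertificate payload dict; identifier is a placeholder."""
    return {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.adcert",  # placeholder, choose your own
        "PayloadUUID": str(uuid.uuid4()),
        "Description": "AD user certificate",
        "CertServer": cert_server,
        "CertificateAuthority": ca_name,
        "CertTemplate": template,
        "CertificateAcquisitionMechanism": mechanism,
        "CertificateRenewalTimeInterval": 14,
        "Keysize": 2048,
        "PromptForCredentials": False,
        "AllowAllAppsAccess": False,
    }


def lint_adcert_payload(payload, scope="User", pushed=False):
    """Return problems found; scope is the profile's PayloadScope, pushed means MDM-delivered."""
    problems = []
    if payload.get("PayloadType") != PAYLOAD_TYPE:
        problems.append("PayloadType must be " + PAYLOAD_TYPE)
    for key in sorted(REQUIRED_KEYS - payload.keys()):
        problems.append("missing required key " + key)
    mech = payload.get("CertificateAcquisitionMechanism")
    if mech is not None and mech not in VALID_MECHANISMS:
        problems.append("CertificateAcquisitionMechanism must be RPC or HTTP, got %r" % mech)
    # Troubleshooting note: a User template in a System-scoped profile is requested as the computer account.
    if scope == "System" and payload.get("CertTemplate") == "User":
        problems.append("User template in System scope is requested as the computer account")
    if pushed and payload.get("PromptForCredentials"):
        problems.append("PromptForCredentials is not supported for pushed profiles")
    if payload.get("AllowAllAppsAccess"):
        problems.append("AllowAllAppsAccess lets every app use the private key; confirm intent")
    return problems


def to_plist_xml(payload):
    """Serialise the payload as the XML plist body a .mobileconfig carries."""
    return plistlib.dumps(payload).decode("utf-8")
```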
Uninstall Behaviour¶
- The certificate is not revoked upon uninstallation.
- The certificate is not removed from the keychain, but the private key IS removed. The private key is named after the issuing host.