Active Directory Certificate

Template

You can request a certificate from a Microsoft Certificate Authority (CA) using DCE/RPC and the Active Directory Certificate profile payload instructions detailed at https://support.apple.com/kb/HT5357.

Summary

PayloadType: com.apple.ADCertificate.managed
Supervised Only: N/A
macOS: N/A
macOS Deprecated: N/A
iOS: N/A
iOS Deprecated: N/A
Highlander: N/A

Keys

Description

Description

The description of the certificate request as shown in the certificate selector of other payloads, such as VPN and Network.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

CertServer

Certificate Server

Fully qualified host name of the Active Directory issuing CA.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

CertTemplate

Certificate Template

Template Name as it appears in the General tab of the template's object in the Certificate Templates Microsoft Management Console snap-in. Use the Template name (the cn of the template object under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,... in the forest), not the Template display name shown on the same tab.

Type Default Required Regex iOS macOS Supervised
string User always N/A N/A N/A N/A

CertificateAuthority

Certificate Authority

Name of the CA. This value is the Common Name (CN) of the CA's object in the forest configuration partition, i.e. the first component of the distinguished name CN=(your CA name),CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,(your base domain, e.g. DC=corp,DC=example,DC=com).

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

CertificateAcquisitionMechanism

Acquisition Mechanism

Most commonly RPC. Use HTTP only when requesting through Web Enrollment.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

Valid Choices

  • RPC
  • HTTP

CertificateRenewalTimeInterval

Certificate Expiration Notification Threshold

The number of days before the certificate expires at which to start showing the expiration notification.

Type Default Required Regex iOS macOS Supervised
integer 14 N/A N/A N/A N/A N/A

Keysize

RSA Key Size

The RSA key size for the Certificate Signing Request (CSR).

Type Default Required Regex iOS macOS Supervised
integer 2048 N/A N/A N/A 10.11.0 N/A

UserName

User name

The user name with which to authenticate to the certificate server.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

Password

Password

The password with which to authenticate to the certificate server. The value is carried in the profile as written, so treat any profile containing it as sensitive.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

PromptForCredentials

Prompt for credentials

Prompt the user for credentials instead of supplying UserName and Password in the payload. This setting is not supported for pushed profiles.

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A

Warning

PromptForCredentials seems to have no effect on manually installed profiles. They still ask for credentials.

AllowAllAppsAccess

Allow access to all apps

Allow all apps to access the private key of the certificate in the keychain.

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A

Troubleshooting

Warning

As of approximately macOS 10.12.4, the acquisition mechanism (transport) can no longer be selected, and the payload will not install on a client that is not bound to a directory.

  • If you request a User certificate but the profile has PayloadScope set to System, the request is submitted as the computer account. The template's enrollment permissions will normally deny this, so check that the profile has the correct scope.
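The following is an added example, not code from Apple or from this page: a small Python script that assembles a .mobileconfig carrying one com.apple.ADCertificate.managed payload from the keys documented above, validates the values the reference constrains (acquisition mechanism, key size, credential pairing, PayloadScope) and flags the System-scope case described in the troubleshooting note. The CA host, CA name, template and domain names are constructed placeholders; the ca_container_dn, build_profile and scope_warnings helpers are this example's own, not part of any Apple API.

```python
import plistlib
import uuid

# Added example (not Apple's code): build and check an AD Certificate profile.
# All host, CA, template and domain names below are constructed placeholders.

PAYLOAD_TYPE = "com.apple.ADCertificate.managed"
VALID_MECHANISMS = ("RPC", "HTTP")


def ca_container_dn(domain):
    """DN of the container whose child CN is the CertificateAuthority value,
    derived from the forest root domain (e.g. corp.example.com)."""
    base = ",".join(f"DC={label}" for label in domain.split("."))
    return ("CN=Certification Authorities,CN=Public Key Services,"
            f"CN=Services,CN=Configuration,{base}")


def ad_certificate_payload(cert_server, ca_name, template, description,
                           mechanism="RPC", keysize=2048, renewal_days=14,
                           username=None, password=None,
                           prompt_for_credentials=False, allow_all_apps=False):
    """Return the dictionary for one com.apple.ADCertificate.managed payload."""
    if mechanism not in VALID_MECHANISMS:
        raise ValueError(f"CertificateAcquisitionMechanism must be RPC or HTTP, got {mechanism!r}")
    if not isinstance(keysize, int) or keysize <= 0:
        raise ValueError("Keysize must be a positive integer (default 2048)")
    if (username is None) != (password is None):
        raise ValueError("UserName and Password must be supplied together")
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Active Directory Certificate",
        "Description": description,
        "CertServer": cert_server,                 # FQDN of the issuing CA host
        "CertificateAuthority": ca_name,           # CN of the CA object in AD
        "CertTemplate": template,                  # Template name, not display name
        "CertificateAcquisitionMechanism": mechanism,
        "CertificateRenewalTimeInterval": renewal_days,
        "Keysize": keysize,
        "PromptForCredentials": prompt_for_credentials,
        "AllowAllAppsAccess": allow_all_apps,
    }
    if username is not None:
        # These land in the profile plist verbatim; for manually installed
        # profiles prefer PromptForCredentials over shipping a password.
        payload["UserName"] = username
        payload["Password"] = password
    return payload


def build_profile(payloads, scope, identifier, display_name="AD Certificate"):
    """Wrap payloads in a top-level Configuration profile with the given scope."""
    if scope not in ("User", "System"):
        raise ValueError("PayloadScope must be User or System")
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadScope": scope,
        "PayloadContent": list(payloads),
    }


def scope_warnings(profile):
    """Flag the troubleshooting case: a System-scoped profile submits the
    request as the computer account, so a user template will be denied."""
    warnings = []
    if profile.get("PayloadScope") == "System":
        for p in profile.get("PayloadContent", []):
            if p.get("PayloadType") == PAYLOAD_TYPE:
                warnings.append(f"{p['CertTemplate']}: requested as the computer "
                                "account (System scope); use User scope for user templates")
    return warnings


def to_mobileconfig(profile):
    """Serialise to the XML plist format a .mobileconfig file uses."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_mobileconfig(data):
    return plistlib.loads(data)


if __name__ == "__main__":
    payload = ad_certificate_payload("ca01.corp.example.com", "corp-CA01-CA",
                                     "MacUserAuth", "Corp user certificate")
    profile = build_profile([payload], "User", "com.example.adcert.user")
    print(to_mobileconfig(profile).decode())
```

Write the output to a file with a .mobileconfig extension and install it with the profiles command or your MDM; the scope_warnings check is the quick way to catch the System-scope mistake before the CA rejects the request.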

Uninstall Behaviour

  • The certificate is not revoked upon uninstallation.
  • The certificate is not removed from keychain, but the private key IS removed. The private key is named after the issuing host.