Active Directory Certificate ¶

../../_images/com.apple.ADCertificate.managed.png

Template

You can request a certificate from a Microsoft Certificate Authority (CA) using DCE/RPC and the Active Directory Certificate profile payload instructions detailed at https://support.apple.com/kb/HT5357.

Supervised Only:
PayloadType:	com.apple.ADCertificate.managed
	N/A
macOS:	N/A
macOS Deprecated:
	N/A
iOS:	N/A
iOS Deprecated:	N/A
Highlander:	False

Contents

Active Directory Certificate

Keys ¶

Description ¶

Description

The description of the certificate request as shown in the certificate selector of other payloads such as VPN and Network

Type	Default	Required	Regex	iOS	macOS	Supervised
string	N/A	always	N/A	N/A	N/A	N/A

CertServer ¶

Certificate Server

Fully qualified host name of the Active Directory issuing CA.

Type	Default	Required	Regex	iOS	macOS	Supervised
string	N/A	always	N/A	N/A	N/A	N/A

CertTemplate ¶

Certificate Template

The name of the certificate template as it appears in the General tab of the template’s object in the Certificate Templates’ Microsoft Management Console snap-in component. Usually Machine or User

Type	Default	Required	Regex	iOS	macOS	Supervised
string	User	always	N/A	N/A	N/A	N/A

CertificateAuthority ¶

Certificate Authority

Name of the CA. This value is determined from the Common Name (CN) of the Active Directory entry: CN=(your CA name), CN=’Certification Authorities’, CN=’Public Key Services’, CN=’Services’, or CN=’Configuration’, (your base Domain Name).

Type	Default	Required	Regex	iOS	macOS	Supervised
string	N/A	always	N/A	N/A	N/A	N/A

CertificateAcquisitionMechanism ¶

Acquisition Mechanism

Most commonly RPC. If using Web enrollment, HTTP.

Type	Default	Required	Regex	iOS	macOS	Supervised
string	N/A	N/A	N/A	N/A	N/A	N/A

Valid Choices¶

RPC
HTTP

CertificateRenewalTimeInterval ¶

Certificate Expiration Notification Threshold

The number of days before the certificate expires at which to start showing the expiration notification

Type	Default	Required	Regex	iOS	macOS	Supervised
integer	14	always	N/A	N/A	N/A	N/A

Keysize ¶

RSA Key Size

The RSA key size for the Certificate Signing Request (CSR).

Type	Default	Required	Regex	iOS	macOS	Supervised
integer	2048	always	N/A	N/A	10.11	N/A

UserName ¶

User name

The user name with which to authenticate to the certificate server

Type	Default	Required	Regex	iOS	macOS	Supervised
string	N/A	N/A	N/A	N/A	N/A	N/A

Password ¶

Password

The password with which to authenticate to the certificate server

Type	Default	Required	Regex	iOS	macOS	Supervised
string	N/A	N/A	N/A	N/A	N/A	N/A

PromptForCredentials ¶

Prompt for credentials

Prompt the user for credentials. This setting is not supported for pushed profiles

Type	Default	Required	Regex	iOS	macOS	Supervised
boolean	False	N/A	N/A	N/A	N/A	N/A

Warning

PromptForCredentials seems to have no effect on manually installed profiles. They still ask for credentials.

AllowAllAppsAccess ¶

Allow access to all apps

Allow all apps to access the certificate in the keychain

Type	Default	Required	Regex	iOS	macOS	Supervised
boolean	False	N/A	N/A	N/A	N/A	N/A

EnableAutoRenewal ¶

Enable auto-renewal

Allows the certificate to attempt an auto-renewal from the server.

Type	Default	Required	Regex	iOS	macOS	Supervised
boolean	False	N/A	N/A	N/A	10.13.4	N/A

Links ¶

Troubleshooting ¶

Warning

As of approx 10.12.4 you can no longer select a transport. And you will not be able to install the payload if the client is not bound to a directory.

If you request a User certificate but the payload is in the System PayloadScope, the User certificate will be requested as the computer account. Normally the certificate policy will deny this, so check that you have the correct scope.

Uninstall Behaviour ¶

The certificate is not revoked upon uninstallation.
The certificate is not removed from keychain, but the private key IS removed. The private key is named after the issuing host.