Even if you protect your corporate email, Wi-Fi, and VPN with strong passcodes and other restrictions, your infrastructure remains vulnerable to brute-force and dictionary attacks and to employee error. For greater security, you can implement digital certificates to protect corporate assets.

Prerequisites

To do this, you must first define a certificate authority. Then configure a Credentials payload alongside your Exchange Web Service, Wi-Fi, or VPN payload. Each of these payloads has settings for associating the certificate authority defined in the Credentials payload.

To push down certificates to devices, you must configure a Credentials or SCEP payload as part of the profiles you created for EAS, Wi-Fi, and VPN settings. Use the following instructions to create a credentials payload:

Procedure

  1. Navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).
  2. Configure the profile's General settings.
  3. Select either the Exchange Web Services, Wi-Fi, or VPN payload to configure. Configure the payload you selected.
  4. Select the Credentials (or SCEP) payload and Upload a certificate or select Defined Certificate Authority from the Credential Source drop-down menu.
    Note: Certificate Preference and Identity Preference options are available only if you have selected User Profile in Step 1.
    1. Select the Credential Source as Upload. Enter the Credential Name and Certificate.
      The Certificate Preference option is available only if you have selected Credential Source as Upload.
      Note: If you have multiple servers or email accounts that use the same certificate, you can create a Certificate Preference to define the URLs or email addresses that automatically use this certificate.

      A Certificate Preference specifies which certificate is automatically used when users access specified URLs, email addresses, or domains through Safari or other applications that use WebKit or native macOS URL APIs. When the profile is installed, the certificate and corresponding Certificate Preference are installed in the user's keychain. In a profile, you can add multiple Certificate Preference payloads as needed.

      The Certificate Preference payload is available for macOS 10.12 and later.

    2. Select Credential Source as Defined Certificate Authority and enter Certificate Authority and Certificate Template.
      The Identity Preference option is available only if you have selected Credential Source as Defined Certificate Authority.
      Note: If you use multiple client identity certificates, you can create an Identity Preference to define the URLs that must automatically use a given identity.

      An Identity Preference specifies which SSL client certificate is automatically used when users access specified URLs, email addresses, or domains through Safari or other applications that use WebKit or native macOS URL APIs. When the profile is installed, the certificate and corresponding Identity Preference are installed in the user's keychain. In a profile, you can add multiple Identity Preference payloads as needed.

      The Identity Preference payload is available for macOS 10.12 and later.

  5. Navigate back to the previous payload for Exchange Web Services, Wi-Fi, or VPN. Specify the Identity Certificate in the payload:
    1. Exchange Web Service – Select the Payload Certificate under Login Information.
    2. Wi-Fi – Select a compatible Security Type (WEP Enterprise, WPA/WPA2 Enterprise or Any (Enterprise)) and select the Identity Certificate under Authentication.
    3. VPN – Select a compatible Connection Type (for example, Cisco AnyConnect or F5 SSL) and select Certificate from the Machine/User Authentication drop-down menu. Then select the Identity Certificate.
  6. Return to the Credentials payload and choose the following allowances:
    1. Allow access to all applications – Select whether to allow or prevent applications from accessing the certificate in the Keychain. When this option is enabled, end users are not required to explicitly select 'allow access to all applications' and enter their credentials to grant access to the installed SCEP certificate.
    2. Allow export of private key from Keychain – Select whether to allow or prevent users from exporting the private key of the installed certificate.
  7. Select Save and Publish.
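As an added example (not part of this documentation or of the UEM product), the following Python builds a sample .mobileconfig equivalent to what the Credentials payload in Step 4 produces and checks the two properties the Certificate and Identity Preference notes above depend on: the profile must be a User profile, and every preference must reference a certificate payload that is actually in the same profile. Payload type strings are taken from Apple's configuration profile reference; all identifiers, URLs, email addresses, UUIDs and certificate bytes are constructed placeholders, and `dangling=True` deliberately breaks the certificate reference to show the failure case.

```python
import plistlib
import uuid

CERT_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}
IDENTITY_PREF = "com.apple.security.identificationpreference"
CERT_PREF = "com.apple.security.certificatepreference"
PREF_TYPES = {IDENTITY_PREF, CERT_PREF}


def build_profile(scope, names, dangling=False):
    """Construct a sample profile: one PKCS#12 identity plus one Identity Preference per name."""
    cert_uuid = str(uuid.uuid4())
    payloads = [{
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadIdentifier": "com.example.identity",  # placeholder
        "PayloadUUID": cert_uuid,
        "PayloadVersion": 1,
        "PayloadContent": b"<placeholder PKCS#12 bytes>",
    }]
    for i, name in enumerate(names):
        payloads.append({
            "PayloadType": IDENTITY_PREF,
            "PayloadIdentifier": f"com.example.idpref.{i}",
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadVersion": 1,
            "Name": name,  # URL, email address or domain the identity binds to
            "PayloadCertificateUUID": str(uuid.uuid4()) if dangling else cert_uuid,
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadScope": scope,  # "User" (User Profile) or "System" (Device Profile)
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def check_profile(mobileconfig):
    """Return a list of problems found in the preference payloads of a profile."""
    profile = plistlib.loads(mobileconfig)
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads if p["PayloadType"] in CERT_TYPES}
    problems = []
    for p in (q for q in payloads if q["PayloadType"] in PREF_TYPES):
        if profile.get("PayloadScope") != "User":
            problems.append(f"{p['Name']}: preference payloads require a User profile (user keychain)")
        if p.get("PayloadCertificateUUID") not in cert_uuids:
            problems.append(f"{p['Name']}: PayloadCertificateUUID matches no certificate payload")
    return problems
```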