How to distribute Active Directory user certificates with Workspace ONE UEM

This blog describes the step-by-step guide on how to distribute Active Directory user certificates via Workspace ONE Access. The steps involve integration between Active Directory Certificate Services (ADCS) with Workspace ONE UEM.

This article assumes you already have an Active Directory with Certificate Services configured. If you haven’t done this yet, please follow this article from the official Microsoft documentation.

Active Directory Certificate Services

Open the Certificate Authority console and write down the Authority Name. You will need this later for the Workspace ONE UEM configuration.

Right-click the Certificate Authority, and choose Properties. Give a service-account, which you will use later for the Workspace ONE UEM configuration, allow permission for Read and Enroll.

In our case, we are creating a User Certificate Template, which we will use for authenticating users with the Workspace ONE Access portal.

Right-Click Certificate Templates, choose Manage 

In the General tab, give the template a name and de-select Publish certificate in Active Directory, because we are going to publish this certificate via Workspace ONE UEM.

Click the tab Subject Name, and choose the option Supply in the request. We are going to configure these settings in Workspace ONE UEM.

In the tab Security, add the same service account you’ve added earlier in the Certificate Authority. Give the allow permission Read and Enroll.

The template is now correctly configured. Click Apply.

Next, we are required to issue the template. Right-click the Certificate Templates folder in the Certification Authority menu, choose New, Certificate Template to Issue.

Select the newly created template and click OK.

Workspace ONE UEM Admin Console

In the Workspace ONE UEM Admin Console, check if the Cloud Connector is enabled for Microsoft Certificate Services.

Go to the System menu, Enterprise Integration, Cloud Connector, Advanced tab.

Scroll down and enable Microsoft Certificate Services (if not done already)

Next, go to Settings, Enterprise Integration, Certificate Authorities. Add a new Certificate Authority.

Fill in a (friendly) name, the server hostname in FQDN and the Authority Name we have written down earlier.

Next, fill in the service account we have configured with read and enroll permission in ADCS and click TEST CONNECTION. 

If the test is successful, you will see this message on top:

Click the “Save” or “Save and Add Template” button.

If you have selected “Save”, go to the Certificate Template tab and click Add.

Fill in the following details: Name = (friendly) description of the Certificate Template

Certificate Authority = the ADCS server we added in the previous step

  • Issuing Template = certificatetemplate:
  • Subject Name = CN={EnrollmentUser} 
  • Note: CN=UserPrincipalName will also work
  • Private Key Length = 2048 (be sure to match the ADCS settings)
  • Private Key type: Enable the Signing and Encryption checkboxes
  • Disable the Include Security Identifier (SID) in certificate option
  • SAN Type
    • User Principal Name = {UserPrincipalName}
    • Email Address = {EmailAddress}
    • DNS Name = UDID={DeviceUid} 
    • Note: When device compliance check is configured with Kerberos authentication, if you did not configure the DeviceUid as the Subject Name lookup value, add a new SAN type to include the device unique identifier (UDID).
  • In our case, we left the rest of the settings on Default. Please verify these settings with your Security Officer.

Click SAVE. 

As a next step, we will push this certificate to the WS1 enrolled devices. In the WS1 UEM Admin Console, click Devices -> Profiles & Resources -> Profiles -> Add -> Add Profile

In our case, we are going to push this certificate to Windows 10 devices.

Select Windows 

Select Windows Desktop 

Since this is a user certificate, we are choosing User Profile

Give the new User Profile a name and deploy it to a Smart Group. Decide yourself if you want to configure the Assignment Type (Optional or Compliance) and if you want to Allow Removal for this user profile.

Next, click Credentials -> Configure

Configure the following settings:

  • Credential Source = Defined Certificate Authority
  • Select the newly created Certificate Authority and Certificate Template
  • Key Location = In our case this is software, but you can optionally also choose to store this in the TPM chip, if this is available.
  • Certificate Store = This is a user certificate so set this to Personal
  • S/MIME = S/MIME Signing Certificate

Click SAVE 

The next screen shows all devices from the Smart Group you’ve selected earlier. Verify if these are indeed the devices you want to push the user certificate to and click Publish

To verify if the certificate is correctly installed, click the Devices -> List View menu and select the device. In the tab Profiles I can see my user certificate is not yet installed. We can force this by selecting the Profile and click the Install button

After a few seconds/minutes, we see the status is now green, which means the certificate is installed!

We can also verify this in the Monitor -> Reports and Analytics -> Device Events menu.

And looking at our target desktop, we indeed see the certificate is installed!

This certificate can now be used to authenticate in Workspace ONE Access via the Cloud Certificate authentication policy! Please read my next blog on how to configure this!