How to get an identity certificate onto a remote user with Workplace client on iOS?

jimbojimbo

Vendor
Jul 2, 2002
1,082
US
Has anyone come up with a reasonable way to get an identity certificate onto a Workplace Client on iOS?

Note: the SBC is configured for Mutual TLS so the client cannot make a HTTPS connection until it has an identity certificate. Apparently Apple has them severely locked down. The workplace client is unable to get a certificate from the iOS device so SCEP or 46xxsettings.txt are required. Unfortunately DES doesn't support Workplace client.
 
That sounds awful.

I know Workplace tries to use its own sandbox for certs.

Maybe have the SBC let HTTPS through one way, but AADS ties into their SAML/2FA so they get started only with a valid corp login. Then you could push a generic p12 for "iPhones" to use for SIP/PPM.
 
Thanks Kyle, but that defeats the purpose: without MTLS it will let any device connect and download the certificate. The intention is to restrict the remote worker to corporate-provided devices only. I went to Avaya and they seem to have covered every aspect of this issue with Apple. The only way I can see this working is by forcing the certificate install on-net. Once the end device has a certificate, the SBC can perform proxy relay of any SCEP renewal.
 
What I meant was, if you push the cert as part of the user's dynamic config, then they need to authenticate, possibly with SAML 2FA, before getting that config with the p12.
 
They can't get to the Dynamic config because Mutual TLS is active on the external proxy so they cannot establish a connection without an identity certificate. A catch-22 for sure.
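The catch-22 described in the question and in this reply comes down to the server-side TLS setting: when the external proxy requires and verifies a client certificate, a client with no identity certificate cannot even fetch the configuration that would carry one. The following Go program, added here as an illustration and not code from the thread, the SBC or Avaya, builds a throwaway corporate CA, an "SBC" server certificate and a device identity certificate, starts a local listener that requires client certificates (`tls.RequireAndVerifyClientCert`), and shows that a device with no identity is rejected before any configuration is served, while a device holding a CA-issued identity receives it. Hostnames, common names and the one-line configuration payload are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Constructed stand-in for the dynamic configuration (e.g. a settings file) that
// the proxy would only hand out after a successful mutual-TLS handshake.
const dynamicConfig = "SET TRUSTCERTS corp-ca.pem\n"

// PKI holds the constructed corporate CA pool, proxy (server) identity and device identity.
type PKI struct {
	Pool   *x509.CertPool
	Server tls.Certificate
	Device tls.Certificate
}

func newTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue signs tmpl with parent/parentKey; with a nil parent the cert is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, der, err
}

// buildPKI creates a test CA, a server cert for the placeholder proxy name and a device identity.
func buildPKI() (*PKI, error) {
	caTmpl := newTemplate("Corp Test CA", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	ca, caKey, _, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	srvTmpl := newTemplate("sbc.example.test", 2) // placeholder proxy hostname
	srvTmpl.DNSNames = []string{"sbc.example.test"}
	srvTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	_, srvKey, srvDER, err := issue(srvTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	devTmpl := newTemplate("iphone-0001", 3) // placeholder device identity
	devTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	devTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	_, devKey, devDER, err := issue(devTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{
		Pool:   pool,
		Server: tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey},
		Device: tls.Certificate{Certificate: [][]byte{devDER}, PrivateKey: devKey},
	}, nil
}

// serverConfig is the mutual-TLS policy: every client must present a cert chaining to the corp CA.
func (p *PKI) serverConfig() *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{p.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    p.Pool,
		MinVersion:   tls.VersionTLS12,
	}
}

// clientConfig models a device with or without an installed identity certificate.
func (p *PKI) clientConfig(withIdentity bool) *tls.Config {
	cfg := &tls.Config{RootCAs: p.Pool, ServerName: "sbc.example.test", MinVersion: tls.VersionTLS12}
	if withIdentity {
		cfg.Certificates = []tls.Certificate{p.Device}
	}
	return cfg
}

// fetchConfig runs one handshake against a local listener and returns the served configuration.
// A rejected client sees a TLS alert (or nothing at all) instead of the payload.
func fetchConfig(srvCfg, cliCfg *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		defer raw.Close()
		conn := tls.Server(raw, srvCfg)
		if err := conn.Handshake(); err != nil {
			return // handshake failed: alert already sent, no config leaves the proxy
		}
		conn.Write([]byte(dynamicConfig))
		conn.Close()
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	data, err := io.ReadAll(conn)
	if err != nil {
		return "", err
	}
	if len(data) == 0 {
		return "", errors.New("proxy closed the connection without serving configuration")
	}
	return string(data), nil
}

func main() {
	pki, err := buildPKI()
	if err != nil {
		panic(err)
	}
	for _, withIdentity := range []bool{false, true} {
		cfg, err := fetchConfig(pki.serverConfig(), pki.clientConfig(withIdentity))
		fmt.Printf("identity cert present=%v config=%q err=%v\n", withIdentity, cfg, err)
	}
}
```

Run with `go run .`; the first attempt fails with a certificate-required alert and the second prints the configuration. Changing `ClientAuth` to `tls.VerifyClientCertIfGiven` is the one-way-HTTPS variant discussed above: the bare client then gets through, which is exactly the exposure the question is trying to avoid.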
 
Oh. Well, OK.

Do they host any other internal apps that require this?

If you're that uptight, I'd think you'd have an MDM solution that lets people onboard and provision their mobile devices to get their identity cert so every single app they access this way doesn't have this pain to deal with.

Is your problem that the devices DO have an identity cert and there's just no easy way to specify using it?
 
Kyle555 - Unfortunately Apple doesn't let identity certificates for applications get pushed via MDM.

The issue is the customer only wants corporate devices to be able to log in as SIP stations. This means device-specific and not user-account-specific. The only way this seems possible is by identity certificates. I think the only option is to load certificates on-net before the device is sent out. Once the certificate is on the device, the SBC can support the SCEP relay for renewal.
 
Interesting case.

I don't disagree with anything you're saying.

Once upon a time I poked the product people at Avaya about letting me use my identity certificate to login. I already need that for my company VPN - a 2 way TLS handshake and I present a cert issued to Kyle issued by Corp CA. I can enforce needing that certificate on Workplace to connect to things, but I cannot leverage the identity presented in that certificate to automate the login.

If your requirement is loose and doesn't specify HOW to accomplish that (and I'm sure your requirement is not that loose!) the SBC has a feature to LDAP lookup MAC addresses and only let ones on the list on through. Now, if I were snooping the wifi at Starbucks and knew you worked at the bank and sniffed your MAC and happened to know how to hit your SBC and and and and, well, then I suppose I could sneak a register through the SBC.

But all that being said, where would SCEP be configured on the device? If the Avaya app can't enroll for a cert in the first place, where would the renewal happen? Or are you saying that SCEP enrollment via Workplace settings works for what you're doing, it's just that you can't start off by needing to get through a mutual TLS handshake to get your cert?

Are these devices being used exclusively for Workplace or are there any other apps that need this kind of security that can guide you a bit?

Otherwise, yeah, identity certs typically do get set up offline. Maybe there's an MDM solution around that, but it sounds like your customer isn't compromising any security for any increased usability or simplicity.
