IBM MaaS360


Using Windows MDM policy with identity certificates to configure Exchange ActiveSync, Wi-Fi and VPN profiles for Windows 10 devices

By MAYURESH KULKARNI posted Wed February 26, 2020 11:18 AM

  

Enterprises are widely adopting identity certificate authentication as a secure and trusted access mechanism. It makes configuration of corporate email accounts, WiFi and VPN connections hands-free — i.e., without user intervention. IBM Security MaaS360 provides this capability on Windows 10 devices via “Windows MDM policy.” The tutorial below will guide you through the process.

Pre-requisites

1. MaaS360 Cloud Extender integration with the Certificate Integration module configured for your IBM Security MaaS360 account. Here the Portal Administrator needs to provide the corporate CA server details while creating certificate templates in the MaaS360 Cloud Extender application, which generates identity certificates for the organization's valid devices and users.




2. MaaS360 Cloud Extender application configuration:
Identity Certificate template configuration






Configuring Windows MDM policy for Exchange, WiFi and VPN configurations

1. Create a Windows MDM policy and enable the required profile configurations (Exchange ActiveSync, Wi-Fi, VPN) from the Device Settings section.

2. While configuring, choose the required Identity Certificate template from the dropdown along with the other required details (profile name, server details, etc.).

Exchange ActiveSync:



For Exchange ActiveSync, the SMIME Signing and Encryption configurations can be used as well, provided the certificate template configured on MaaS360 Cloud Extender has the SMIME Signing and Encryption usages checked along with Identity (client authentication).



Wi-Fi:



VPN:



3. Publish the policy and apply it to the intended devices/groups to push down the ID certificate along with the profile.



Verify ID certificate and profile on device

  • The identity certificate can be seen installed under the Local Computer > Personal > Certificates section (issued by the organization's CA server).



  • If an Exchange ActiveSync profile is pushed, it can be seen under ‘Settings > Accounts > Email and accounts’.



  • If a Wi-Fi profile is pushed, it can be seen under the ‘Settings > Network & Internet > Wi-Fi > Manage known networks’ section.


  • If a VPN profile is pushed, it can be seen under the ‘Settings > Network & Internet > VPN’ section.
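
The certificate check above can also be scripted. The following PowerShell is an added example, not part of the original post or of MaaS360: it lists the certificates in the Local Computer > Personal store and reports whether any of them is a usable identity certificate (issued by the expected CA, within its validity period, private key present, Client Authentication usage), and whether it also carries the Secure Email usage needed for S/MIME. The `$ExpectedIssuer` value is a placeholder you must replace with your corporate CA's name.

```powershell
# Added example: run in PowerShell on the enrolled Windows 10 device.
# $ExpectedIssuer is a placeholder; replace it with the subject name of your corporate CA.
$ExpectedIssuer = 'CN=<your-corporate-CA>'
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication (identity)
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # EKU: Secure Email (S/MIME signing/encryption)

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Read the EKU extension directly; a certificate without one yields no OIDs
    # and is treated here as not matching (strict check).
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
}

$now = Get-Date
# Cert:\LocalMachine\My is the "Local Computer > Personal > Certificates" store.
$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $ekus = Get-EkuOids -Cert $_
    [pscustomobject]@{
        Subject       = $_.Subject
        Issuer        = $_.Issuer
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        IssuerMatches = $_.Issuer.IndexOf($ExpectedIssuer, [StringComparison]::OrdinalIgnoreCase) -ge 0
        InValidity    = ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now)
        HasPrivateKey = $_.HasPrivateKey
        ClientAuth    = $ekus -contains $ClientAuthOid
        SMime         = $ekus -contains $SecureEmailOid
    }
}

# Usable for certificate authentication: right issuer, not expired, key present, client-auth EKU.
$usable = @($report | Where-Object {
    $_.IssuerMatches -and $_.InValidity -and $_.HasPrivateKey -and $_.ClientAuth
})

$report | Format-Table Subject, IssuerMatches, InValidity, HasPrivateKey, ClientAuth, SMime -AutoSize
if ($usable.Count -eq 0) {
    Write-Warning "No valid client-authentication certificate from '$ExpectedIssuer' in LocalMachine\My."
} else {
    $usable | ForEach-Object { "OK: $($_.Subject) expires $($_.NotAfter.ToString('u'))" }
}
```

A certificate that shows `ClientAuth` as true but `SMime` as false will authenticate the Exchange ActiveSync, Wi-Fi and VPN profiles but cannot back the SMIME Signing and Encryption settings.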



Completing profile configuration:

  • If an Exchange ActiveSync profile is pushed, the Mail app can be used on the device to sync the email account.
  • If a Wi-Fi profile is pushed, the connection to the pushed SSID can be made from the ‘Settings > Network & Internet > Wi-Fi > Show available networks’ section.
  • If a VPN profile is pushed, the respective client application needs to be installed on the device for the connection, depending on the associated VPN server. The F5/Junos/MaaS360 VPN applications can be installed from the Microsoft Store. The connection can be made using the Connect button under ‘Settings > Network & Internet > VPN’.



If you have followed the instructions up to this point, you should have succeeded in configuring Exchange ActiveSync, Wi-Fi and VPN profiles for Windows 10 devices via Windows MDM policy with identity certificates. If you have any questions or issues, please reach out to me or your IBM account representative.



