Diffusion of iTechnology in Corporations (or: Certificates for iPhones)

[Jump to technical stuff]

Some clichés are true. One I have found confirmed often is about how technologies are adopted within organizations: one manager meets another manager at a conference / business meeting / CIO event. Manager X shows off the latest gadget and/or brags about, I mean, presents a case study of the successful implementation of Y.

Another manager becomes jealous, I mean, inspired, and after returning home he immediately calls upon his poor subordinates and has them implement Y – absolutely, positively, ASAP.

I suspect that this is the preferred diffusion mechanism for implementing SAP at any kind of organization or for the outsourcing hype (probably also the insourcing-again movement that followed it).

And I definitely know it works that way for iSomething such as iPhones and iPads, even if iSomething might not be the officially supported standard. But no matter how standardized IT and processes are – there is always something like VIP support. I vividly remember once being told that we (the IT guys) should not be so overly obliging when helping users – unless I (the top manager) need something.

So trying to help those managers is the root cause of having to solve a nice puzzle: iThings need access to the network and thus often need digital certificates. Don’t tell me that certificates might not be the perfect solution – I know that. But working in some sort of corporate setting you are often not in a position to bring up these deep philosophical questions again and again, so let’s focus on solving the puzzle:

[Technical stuff – I am trying a new format to serve different audiences here]

Certificates for Apple iPhone 802.1x / EAP-TLS WLAN Logon

The following is an environment you would encounter rather frequently: computer and user accounts are managed in Microsoft Active Directory – providing both the Kerberos authentication infrastructure and the LDAP directory. Access to the wireless LAN is handled by RADIUS authentication using Windows Network Protection Server, and client certificates are mandatory as per the RADIUS policies.

You could require 802.1x authentication to be done by user accounts and/or machine accounts (though it is a common misunderstanding that in this way you can enforce a logon by 1) the computer account and then 2) the user account at the same machine). I am now assuming that (only) computers are authenticated. Thus the iDevice needs to present itself as a computer to the logon servers.

Certificates contain lots of fields, and standards either don’t clearly enforce what should go into those fields and/or applications interpret the standards in weird ways. Thus the pragmatic approach is to tinker and test!

This is the certificate design that works for iPhones according to my experience:

  • We need a ‘shadow account’ in Active Directory whose properties will match fields in the certificate. Two LDAP attributes need to be set:
    1. dnsHostName: machine.domain.com
      This is going to be mapped onto the DNS name in the Subject Alternative Name of the certificate.
    2. servicePrincipalNames: HOST/machine.domain.com
      This makes the shadow account a happy member of the Kerberos realm.

    According to my tests, the creation of an additional name mapping – as recommended here – is not required. We are using Active Directory’s default mapping here – DNS machine names work just like users’ UPNs (User Principal Name – the logon name in user@domain syntax; see e.g. Figure 21 – Certificate Processing Logic – in this white paper for details).

  • Extensions and fields in the certificate
    1. Subject Alternative Name: machine.domain.com (mapped to the DNS name dnsHostName in AD)
    2. Subject CN: host/machine.domain.com. This is different from Windows computers – as far as I understood what’s going on from the RADIUS logging, the Apple 802.1x client sends the string just as it appears in the CN. Windows clients would add the prefix host/ automatically.
    3. If this is a Windows Enterprise PKI: copy the default template Workstation Authentication, and configure the Subject Name to be supplied in the request. It is not required (and it is dangerous) to configure the CA to accept custom SANs by enabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag – unless you insist on adding those SANs in the /certsrv web application. Keys need to be configured as exportable to carry them over to the iDevice.
  • Create the key, request and certificate on a dedicated enrollment machine. Note that this should be done in the context of the user rather than the local machine. Certificate and key can be transported to other machines as PKCS#12 (PFX files).
  • Import the key and certificate to the iPhone using the iPhone Configuration Manager – this tool allows exporting directly from the current user’s store. So if the user does not enroll for those certificates himself (which makes sense, as the enrollment procedure is somewhat special given the custom names), the PFX files would first be imported into the user’s store and then exported from there to the iPhone.
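The whole procedure above as one PowerShell script, added here as an example and not code from the original post. It assumes a shadow account named iphone01 in domain.com, that the copied Workstation Authentication template is published as iPhoneWorkstationAuth with the subject supplied in the request, that the enterprise CA is reachable as ca01.domain.com\Corp Issuing CA, and that it runs in the enrolling user's context on the enrollment machine.

```powershell
# Added example, not from the original post. Assumptions: shadow account
# "iphone01" in domain.com, copied Workstation Authentication template
# published as "iPhoneWorkstationAuth" (subject supplied in the request),
# CA reachable as "ca01.domain.com\Corp Issuing CA". Run as the enrolling
# user (not SYSTEM) so the key lands in the user's store, as the post advises.
$ShadowName = 'iphone01'
$Domain     = 'domain.com'
$Fqdn       = "$ShadowName.$Domain"
$Template   = 'iPhoneWorkstationAuth'
$CaConfig   = 'ca01.domain.com\Corp Issuing CA'
$WorkDir    = "$env:USERPROFILE\iphone-enroll"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Shadow computer account: dnsHostName must equal the SAN DNS name; the
#    HOST/ SPN makes the account a proper member of the Kerberos realm.
Import-Module ActiveDirectory
New-ADComputer -Name $ShadowName -SAMAccountName $ShadowName `
    -DNSHostName $Fqdn -ServicePrincipalNames "HOST/$Fqdn" -Enabled $true

# 2. certreq INF: the Subject CN carries the host/ prefix literally (the Apple
#    supplicant sends the CN as-is), the SAN carries the bare DNS name, and the
#    key is exportable so it can travel to the device as PKCS#12.
@"
[NewRequest]
Subject = "CN=host/$Fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$WorkDir\$ShadowName.inf" -Encoding ASCII

# 3. Create the request, submit it to the enterprise CA and install the issued
#    certificate into the current user's store.
certreq -new "$WorkDir\$ShadowName.inf" "$WorkDir\$ShadowName.req"
certreq -submit -config $CaConfig "$WorkDir\$ShadowName.req" "$WorkDir\$ShadowName.cer"
certreq -accept "$WorkDir\$ShadowName.cer"

# 4. Check the two strings the AD mapping compares, then export cert + key as
#    PFX for import via the iPhone configuration tool the post mentions.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=host/$Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($san -notmatch [regex]::Escape("DNS Name=$Fqdn")) { throw "unexpected SAN: $san" }
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$WorkDir\$ShadowName.pfx" -Password $pfxPwd | Out-Null
```

The SAN check in step 4 is the string comparison the post stresses: the DNS name in the certificate has to equal the shadow account's dnsHostName, nothing else is compared.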

The point I’d like to stress in relation to certificates is that logon against AD is based on matching strings – containing the DNS names – not on a binary comparison of a file presented by the client against a certificate file in the directory.

I have encountered that misconception often, as there is an attribute in AD – userCertificate – that is actually designed for holding users’ (or machines’) certificates. But this is more of an Alice-tries-to-get-Bob’s-public-key, phonebook-style attribute, and it is not intended to be used for authentication but rather for encryption – Outlook searches for S/MIME e-mail recipients’ public keys there. Disclaimer: I cannot vouch for any custom application that may exist.

Authentication is secure nonetheless, as the issuing CA’s certificate needs to be present in a special LDAP object, the so-called NTAuth object in Active Directory’s Configuration Container, and per default it can only be edited by Enterprise Admins – the ‘root admins’ of AD. In addition, the CA has to be explicitly configured to accept arbitrary SANs in requests.


Further reading – why this can be dangerous.

21 Comments

  1. Peter Mander says:

    So Elke, which did you choose – Samsung or iThing, or neither?

    1. elkement says:

      I haven’t made a choice for a long time: I do use a Samsung phone (as another commentator concluded from the meta-tags of the images anyway :-)) but it is a stone-age, Blackberry-style phone from 2010. It can sync E-mail using Microsoft’s ActiveSync protocol but this is the smartest thing it can do.

  2. The only iThing I own is an iPhone and I love it because I wanted a smartphone that is easy to use so that I can email and use the internet. It’s cool that you can have access to these types of things at your fingertips, but nowadays I feel like the phones are turning into mini computers. Some of these smartphones are huge. As long as my phone can still fit in my pocket I’m fine. If it doesn’t, the phone is no longer a phone (to me).

    1. elkement says:

      I am currently using what I call a stone-age Blackberry-style phone (actually the Windows equivalent of a Blackberry – it can sync e-mail but most of the apps. don’t run.)
      I was or still am considering to make a big leap and replace it by a “phablet”, a very large phone or phone/tablet cross-over. But as you said, it should probably not be that big – I think I’d miss one-handed operation.

  3. Now you’ve made me feel bad as I jumped ship from PC to a Mac almost a year ago. In your view … is a Mac equivalent to an iThing … I hope not. I don’t see myself as an iHumanoid. D

    1. elkement says:

      Enjoy your Mac, Dave :-) … or even an iPad / iPhone! It just was a great symbol to illustrate something more general!

  4. I had to chuckle at your introductory paragraphs to this post. So true, all of it. No manager, especially male, wants to feel like their devices are inadequate or second rate. The business case comes down to “I want it, that’s why”. I also like your comment about the helpdesk being helpful. We have the ridiculous proposition in our organisation that there is an executive help desk person, meaning that’s the person the executives go to to get IT help. You can’t ring this person, he can only ring you. To me this is plainly divisive and quite unnecessary as it sends the wrong message about the helpdesk generally being not up to executive standards. I suppose it may have something to do with executives’ perceived lack of technological skills, but really, in this day and age?

    1. elkement says:

      Thanks, Judy! I have generalized from anecdotal evidence but did not do serious research. What baffled me is that both ASAP implementations driven by “what the top manager wants” and executive helpdesk haven’t changed that much since I first encountered that (more than 15 years ago).

      Helpdesk / “ticket” systems can be quite obnoxious when you are a normal user (same as being a customer of some big telco, bank, airline etc.) – I know people who had to wait for months and exchanges of numerous messages and approvals in a kafkaesque system until they got access to a network as external consultants.

      I guess the VIP helpdesk thing comes up when helpdesk / IT managers really have to talk to their customers, in this case the executives, eye to eye.
      But to be fair – it is of course really difficult to run corporate IT, meeting quite tough goals in terms of costs (the so-called CIO still often reports to the CFO…) and provide a great end user experience.

  5. M. Hatzel says:

    I got the Samsung mega for a BYOD job requirement, but there was no access to the network at work with our mobile devices. So the BYOD also came with a BYO Network through which work emails arrived via personal accounts and privately paid for servers. It was difficult to have everything mixed together, so I opted out of the work data on the mobile device and suspended my availability to calls only. The batteries on these new smart phones can’t sustain the device for the day if there is too much incoming email, or even if the phone is used to hotspot for the laptop unless there is a power connection.

    And the entire VIP incentive thing sounds spot-on. My husband’s company changed from the old Blackberry devices to new iPhones this winter. Most employees rebelled against the new keypad, hating the change until the IT staff began introducing employees to the wonderful world of apps. Getting the latest hockey stats or other little personalized goodies tamed the disgruntled workforce and now they are largely compliant with the tech updates. :)

    1. elkement says:

      Thanks, Michelle, for sharing these stories! I have been on both sides of the negotiation table, so to speak – I can also relate to the architects of the security solution and “policy enforcers”. I think I learned a lot about diplomacy and psychology. It is difficult to communicate to users why their equipment needs to be standardized or needs to download corporate policies if all they “want” is actually working for a company in their spare time.

      It is good when there is an official BYOD policy – cases I have encountered were often not like that … but this is probably due to the fact that people ask me when there are issues with certificates. If there had been a solution managing these devices I’d never have tinkered with them.

      1. M. Hatzel says:

        Official BYOD policies arise because of income tax; to claim the expense of using one’s own device, the employer’s accountant must provide employees with a government form which states the equipment required to do the job. This provides the employees opportunity to claim the expenses and recover some of their pre-paid income tax deducted from their monthly pay cheques (so long as they have kept their bills and receipts for the devices and their services). It seems that money dictates most policies and how they are regulated, either through taxation or insurance. I wonder how IT security would change if insurance companies began to systematically underwrite businesses in a way that is normal operating procedure? Perhaps such policies are already in place in some companies?

        1. elkement says:

          Thanks – really interesting! Remotely similar to the way tax-related aspects of company cars impact the way they are used… e.g. how they are offered to employees as benefits.

          I figured that BYOD was often triggered by the lack of procedures to deal with more and more contingent staff. Those very large corporations are typically not flexible enough to give an external contractor access to the network for only a few days – even if their “security policy” might permit it, it takes too long to submit a “ticket”, collect approvals etc.

          1. M. Hatzel says:

            I do think contingent and contracted staff do drive the presence of BYOD, but I guess I’ve seen more small organizations with little HR or IT resources to invest in equipment, service contracts, or policy creation, so simply use the government processes already in place to request staff bring phones, computers, cars, etc. (I guess I haven’t been with a large organization for quite a few years, so tend to forget how slowly they work, or what pressures motivate policy within them.)

  6. This comes back around to the increasing usage/blurring of lines between work equipment and home equipment. That iPhone, for instance, can be company property – in which case the company, as owner, can completely control the environment. More likely, though, it’s personal property carrying heaven-knows-what into the corporate network: virus/malware, apps that report back and forth as well as bandwidth-hungry apps. Blackberries offer a way to segment out your personal and business life but just about everything else, and that includes iOS and Android, does not. In the end that leaves the IT people caught between, on the one hand, unrestricted usage with significant security threats but happy people in the short term (until their devices cause significant breaches or degrade general network performance) and, on the other hand, a complete lockdown with only company-owned assets allowed, good performance and generally disgruntled employees because they cannot handle any of their private business and, besides, the business practices are likely too restrictive for innovation anyway.
    Of course IT people try and walk that middle ground where they offer up enough access to be helpful but not too much that they compromise overall security and performance. And that’s where the fun starts, specifically that ongoing dance where we constantly seek that sweet spot.

    1. elkement says:

      Yes – BYOD / Bring Your Own Device – is a big trend. I don’t claim I have in-depth knowledge about many commercial products, but I think this has definitely been sort of a “disruption” in the past years that hardly any IT department could deny. BYOD solutions are offered by some major vendors, e.g. CISCO, and I feel the trend (or probably what vendors hope for) is one large solution that can accommodate very different devices through a layered approach – using various technologies to enforce policies at the client. BYOD solutions interface with mobile device management solutions that support all kinds of devices – I am not sure if Blackberry still has a competitive advantage here. Just picking a solution at random, Airwatch supports Android, Windows, iOS and Blackberry.

      From anecdotal experience I think the challenge is: You try to support device X. Device X is supported by a solution provided by the vendor of X that is fairly easy to deploy. Now you might have / want to support devices Y and Z. You (IT) now have the option to either maintain different management solutions provided by the respective vendors or go for one of the big overarching solutions that support X, Y, and Z.

      Anyway, I think “VIP support” will never go away :-)

      I have tacitly assumed in my post that those iDevices would finally be officially supported – yet the certificate rollout (or any sort of management) can still be painful unless you implement the full-blown server-side management solution that does “on principle” exist for most devices (“on principle” = requiring customization).

      1. Indeed. And like most complex problems the solutions are likely to remain equally complex for a while.

      2. Joseph Nebus says:

        One of the strong pieces of advice my brother gave me was to find out what kind of cell phone my boss has, and write a little app that does anything, anything, for that model phone. Unfortunately the boss goes through phones so fast (he leads a dynamic life) that it’s impossible to keep track of what he does have.

        1. elkement says:

          Great advice indeed!! But you could still sell your app to other executives and get rich, Joseph!

  7. Has it already been 7 years? I haven’t had an iThing either. It’s how I identify spoiled kids, hipsters and phoneys ;-)

    1. elkement says:

      ;-) But aren’t all touchscreen-based smartphones today so similar anyway? I am still using a stone age Blackberry-style Windows smartphone that can’t run most of the apps properly – I was mainly interested in syncing e-mails using Microsoft’s ActiveSync protocol and this phone was marketed as a no-nonsense business phone. I really like the keyboard, I admit, but it would be nice to have a browser that does support common websites and social networks now, so I will most likely move to something like a Samsung Galaxy soon.
      And I need to test the certificate stuff of course!

      1. Exactly. They’re so similar, but adding an i increases the price twofold. Want to spend € 800 on electronics? Buy a solid desktop computer, or upgrade the one you’ve got. Or get good surveillance tech.
