Why would you not want every user to be able to request a certificate? Since certificates are just used as authentication and they don't grant any rights inherently I'm having trouble understanding the problem. If you don't want that user to have access to a resource that authenticates via the certificate then you would just not grant them rights to that resource.
I see your point, but I don't want to have the user certificate being spread across devices I do not manage. Therefore it would be good if this happens purely over the enrollment agent of the MDM. There I know that this cert will only be published on the device. I read somewhere that the certificate is not exportable to another device.
All the best
When the device connects to EMM you do manage it:)
What do you mean that "it would be good if this happens purely over the enrollment agent of the MDM"? Can you please explain how you are enrolling device certificates if not through the enrollment agent? Maybe something isn't working right.
And yes, to my knowledge there is no way to export a cert from the iPhone. I suppose there is likely a way to export from Android and there is most definitely a way to export from PC/Mac, so... it's really about educating the users to report a lost or stolen device ASAP and about having appropriate password requirements on all devices which match the security requirements of your business.
The point is that in the way it works at the moment I cannot configure my CA to limit the access just to the enrollment agent. I need to allow everyone. This gives users the possibility to also request certificates, for example over the web interface of the CA. In this case you can get the cert and import it to any device (also the ones which do not get managed).
For sure I could limit the access over firewall functionalities etc. Nevertheless we understood the function of the enrollment agent in a different way: that it requests the certs on behalf of the user. You also have the setting on the CA called "Restrict enrollment agents" to limit the access in the way we want it.
And I agree, educating the users to report lost and stolen devices is a key task.
You're saying that the enrollment agent doesn't request certs on behalf of the user?
We see that the "requester name" is always the respective user ID and not the one we specified for the enrollment agent. "Requester Common Name" is the variable we specify in the "Subject Template" on the MDM. The Requester Common Name variable will afterwards be the information which ends up in the "Issued to" field of the certificate.
So if the enrollment agent would take its account as "requester name" together with the defined "Requester Common Name" of the MDM, all of this should start working.
I don't have much experience with PKI, but I'm sure that you generally want each user to request an individual certificate. Otherwise everyone would have the same permissions and you would not be able to disable an individual user.
What you are describing sounds like it is working properly to me. The requester name being the individual user and the issued to being the agent.
The PKI agent is requesting the certificate for the user that is logged on to the mobile device. The PKI Agent is only proxying the request to the CA.
The certificate is bound to a user and is meant for user authentication.
Whenever the user is unable to request a certificate (as you suggested) it cannot have a certificate for authentication.
If a user knows the URL of the website, it can only request certificates for which the user has been granted permissions. Mostly, this is only a user certificate. AFAIK, a user has this permission by default. However, when the user is requesting the certificate and is clicking on the link to install the certificate, the certificate is installed into the user's certificate store immediately and it cannot export it...
So I don't see the security breach that you are seeing.
Finally we have been able to figure it out together with McAfee, who visited us.
We have been able to configure it now in the way we had defined it at the beginning, so that only the service user is able to request certificates for all EMM users. The pitfall was that we had configured the application policy within the issuance requirements on the PKI as "Any Purpose". You have to specify it as "Certificate Request Agent".
Would be a nice thing for the docs...
Nevertheless, thanks for all the responses!
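Added example (not part of the thread, and not McAfee's or Microsoft's own tooling): a PowerShell check for the two things the final post settled on, namely that the template's issuance requirement demands a "Certificate Request Agent" signature rather than "Any Purpose", and that every certificate issued from it was requested by the EMM service account. The template name, agent account and CA config string are assumed placeholders; it must run on a domain-joined machine with rights to read the CA database.

```powershell
# Placeholders (assumptions): adjust to your template, EMM service account and CA.
$TemplateName = 'EMM-UserAuth'
$AgentAccount = 'CONTOSO\svc-emm-agent'
$CAConfig     = 'ca01.contoso.local\Contoso-Issuing-CA'

$CraOid        = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$AnyPurposeOid = '2.5.29.37.0'              # Any Purpose (the pitfall from the thread)

# 1. Read the template's issuance requirements from the Configuration partition.
$root = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tpl  = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$root"

$sigCount   = [int]$tpl.Properties['msPKI-RA-Signature'].Value          # required authorized signatures
$raPolicies = @($tpl.Properties['msPKI-RA-Application-Policies'])         # application policy the signer must carry
$tplOid     = [string]$tpl.Properties['msPKI-Cert-Template-OID'].Value    # v2+ templates are recorded by OID

if ($sigCount -lt 1) {
    Write-Warning "$TemplateName needs no authorized signature: anyone with Enroll rights can request it directly."
} elseif ($raPolicies -contains $AnyPurposeOid) {
    Write-Warning "$TemplateName accepts an 'Any Purpose' signature; change it to 'Certificate Request Agent'."
} elseif ($raPolicies -contains $CraOid) {
    Write-Host "$TemplateName requires a Certificate Request Agent signature (OK)."
} else {
    Write-Warning "$TemplateName requires a signature with unexpected policies: $($raPolicies -join ', ')"
}

# 2. Audit the CA database: an issued cert on this template whose requester is not
#    the agent account was obtained outside the MDM enrollment path (e.g. the web UI).
$rows = certutil -config $CAConfig -view -restrict "CertificateTemplate=$tplOid" `
                 -out 'RequestID,RequesterName,CommonName'
$rows | Select-String -Pattern 'Requester Name: "(.+)"' | ForEach-Object {
    $requester = $_.Matches[0].Groups[1].Value
    if ($requester -ne $AgentAccount) {
        Write-Warning "Certificate on $TemplateName requested outside the agent path by $requester"
    }
}
```

Once the template is fixed, the second check is the ongoing control: run it periodically and treat any requester other than the agent account as a certificate to revoke and investigate.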