03-26-2013 04:14 PM
Trying to figure out how to enable certificate based authentication for SCEP profiles. BDS install document only states that you can use this setting, but doesn't explain how. Do we have to buy something from a CA? I contacted a lot of CAs (SYMANTEC, ENTRUST, DIGICERT) and they all say they don't support BB10. Can anyone help shed some light on how to go about this?
03-27-2013 11:52 AM
03-27-2013 12:27 PM
I agree, I ran across this issue when my Active Directory pwd expired. Didn't know I had to manually change the Z10 Exchange ActiveSync pwd. When I spoke to BB support, they were unclear as to how to proceed. Users managing AD are going to have to consider these points. The Z10 is basically an additional workstation on their network now.
03-27-2013 12:59 PM
I've been trying to figure it out myself, including directly asking some RIM staff at their events, and everyone seems very unclear as to what actually needs to be done.
What questions are you trying to get answered?
03-28-2013 09:22 AM
03-28-2013 09:29 AM
I asked an Exchange colleague about this; they recommend we set up an Internal CA.
Check this out:
Certificate based authentication - The Exchange team blog
Requires some infrastructure-
03-28-2013 03:20 PM - edited 03-28-2013 09:41 PM
I had asked one of the senior enterprise product managers if they had any documentation or examples of how you might configure BES10 SCEP profiles with a Microsoft CA. I specifically gave examples of what we wanted to do in our environment and his response was "use SCEP" which is fine, however they weren't able to provide much clarity as to how you might actually get the two talking to each other.
My main complaint regarding the way they've handled this is that all they really say in their documents is "use SCEP" but they don't really provide any examples of how someone who is unfamiliar with the concept might get it up and running. As the OP indicates, they don't even really understand what SCEP is or how it might be implemented.
I've reviewed the Microsoft info on NDES, but it would be very helpful if RIM was able to provide more detail on SCEP, what it is for, how you can utilize it within BES10, and perhaps provide some example whitepapers regarding how you might implement this in an enterprise environment.
I get where you're coming from but I've never seen BlackBerry write a whitepaper for somebody else's product. Microsoft however has written a whitepaper for their version of SCEP (NDES).
Here's a basic dataflow of how SCEP is utilized in BDS:
When a user activates their device, the BDS server will push out the SCEP profile (minus the challenge key) to the device. The challenge key is left on the server because it doesn't expire and is reusable, so it doesn't get sent outside of your network. The device will read the profile and generate the CSR (certificate signing request). It then sends the CSR back to the BDS server where the challenge key is added to it. BDS then submits the CSR to the SCEP service URL and gets the certificate issued. The completed certificate is then sent out to the device from BDS.
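
The dataflow in the post above, modelled as an added example that is not part of the original thread and is not BlackBerry or Microsoft code. It is a simplified model with no real PKCS#10 or SCEP encoding: the class names, profile keys, URL and issuer name are constructed, and the "keys" are placeholders.

```python
import hashlib
import hmac
import secrets

class ScepService:
    """Stand-in for the CA's SCEP endpoint; issues only when the challenge matches."""
    def __init__(self, challenge):
        self._challenge = challenge

    def enroll(self, csr, challenge):
        if not challenge or not hmac.compare_digest(challenge, self._challenge):
            raise PermissionError("SCEP challenge missing or wrong")
        return {"subject": csr["subject"], "public_key": csr["public_key"],
                "issuer": "CN=Example Internal CA"}  # constructed issuer name

class Bds:
    """Holds the full SCEP profile; the challenge never leaves this object."""
    def __init__(self, scep, profile):
        self._scep, self._profile = scep, profile

    def profile_for_device(self):
        # Step 1: push the profile minus the reusable challenge key.
        return {k: v for k, v in self._profile.items() if k != "challenge"}

    def submit_csr(self, csr):
        # Steps 3-4: attach the challenge server-side, submit to the SCEP URL.
        return self._scep.enroll(csr, self._profile["challenge"])

class Device:
    def __init__(self, user):
        self.user = user
        self._private_key = secrets.token_bytes(32)  # placeholder key, stays on device
        self.received = []                            # everything the server sent us

    def build_csr(self, profile):
        # Step 2: read the profile and generate the CSR locally.
        self.received.append(profile)
        pub = hashlib.sha256(self._private_key).hexdigest()  # toy "public key"
        return {"subject": profile["subject_template"].format(user=self.user),
                "public_key": pub}

    def install(self, cert):
        self.received.append(cert)  # Step 5: certificate delivered by BDS

def run_enrollment(user="alice"):
    challenge = secrets.token_hex(16)
    scep = ScepService(challenge)
    bds = Bds(scep, {"scep_url": "https://ca.example.internal/scep",  # constructed
                     "subject_template": "CN={user}", "challenge": challenge})
    device = Device(user)
    csr = device.build_csr(bds.profile_for_device())
    device.install(bds.submit_csr(csr))
    return challenge, scep, csr, device
```

Nothing the device receives contains the challenge, and a CSR sent to the SCEP service without it is refused, so in this model enrollment only succeeds through BDS.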