Security

User running Windows 10 (possily 8.1 as well) run into issues when attempting to install the ArubaQuickConnect application as part on the OnBoarding process. The Windows Smartscreen pops up a window "Windows protected your PC". This is causing confusion and making it difficult for users to onboard. Some research shows I might need an EV signed cert? Has anyone else encountered this and worked through it? Thanks a bunch!

Philip Wightman, ACMP, ACCP

You can upload a code-signing certificate which will be used for the Windows exe and also the Mac/iOS .mobileconfig file.

You also need to be sure to allow access to Microsoft SmartScreen in the onboard enrollment role.

Tim,

Thank you very much for the quick reply. I will look into creating and uploading a code-signing certificate. 

For the SmartScreen URL's, I created a NetDestination with the following URLs and applied it on my Whitelist for the Captive Portal profile. I still seem t be getting blocked. Do you know a better list of domain names to block?

Thanks so much for the help!

Hm. AFAIK, urs.microsoft is the only one you should need. Best thing to do would be fire up wireshark, run QuickConnect and then filter the pcap down to DNS. There may be an additional entry these days.

Thanks again. 

I had to add the following URL as well.

w.apprep.smartscreen.microsoft.com

I am digging into the Cert now. 

Phil

So I have made it a little farther...

I created a Code Signing CSR, bought a Code Signing Cert with GoDaddy and applied the CSR. GoDaddy turned around the Certificate and I have it on hand. 

I am now attempting to Upload the Certificate and it is requiring that I attach the Key. Since I generated the CSR on CPPM, doesnt it already have the Key? If I need to attach it, where do I get it? I cant seem to find a way to export the Key from CPPM so I can attach it. 

In hind-site, I probably should have done this with OpenSSL. 

Thanks again for the help!

Where did you do a signing request in ClearPass? If you did it under certificates, it used an Onboard CA. You need to do the request outside of ClearPass. The DigiCert tool works well: https://www.digicert.com/util/

Ahhh... That would explain it. I wish that was clear in the CPPM documentation. Thanks for the tool. Looks a little easier to use than OpenSSL. Thanks, I will post back when configuration is complete. 

Note - GoDaddy states they need up to 10 business days to process a Code Signing Cert. I was able to get them to push it through much quicker but I was not expecting this. They may not do it so quickly this time around. 

Phil

They'll usually revoke it once for free. Just tell them there was a private key issue.

I hate to be a pain and feel like a complete n00b but I want to make sure I do this right on the second go around.  When I use DigiCert, it generates the CSR but I cannot seem to find the key. I see that in my windows certificate store there is a new CERT that reflects the name I chose when creating the CSR. I could certianly export this but I am not confident this is just a Key and not sure if this will import correctly into CPPM. Can you walk me through this start to finish?

Here is what I think needs to be done:

1. Use DigiCert to create Code Signing CSR

2. Have Public CA (Such as GoDaddy) create a Code Signing Cert from this CSR

3. Using Windows Certificate Manager MMC Snap-in - Export the Certificate created by DigiCert

3a. The only option for export is a .pfx file

3b. Create a password when exporting

4. Download the Certificate from GoDaddy

5. In ClearPass OnBoard / Management and Control / - Upload Code Signing Certificate

5a. Upload the Certificate and Private Key

The New Code Signing Cert will now be available as a selection in the OnBoard Client settings found in the OnBoard Provisioing Settings configuration. Select it and save.

Now when clients with Windows 8.1 / 10 attempt to OnBoard machines, they will no longer receive a SmartScreen pop-up from Windows. (Assuming the whitelisy has allowed the communication to microsoft as discussed earlier in this thread). 

Thanks so much for the help! I hope this will help other users out there running into the same issue that are not intimately familiar with Code Signing Certs!!

Phil

1. Use DigiCert to create Code Signing CSR

2. Have Public CA (Such as GoDaddy) create a Code Signing Cert from this CSR

3. Using Windows Certificate Manager MMC Snap-in - Export the Certificate created by DigiCert

3. Import the signed certificate from public CA back into DigiCert utility

4. Export the certificate from the DigiCert utility as a PFX with password.

5. In ClearPass OnBoard / Management and Control / - Upload Code Signing Certificate

5a. Upload the PFX file and enter the password.

Awesome, thanks so much Tim! I will give this a shot and report back. 

The certificate process works as you stated. I was able to import the code signing cert and apply it to the Provisioing settings for Windows. It however does not correct the SmartScreen issue.

The Smartscreen does now correctly reflect that the publisher is applied but it is still being 'blocked'. 

Anything else you think I could try?

Again, thanks for your time Tim, I very much appreciate it. 

Update.. from my understanding, the Code Signing Cert will hold a reputation with Microsoft depending on who signed the cert. That reputation is what triggers (or not) the Smartscreen filter. I would expect that GoDaddy would have a good reputation with MS. Speaking with them, they say they have no control or influence on how MS handles the reputation or Smartscreen.  I could call MS but I cannot image I will get far. 

My next steps will be to open a TAC case with Aruba but technically this isnt an Aruba issue either. 

I would love to hear from others if they have gotten this to work. 

Tim, thanks again for all the help. Almost there!