02-01-2016 06:08 AM
Users running Windows 10 (possibly 8.1 as well) run into issues when attempting to install the ArubaQuickConnect application as part of the OnBoarding process. The Windows SmartScreen pops up a window "Windows protected your PC". This is causing confusion and making it difficult for users to onboard. Some research shows I might need an EV signed cert? Has anyone else encountered this and worked through it? Thanks a bunch!
Philip Wightman, ACMP, ACCP
02-01-2016 06:15 AM
You can upload a code-signing certificate which will be used for the Windows exe and also the Mac/iOS .mobileconfig file.
You also need to be sure to allow access to Microsoft SmartScreen in the onboard enrollment role.
02-01-2016 06:28 AM
Thank you very much for the quick reply. I will look into creating and uploading a code-signing certificate.
For the SmartScreen URLs, I created a NetDestination with the following URLs and applied it on my Whitelist for the Captive Portal profile. I still seem to be getting blocked. Do you know a better list of domain names to block?
Thanks so much for the help!
02-01-2016 06:30 AM
02-03-2016 05:43 AM
So I have made it a little farther...
I created a Code Signing CSR, bought a Code Signing Cert with GoDaddy and applied the CSR. GoDaddy turned around the Certificate and I have it on hand.
I am now attempting to Upload the Certificate and it is requiring that I attach the Key. Since I generated the CSR on CPPM, doesn't it already have the Key? If I need to attach it, where do I get it? I can't seem to find a way to export the Key from CPPM so I can attach it.
In hindsight, I probably should have done this with OpenSSL.
Thanks again for the help!
02-03-2016 12:20 PM
Where did you do a signing request in ClearPass? If you did it under certificates, it used an Onboard CA. You need to do the request outside of ClearPass. The DigiCert tool works well: https://www.digicert.com/util/
02-03-2016 12:27 PM
Ahhh... That would explain it. I wish that was clear in the CPPM documentation. Thanks for the tool. Looks a little easier to use than OpenSSL. Thanks, I will post back when configuration is complete.
Note - GoDaddy states they need up to 10 business days to process a Code Signing Cert. I was able to get them to push it through much quicker but I was not expecting this. They may not do it so quickly this time around.
02-03-2016 12:34 PM
02-04-2016 07:14 AM
I hate to be a pain and feel like a complete n00b but I want to make sure I do this right on the second go around. When I use DigiCert, it generates the CSR but I cannot seem to find the key. I see that in my Windows certificate store there is a new CERT that reflects the name I chose when creating the CSR. I could certainly export this but I am not confident this is just a Key and not sure if this will import correctly into CPPM. Can you walk me through this start to finish?
Here is what I think needs to be done:
1. Use DigiCert to create Code Signing CSR
2. Have Public CA (Such as GoDaddy) create a Code Signing Cert from this CSR
3. Using Windows Certificate Manager MMC Snap-in - Export the Certificate created by DigiCert
3a. The only option for export is a .pfx file
3b. Create a password when exporting
4. Download the Certificate from GoDaddy
5. In ClearPass OnBoard / Management and Control / - Upload Code Signing Certificate
5a. Upload the Certificate and Private Key
The New Code Signing Cert will now be available as a selection in the OnBoard Client settings found in the OnBoard Provisioning Settings configuration. Select it and save.
Now when clients with Windows 8.1 / 10 attempt to OnBoard machines, they will no longer receive a SmartScreen pop-up from Windows. (Assuming the whitelist has allowed the communication to Microsoft as discussed earlier in this thread).
Thanks so much for the help! I hope this will help other users out there running into the same issue that are not intimately familiar with Code Signing Certs!!
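The sticking point in this thread, a CSR created where the private key cannot be retrieved, is avoided by generating the key and CSR with OpenSSL and checking the issued certificate against that key before uploading both. This is an added example, not part of the original posts; the file names and subject are constructed, and a self-signed certificate stands in for the CA-issued one so the checks run offline.

```shell
#!/bin/sh
# Added example: generate the key and CSR yourself, then verify the issued
# code-signing certificate against that key. All names are constructed.

# Create a 2048-bit RSA key and CSR in directory $1 with subject CN $2.
make_key_and_csr() {
    ( umask 077   # private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/codesign.key" -out "$1/codesign.csr" \
          -subj "/CN=$2" 2>/dev/null )
}

# SHA-256 of the DER public key derived from a private key file.
key_pub_digest() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r
}

# SHA-256 of the DER public key embedded in a certificate.
cert_pub_digest() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r
}

# Succeeds only when certificate $2 was issued for private key $1.
key_matches_cert() {
    k=$(key_pub_digest "$1") && c=$(cert_pub_digest "$2") &&
        [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only when the certificate carries the Code Signing EKU.
has_code_signing_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "Code Signing"
}

# Stand-in for the public CA: self-sign the CSR with a codeSigning EKU.
issue_test_cert() {
    printf 'extendedKeyUsage = codeSigning\n' > "$1/ext.cnf"
    openssl x509 -req -in "$1/codesign.csr" -signkey "$1/codesign.key" \
        -days 1 -extfile "$1/ext.cnf" -out "$1/codesign.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_key_and_csr "$d" "Example Org" &&
        issue_test_cert "$d" &&
        key_matches_cert "$d/codesign.key" "$d/codesign.crt" &&
        has_code_signing_eku "$d/codesign.crt" && echo "key and cert match"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

With a real CA, skip `issue_test_cert` and run the two checks against the certificate the CA returns; a mismatch means the CSR was generated from a different key than the one on hand.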