02-01-2016 06:08 AM
Users running Windows 10 (possibly 8.1 as well) run into issues when attempting to install the ArubaQuickConnect application as part of the OnBoarding process. Windows SmartScreen pops up a window: "Windows protected your PC". This is causing confusion and making it difficult for users to onboard. Some research shows I might need an EV signed cert? Has anyone else encountered this and worked through it? Thanks a bunch!
Philip Wightman, ACMP, ACCP
02-01-2016 06:15 AM
You can upload a code-signing certificate which will be used for the Windows exe and also the Mac/iOS .mobileconfig file.
You also need to be sure to allow access to Microsoft SmartScreen in the onboard enrollment role.
02-01-2016 06:28 AM
Thank you very much for the quick reply. I will look into creating and uploading a code-signing certificate.
For the SmartScreen URLs, I created a NetDestination with the following URLs and applied it on my Whitelist for the Captive Portal profile. I still seem to be getting blocked. Do you know a better list of domain names to block?
Thanks so much for the help!
02-01-2016 06:30 AM
Hm. AFAIK, urs.microsoft is the only one you should need. Best thing to do would be to fire up Wireshark, run QuickConnect and then filter the pcap down to DNS. There may be an additional entry these days.
02-03-2016 05:43 AM
So I have made it a little farther...
I created a Code Signing CSR, bought a Code Signing Cert with GoDaddy and applied the CSR. GoDaddy turned around the Certificate and I have it on hand.
I am now attempting to upload the Certificate and it is requiring that I attach the Key. Since I generated the CSR on CPPM, doesn't it already have the Key? If I need to attach it, where do I get it? I can't seem to find a way to export the Key from CPPM so I can attach it.
In hindsight, I probably should have done this with OpenSSL.
Thanks again for the help!
02-03-2016 12:20 PM
Where did you do a signing request in ClearPass? If you did it under certificates, it used an Onboard CA. You need to do the request outside of ClearPass. The DigiCert tool works well: https://www.digicert.com/util/
02-03-2016 12:27 PM
Ahhh... That would explain it. I wish that was clear in the CPPM documentation. Thanks for the tool. Looks a little easier to use than OpenSSL. Thanks, I will post back when configuration is complete.
Note - GoDaddy states they need up to 10 business days to process a Code Signing Cert. I was able to get them to push it through much quicker but I was not expecting this. They may not do it so quickly this time around.
02-04-2016 07:14 AM
I hate to be a pain and feel like a complete n00b but I want to make sure I do this right on the second go around. When I use DigiCert, it generates the CSR but I cannot seem to find the key. I see that in my Windows certificate store there is a new CERT that reflects the name I chose when creating the CSR. I could certainly export this but I am not confident this is just a Key and not sure if this will import correctly into CPPM. Can you walk me through this start to finish?
Here is what I think needs to be done:
1. Use DigiCert to create Code Signing CSR
2. Have Public CA (Such as GoDaddy) create a Code Signing Cert from this CSR
3. Using Windows Certificate Manager MMC Snap-in - Export the Certificate created by DigiCert
3a. The only option for export is a .pfx file
3b. Create a password when exporting
4. Download the Certificate from GoDaddy
5. In ClearPass OnBoard / Management and Control / - Upload Code Signing Certificate
5a. Upload the Certificate and Private Key
The New Code Signing Cert will now be available as a selection in the OnBoard Client settings found in the OnBoard Provisioning Settings configuration. Select it and save.
Now when clients with Windows 8.1 / 10 attempt to OnBoard machines, they will no longer receive a SmartScreen pop-up from Windows. (Assuming the whitelist has allowed the communication to Microsoft as discussed earlier in this thread).
Thanks so much for the help! I hope this will help other users out there running into the same issue that are not intimately familiar with Code Signing Certs!!
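The steps listed in the post above end with uploading a certificate and a private key that must belong together. The script below is an added example, not part of the thread and not Aruba, DigiCert or GoDaddy tooling: it checks that the key inside the exported .pfx matches the CA-issued certificate and that the certificate carries the Code Signing extended key usage. The function name, file names and the `PFX_PASS` variable are assumptions made for illustration, and the issued certificate is assumed to be PEM encoded.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Checks, before upload, that the private
# key inside the exported .pfx belongs to the certificate the CA issued and
# that the certificate carries the Code Signing extended key usage.
# Assumptions: openssl 1.1.1 or later is installed, the issued certificate is
# PEM encoded, and the PFX password is supplied in the PFX_PASS environment
# variable so it never shows up in the process list.

check_codesign_pair() {
    local pfx="$1" cert="$2" key_pub cert_pub

    # Derive the public key from the private key stored in the PFX. The key
    # is piped between the two openssl processes and is not written to disk.
    key_pub=$(openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || {
        echo "cannot read a private key from $pfx (wrong password or no key)" >&2
        return 2
    }

    # Public key embedded in the certificate returned by the CA.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse $cert as a PEM certificate" >&2
        return 2
    }

    if [ "$key_pub" != "$cert_pub" ]; then
        echo "MISMATCH: $cert was not issued for the key in $pfx" >&2
        return 1
    fi

    # Print only the EKU extension so a subject name that happens to contain
    # the words "Code Signing" cannot satisfy the check.
    if ! openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q "Code Signing"; then
        echo "certificate lacks the Code Signing extended key usage" >&2
        return 3
    fi

    echo "OK: key and certificate match, Code Signing EKU present"
}

# Run the check when called as: PFX_PASS=... ./script exported.pfx issued.pem
if [ "$#" -eq 2 ]; then
    check_codesign_pair "$@"
fi
```

Exit status 1 means the certificate was issued for a different key than the one in the .pfx, which is the situation that arises when the CSR was generated on one system and the key is exported from another.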