Windows 8.1 Device Identity Certificate

I am implementing Windows 8.1 MDM and seem to be stuck on the Certificate Enrollment web service step.
I am sending the response below, and the Windows client seems to proceed further by sending DM Initialization and responding to SyncML requests from the server.
I can also see the certificate using certmgr under Certificate->Personal->Certificates, where the certificate is marked as "Valid" and notes that the device has a private key that corresponds to the certificate.
The CA is a self-signed CA, and the CA certificate is placed under Root/System in the wap-provisioning response (see below).
However, I expected to see the client identity certificate be part of all SyncML requests coming from the client.
Should the client send the identity certificate with SyncML messages? If yes, what could be wrong in the way I set the certificate?
If no, what is the right way to get the device certificate?
<wap-provisioningdoc version="1.1">
<!-- This contains information about issued and trusted certificates. -->
<characteristic type="CertificateStore">
<!-- This contains trust certificates. -->
<characteristic type="Root">
<characteristic type="System">
<!--The thumbprint of the certificate to be added to the trusted root store -->
<characteristic type="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2">
<!-- Base64 encoding of the trust root certificate -->
<parm name="EncodedCertificate" value="{base64-encoded root certificate omitted}" />
</characteristic>
</characteristic>
</characteristic>
<!-- This contains intermediate certificates. -->
<!-- NOTE: WE DO NOT USE INTERMEDIATE CERTIFICATE
<characteristic type="CA">
<characteristic type="System">
<characteristic type="{thumbprint}">
<parm name="EncodedCertificate" value="{encoded intermediate cert inserted here}" />
</characteristic>
</characteristic>
</characteristic>
-->
<characteristic type="My" >
<characteristic type="User">
<!-- Client certificate thumbprint. -->
<characteristic type="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E">
<!-- Base64 encoding of the client certificate -->
<parm name="EncodedCertificate" value="{base64-encoded client certificate omitted}" />
<characteristic type="PrivateKeyContainer">
<parm name="KeySpec" value="2"/>
<parm name="ContainerName" value="ConfigMgrEnrollment"/>
<parm name="ProviderType" value="1"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<!-- Contains information about the management service and configuration
for the management agent -->
<characteristic type="APPLICATION">
<parm name="APPID" value="w7"/>
<!-- Management Service Name. -->
<parm name="PROVIDER-ID" value="TestMDM"/>
<parm name="NAME" value="TestMDM"/>
<!-- Link to an application that the management service may provide
eg a Windows Store application link.
The Enrollment Client may show this link in its UX.-->
<!--
<parm name="SSPHyperlink" value="http://go.microsoft.com/fwlink/?LinkId=255310" />
-->
<parm name="SSPHyperlink" value="https://192.168.1.121:8080" />
<!-- Management Service URL. -->
<parm name="ADDR" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
<parm name="ServerList" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
<parm name="ROLE" value="4294967295"/>
<!-- Discriminator to set whether the client should do Certificate Revocation List
checking. -->
<parm name="CRLCheck" value="0"/>
<parm name="CONNRETRYFREQ" value="6" />
<parm name="INITIALBACKOFFTIME" value="30000" />
<parm name="MAXBACKOFFTIME" value="120000" />
<parm name="BACKCOMPATRETRYDISABLED" />
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
<!-- Search criteria for client to find the client certificate using subject name of the
certificate -->
<!-- <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d%s&amp;Stores=My%5CUser" /> -->
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d864e6994-872e-438c-abc7-dbc67ffe2576&amp;Stores=MY%5CSystem%EF%80%80MY%5CUser" />
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<parm name="AAUTHSECRET" value="dummy"/>
<!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
<parm name="AAUTHDATA" value="bm9uY2UK"/>
<!-- <parm name="AAUTHDATA" value="nonce"/> -->
</characteristic>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="APPSRV"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<!-- <parm name="AAUTHNAME" value="dummy"/> -->
<parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
<parm name="AAUTHSECRET" value="dummy"/>
<parm name="AAUTHDATA" value="nonce"/>
</characteristic>
</characteristic>
<!-- Extra Information to seed the management agent's behavior . -->
<characteristic type="Registry">
<characteristic type="HKLM\Security\MachineEnrollment">
<parm name="RenewalPeriod" value="90" datatype="integer" />
</characteristic>
<characteristic type="HKLM\Security\MachineEnrollment\OmaDmRetry">
<!-- Number of retries if client fails to connect to the management service. -->
<parm name="NumRetries" value="8" datatype="integer" />
<!--Interval in minutes between retries. -->
<parm name="RetryInterval" value="15" datatype="integer" />
<parm name="AuxNumRetries" value="5" datatype="integer" />
<parm name="AuxRetryInterval" value="3" datatype="integer" />
<parm name="Aux2NumRetries" value="0" datatype="integer" />
<parm name="Aux2RetryInterval" value="480" datatype="integer" />
</characteristic>
</characteristic>
<!-- Extra Information about where to find device identity information. This is redundant
in that it is duplicative to what is here, but it is required in the current version of the
protocol. -->
<characteristic type="Registry">
<characteristic type="HKLM\Software\Windows\CurrentVersion\MDM\MachineEnrollment">
<parm name="DeviceName" value="" datatype="string" />
</characteristic>
</characteristic>
<characteristic type="Registry">
<characteristic type="HKLM\SOFTWARE\Windows\CurrentVersion\MDM\MachineEnrollment">
<!--Thumbprint of root certificate. -->
<parm name="SslServerRootCertHash" value="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2" datatype="string" />
<!-- Store for device certificate. -->
<parm name="SslClientCertStore" value="My%5CSystem" datatype="string" />
<!-- Common name of issued certificate. -->
<parm name="SslClientCertSubjectName" value="CN=864e6994-872e-438c-abc7-dbc67ffe2576" datatype="string" />
<!--Thumbprint of issued certificate. -->
<parm name="SslClientCertHash" value="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
</characteristic>
<nocharacteristic type="HKLM\Security\Provisioning\OMADM\Accounts" />
<characteristic type="HKLM\Security\Provisioning\OMADM\Accounts\037B1F0D3842015588E753CDE76EC724">
<parm name="SslClientCertReference" value="My;System;4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
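The document above ties the client identity certificate together in several places: the CertificateStore entry keyed by thumbprint, the SslClientCertStore / SslClientCertHash / SslClientCertSubjectName registry values, and SSLCLIENTCERTSEARCHCRITERIA, which tells the DM client which certificate to present for SSL client authentication. Those references are easy to get out of step with each other. The Python script below is an added example, not code from this thread or from Microsoft: it parses a reduced, constructed copy of the document (stand-in certificate bytes, not real certificates) and cross-checks that every characteristic type equals the SHA-1 thumbprint of the certificate it carries, that SslServerRootCertHash appears under Root\System, that SslClientCertHash sits in the store SslClientCertStore names, and that the search criteria's Subject matches SslClientCertSubjectName with at least one searched store holding the certificate. The function names are this example's own; decoding %EF%80%80 as the U+F000 store separator follows the encoded value in the document.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

def thumbprint(der: bytes) -> str:
    """Windows shows a certificate thumbprint as upper-case hex SHA-1 of its DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()

# Constructed stand-ins for the EncodedCertificate values (NOT real certificates);
# only their hashes matter to the checks below.
FAKE_ROOT_DER = b"constructed-root-ca-certificate-bytes"
FAKE_CLIENT_DER = b"constructed-client-identity-certificate-bytes"

# Reduced copy of the thread's wap-provisioningdoc layout, filled with the constructed values.
# As in the thread, the client cert goes to My\User while the registry entries refer to My\System.
SAMPLE_DOC = f"""<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root"><characteristic type="System"><characteristic type="{thumbprint(FAKE_ROOT_DER)}">
<parm name="EncodedCertificate" value="{base64.b64encode(FAKE_ROOT_DER).decode()}"/>
</characteristic></characteristic></characteristic>
<characteristic type="My"><characteristic type="User"><characteristic type="{thumbprint(FAKE_CLIENT_DER)}">
<parm name="EncodedCertificate" value="{base64.b64encode(FAKE_CLIENT_DER).decode()}"/>
</characteristic></characteristic></characteristic>
</characteristic>
<characteristic type="APPLICATION"><parm name="APPID" value="w7"/>
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d864e6994-872e-438c-abc7-dbc67ffe2576&amp;Stores=MY%5CSystem%EF%80%80MY%5CUser"/>
</characteristic>
<characteristic type="Registry"><characteristic type="HKLM\\SOFTWARE\\Windows\\CurrentVersion\\MDM\\MachineEnrollment">
<parm name="SslServerRootCertHash" value="{thumbprint(FAKE_ROOT_DER)}" datatype="string"/>
<parm name="SslClientCertStore" value="My%5CSystem" datatype="string"/>
<parm name="SslClientCertSubjectName" value="CN=864e6994-872e-438c-abc7-dbc67ffe2576" datatype="string"/>
<parm name="SslClientCertHash" value="{thumbprint(FAKE_CLIENT_DER)}" datatype="string"/>
</characteristic></characteristic>
</wap-provisioningdoc>"""

def parse_cert_stores(root):
    """Map (STORE, LOCATION) -> [(declared thumbprint, DER bytes)] from CertificateStore."""
    stores = {}
    cert_store = root.find("characteristic[@type='CertificateStore']")
    for store in ([] if cert_store is None else cert_store.findall("characteristic")):
        for location in store.findall("characteristic"):
            key = (store.get("type").upper(), location.get("type").upper())
            for entry in location.findall("characteristic"):
                parm = entry.find("parm[@name='EncodedCertificate']")
                if parm is not None:
                    der = base64.b64decode(parm.get("value"))
                    stores.setdefault(key, []).append((entry.get("type").upper(), der))
    return stores

def parse_search_criteria(value: str):
    """Decode SSLCLIENTCERTSEARCHCRITERIA ('Subject=...&Stores=...', percent-encoded);
    several stores are separated by U+F000, the %EF%80%80 seen in the thread's value."""
    fields = dict(part.split("=", 1) for part in value.split("&") if "=" in part)
    subject = unquote(fields.get("Subject", ""))
    stores = [s.upper() for s in unquote(fields.get("Stores", "")).split("\uf000") if s]
    return subject, stores

def registry_value(root, name: str) -> str:
    """Value of the first <parm name=...> found in the document, or '' if absent."""
    return next((p.get("value") for p in root.iter("parm") if p.get("name") == name), "")

def check_provisioning_doc(xml_text: str) -> list:
    """Return human-readable inconsistencies; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    stores = parse_cert_stores(root)
    findings = []

    def hashes_in(path):
        """Thumbprints written to the store given as 'STORE\\LOCATION' (case-insensitive)."""
        return {tp for tp, _ in stores.get(tuple(path.upper().split("\\", 1)), [])}

    # 1. Each characteristic type must equal the SHA-1 thumbprint of the DER it carries.
    for (store, loc), entries in stores.items():
        for declared, der in entries:
            if declared != thumbprint(der):
                findings.append(f"thumbprint mismatch in {store}\\{loc}: {declared} vs {thumbprint(der)}")
    # 2. SslServerRootCertHash must name a certificate written to Root\System.
    root_hash = registry_value(root, "SslServerRootCertHash").upper()
    if root_hash not in hashes_in("Root\\System"):
        findings.append(f"SslServerRootCertHash {root_hash} not found in Root\\System")
    # 3. SslClientCertHash must sit in the store SslClientCertStore points at.
    client_store = unquote(registry_value(root, "SslClientCertStore"))
    client_hash = registry_value(root, "SslClientCertHash").upper()
    if client_hash not in hashes_in(client_store):
        actual = [f"{s}\\{l}" for (s, l), e in stores.items() if any(tp == client_hash for tp, _ in e)]
        findings.append(f"SslClientCertStore is {client_store} but SslClientCertHash "
                        f"{client_hash} is only in {actual or 'no store'}")
    # 4. Search criteria: Subject must match, and a searched store must hold the cert.
    crit = root.find("characteristic[@type='APPLICATION']/parm[@name='SSLCLIENTCERTSEARCHCRITERIA']")
    if crit is not None:
        subject, searched = parse_search_criteria(crit.get("value"))
        if subject != registry_value(root, "SslClientCertSubjectName"):
            findings.append(f"search Subject {subject!r} differs from SslClientCertSubjectName")
        if not any(client_hash in hashes_in(s) for s in searched):
            findings.append(f"none of the searched stores {searched} holds SslClientCertHash")
    return findings
```

Calling check_provisioning_doc(SAMPLE_DOC) reports the one inconsistency the constructed copy carries over from the thread's layout (the certificate written to My\User while SslClientCertStore says My\System) and reports nothing once the two agree; the same checks apply unchanged to a document carrying real base64 values before it is handed to a device.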

Eric,
I do have the APPAUTH portion in the wap-provisioningdoc:
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<parm name="AAUTHSECRET" value="dummy"/>
<!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
<parm name="AAUTHDATA" value="bm9uY2UK"/>
<!-- <parm name="AAUTHDATA" value="nonce"/> -->
</characteristic>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="APPSRV"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<!-- <parm name="AAUTHNAME" value="dummy"/> -->
<parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
<parm name="AAUTHSECRET" value="dummy"/>
<parm name="AAUTHDATA" value="nonce"/>
</characteristic>
My Windows 8.1 (tablet, not a phone) does not send a SyncML DM Auth Request, i.e. it sends the session initialization, then I send a <get> command to which the client responds appropriately, but no <Cred> is sent.
I also do not see any connection attempts to the server name (https://192.168.1.121:8080/test).
Oleg

Similar Messages

  • Device Identity Certificate - what will happen when it expires?

    Hi everybody,
    when enrolling an iPad within the OS X Server device manager (..\mydevices), a payload is sent to the device; if inspected under General preferences / Remote Management / More details, it reveals itself as composed of
    1) Mobile Device Management - that's the endpoint of management - the osx server in short
    2) A Device Identity Certificate, expiration one year from the enrollment
    Basically my question is: what's going to happen after one year?
    Will the certificate be auto-renewed, or will the whole remote management profile have to be removed and the device re-enrolled from scratch?
    It may seem an easy question, but I haven't been able to find a definitive answer, and with 1.000 iPads already enrolled I'm starting to be a bit worried.
    Thank you for any help!

    It is now known that iWeb, and iDVD, has been discontinued by Apple. This is evidenced by the fact that new Macs are shipping with iLife 11 installed but without iWeb and iDVD.
    On June 30, 2012 MobileMe will be shutdown. However, iWeb will still continue to work but without the following:
    Features No Longer Available Once MobileMe is Discontinued:
    ◼ Password protection
    ◼ Blog and photo comments
    ◼ Blog search
    ◼ Hit counter
    ◼ MobileMe Gallery
    All of these features can be replaced with 3rd party options.
    I found that if I published my site to a folder on my hard drive and then uploaded with a 3rd party FTP client, subscriptions to slideshows and the RSS feed were broken. If I published directly from iWeb to the FTP server, those two features continued to work correctly.
    There's another problem and that's with iWeb's popup slideshows.  Once the MMe servers are no longer online the popup slideshow buttons will not display their images.
    However, Roddy McKay and I have figured out a way to modify existing sites with those slideshows and iWeb itself so that those images will display as expected once MobileMe servers are gone.  How to is described in this tutorial: #26 - How to Modify iWeb So Popup Slideshows Will Work After MobileMe is Discontinued.
    It now appears that the iLife suite of applications offered on disc is now a discontinued product and the remaining supported iApps will only be available thru the App Store from now on. However, the iLife 11 boxed version that is still available at the online Apple Store (Store button at the top of the page) and those still on the shelves of retailers will include iWeb and iDVD. Those two apps were listed in small, gray text on the iLife 11 box that I bought.
    Personally, if I didn't already have a copy I would purchase one to have it for reinstallation purposes if ever needed.
    This may be of some interest to you: Life After MobileMe.
    OT

  • The enrollment server did not provision a valid identity certificate

    I'm working on rolling my own MDM service, and I'm trying to combine the SCEP and MDM payloads as the MDM protocol document from Apple suggests. I created my own SCEP web service in C# .Net and I know that the device can get a valid certificate when I just send the SCEP payload. However when I also include an MDM payload that points to the SCEP payload's UUID via the IdentityCertificateUUID key, I get the following error, "The enrollment server did not provision a valid identity certificate." This configuration is the one that is sent after the user chooses to install the initial enrollment configuration (step 1 of phase 2 in this diagram).
    The device doesn't appear to even make an attempt at connecting to my server, and thanks to server-side logging I know that it never reaches my SCEP web service page. This seems to indicate that there's something wrong with the certificate I use to sign the payload. I've separately tried signing it with my SSL certificate (from a pre-trusted root authority), my customer MDM push certificate (chained from our vendor cert), and my self-signed root certificate authority certificate (created via makecert.exe) that the SCEP service uses to issue new certificates (i.e. device identity certificates).
    I've looked at the output from the iPCU (iPhone Configuration Utility) when I create a profile with both the MDM and SCEP payloads, and it isn't a valid profile (I've even tried copying it nearly wholesale). However when I install the profile via the iPCU the error doesn't come up and it begins the SCEP enrollment process without issue.
    A side note - using a preexisting MDM vendor is not an option here.
    Below is the profile I'm using:
    <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
            <dict>
              <key>PayloadContent</key>
              <array>
                <dict>
                  <key>PayloadContent</key>
                  <dict>
                    <key>Challenge</key>
                    <string>this is a challenge</string>
                    <key>Key Type</key>
                    <string>RSA</string>
                    <key>Key Usage</key>
                    <integer>5</integer>
                    <key>Keysize</key>
                    <integer>1024</integer>
                    <key>Name</key>
                    <string>mycompany</string>
                    <key>Retries</key>
                    <integer>3</integer>
                    <key>RetryDelay</key>
                    <integer>0</integer>
                    <key>Subject</key>
                    <array><array><array>
                      <string>CN</string>
                      <string>mycompany</string>
                    </array></array></array>
                    <key>URL</key>
                    <string>https://mysite.com/scep.aspx</string>
                  </dict>
                  <key>PayloadDescription</key>
                  <string>Configures SCEP</string>
                  <key>PayloadDisplayName</key>
                  <string>SCEP (mycompany)</string>
                  <key>PayloadIdentifier</key>
                  <string>com.mycompany.mdm.scep1</string>
                  <key>PayloadOrganization</key>
                  <string></string>
                  <key>PayloadType</key>
                  <string>com.apple.security.scep</string>
                  <key>PayloadUUID</key>
                  <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                </dict>
                <dict>
                  <key>AccessRights</key>
                  <integer>3</integer>
                  <key>CheckInURL</key>
                  <string>mysite.com/checkin.aspx</string>
                  <key>CheckOutWhenRemoved</key>
                  <false/>
                  <key>IdentityCertificateUUID</key>
                  <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                  <key>PayloadDescription</key>
                  <string>Configures MobileDeviceManagement.</string>
                  <key>PayloadIdentifier</key>
                  <string>com.mycompany.mdm.mdm2</string>
                  <key>PayloadOrganization</key>
                  <string></string>
                  <key>PayloadType</key>
                  <string>com.apple.mdm</string>
                  <key>PayloadUUID</key>
                  <string>ed0ae41d-1aa7-4721-9fe9-139c1072132c</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                  <key>ServerURL</key>
                  <string>https://mysite.com/checkin.aspx</string>
                  <key>SignMessage</key>
                  <false/>
                  <key>Topic</key>
                  <string>com.apple.mgmt.mypushsubject</string>
                  <key>UseDevelopmentAPNS</key>
                  <true/>
                </dict>
              </array>
              <key>PayloadDescription</key>
              <string>Profile description.</string>
              <key>PayloadDisplayName</key>
              <string>Test Profile</string>
              <key>PayloadIdentifier</key>
              <string>com.mycompany.mdm</string>
              <key>PayloadOrganization</key>
              <string>mycompany</string>
              <key>PayloadRemovalDisallowed</key>
              <false/>
              <key>PayloadType</key>
              <string>Configuration</string>
              <key>PayloadUUID</key>
              <string>13321058-4037-478c-9b1e-ef6f810065cb</string>
              <key>PayloadVersion</key>
              <integer>1</integer>
            </dict>
          </plist>

    I got in touch with Apple about this.
    Apparently you want to send the combined MDM & SCEP payload in step 2 of phase 3 of the diagram I linked in my question, which is the profile that's sent after OTA enrollment.  According to Apple you need two separate certificates (which means two SCEP enrollments) - one for OTA enrollment, and one for MDM enrollment.

  • How to globally set WiFi to use device management identity certificate for all users?

    I'm using Apple's Profile Management service in Mountain Lion, and discovered through serendipity that an enrolled device can authenticate via EAP-TLS to our WPA2-Enterprise Wifi using the Device Management Identity Certificate instead of an individually-generated-for-user x509 cert. This is extremely convenient, because then we can effectively revoke a device's cert by unenrolling the device.
    However, I haven't been able to figure out how to make WiFi always designate EAP-TLS and select the Device Management Identity Certificate globally (whether through /usr/bin/networksetup or through the Profile Manager).
    Does anybody have any pointers on how to do this? My goal is to have an OS X >= 10.7 machine at a network login prompt capable of logging into the machine, authenticated against the Open Directory server the machine is already bound to. At present a wireless user cannot do this, as the machine's Wifi preferences haven't yet been set to use the aforementioned device management cert.
    Thanks!

    Making customisations to the default profile is generally considered poor practice and quite often doesn't work out as planned. (If you're interested in some more information on this, see here: http://mockbox.net/windows-7/227-customise-windows-7-default-profile.html)
    This article should help you with developing and deploying your customised Firefox 4 installation (without touching the Windows 7 default user profile):
    http://mockbox.net/configmgr-sccm/174-install-and-configure-firefox-silently.html

  • How would I set up certificate-authenticated ActiveSync on a Windows Phone 8 device? Without Intune or SCCM?

    I've searched all over for this and can find no clues in the interface.
    We have certificate authentication to ActiveSync, via TMG, working well for iOS and Android devices: we issue the user a certificate, they use it to authenticate, boom, no problems.
    We're considering a move to issuing Windows Phone 8 devices as well, yet I see no way, or instructions on how, to actually set these things up to authenticate with a certificate. I see some rumblings about AirWatch and SCCM with Intune, but I don't want to pay for a subscription just to use this when it works fine without on other platforms.
    Can anyone shed any light?
    Many thanks,
    Jim

    Hi - we're authenticating with internally issued certificates against a TMG listener, not sure if that is or isn't mutual certification - I have installed the root on the devices so they are trusted, works great with iOS, Android etc.
    The main issue is there is no place in the setup where you can specify the certificate to use; I have a feeling they (like BlackBerry) are railroading you into using a paid-for MDM solution for cert auth. Be delighted if that isn't the case tho. It is easy enough to do this for WP8 with SCCM and Intune, but I'm not keen on taking out a subscription just for WP8 devices when we can do it gratis with iOS and Android.
    Thanks for the reply.
    Jim

  • Java.io.IOException: Invalid identity certificate signature

    Hi,
    My WebLogic 11g is running on a Windows Server 2008 64 bit server. I have obtained a certificate with private key for this Windows server. Now I would like to use this certificate and private key for my WebLogic server.
    What I have done:
    1. Exported server certificate using mmc.exe to my_domain.pfx
    2. Extracted my certificates and key with OpenSSL:
    openssl pkcs12 -in my_domain.pfx -out tempcertfile.crt -nodes
    3. Cut and pasted the section
    -----BEGIN RSA PRIVATE KEY-----
    (Block of Encrypted Text)
    -----END RSA PRIVATE KEY-----
    of the generated tempcertfile.crt to file my_domain.key
    4. Copied the second set of -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- from tempcertfile.crt to file TrustedRoot.crt
    5. Used keytool to create a new trust certificate keystore:
    keytool -import -trustcacerts -file TrustedRoot.crt -alias server -keystore new_trust_keystore.jks -storepass NEWPASSWORD
    where NEWPASSWORD is the new password of the keystore
    6. Used utils.ImportPrivateKey to create a new identity certificate keystore:
    java utils.ImportPrivateKey -keystore new_identity_keystore.jks -storepass NEWPASSWORD -storetype JKS -keypass NEWPASSWORD -alias server -certfile tempcertfile.crt -keyfile my_domain.key -keyfilepass PFXPASSWORD
    7. Configured WebLogic to use the new trust and identity certificate keystores
    When I try to start the WebLogic server it shuts down again with the following log:
    ####<22-03-2012 07:10:42 CET> <Critical> <WebLogicServer> <HID-1041559> <AdminServer> <main> <<WLS Kernel>> <> <> <1332396642889> <BEA-000362> <Server failed. Reason:
    There are 1 nested errors:
    java.io.IOException: Invalid identity certificate signature: [***]
         at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:64)
         at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:296)
         at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76)
         at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Caused by: weblogic.management.configuration.ConfigurationException: Invalid identity certificate signature: [***]
    Does anybody know what I'm doing wrong?
    Thanks in advance, Steffen

    The solution is that the certificates in tempcertfile.crt must be in the correct order. The order must be:
    Identity certificate
    Intermediate certificate
    Root certificate
    The identity certificate can be located easily in tempcertfile.crt since there must be a header that shows the identity information, such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in tempcertfile.crt.
    After I changed the order of the certificates it worked fine.
    Regards Steffen

  • Using iPCU, how to select an identity certificate

    When using iPCU, the option to select an identity certificate within the VPN configuration payload is greyed out (even though certificates have been defined in the Credentials section). Is there a different underlying requirement to be able to specify which certificate should be used for the VPN connection? (Windows 7 running iPCU version 3.6.2.300).
    Thanks.

    Umer, thanks for your response.
    It seems like other applications are locking the card/reader for a few seconds.
    For listening to card insertion, I am using terminals.waitForChange(); inside a while (true) loop.
    If I execute my code communicating with the card immediately after terminals.waitForChange(); returns, then my code fails (select applet still works but other card communication fails with ResponseAPDU: 2 bytes, SW=6d00).
    But if I add a sleep of 7 seconds or so before communicating with the card, then my code is able to communicate with the card.
        // Listener thread as posted, with the missing braces restored so it compiles.
        // factory (a TerminalFactory), selectApplet and printCardStatus belong to the
        // enclosing class and were not part of the post.
        static class EventWaitThread extends Thread {
            public void run() {
                while (true) {
                    CardTerminals terminals = factory.terminals();
                    try {
                        for (CardTerminal terminal : terminals.list(CardTerminals.State.CARD_INSERTION)) {
                            Card card = terminal.connect("*");
                            CardChannel channel = card.getBasicChannel();
                            selectApplet(channel);
                            printCardStatus(channel);
                        }
                        // Block until a reader or card state changes, then wait 7 s because
                        // another application holds the card for a few seconds after insertion.
                        terminals.waitForChange();
                        sleep(7000);
                    } catch (CardException e) {
                        e.printStackTrace();
                    } catch (InterruptedException e) {
                        return;
                    }
                }
            }
        }

  • Reference identity certificate in EAP-TLS setting

    How do I reference the identity certificate that was provisioned through SCEP in the final configuration profile sent to the device? The device signs the final request with the identity certificate, but it doesn't send the UUID so that we can insert it into the EAP-TLS Wi-Fi payload as "PayloadCertificateUUID". Appreciate any help/pointers on this matter.
    Thanks.

    Refresh your Cisco ISE trusted certificate.
    This issue can also arise if the Cisco ISE FQDN changes and/or the name of the certificate imported on the client machine has changed.
    The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine may be configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

  • Device Central Certificate

    Hi there - every time the Adobe Updater attempts to update the Device Central Certificate, I get the following error:
    Adobe Updater
    'c:\Program Files\Adobe\Adobe Device Central CS#\AMT\AUMProduct.cer failed to install'.
    Any suggestions?
    This is on WinXP - fully updated.
    Thanks!!

    Even when I change the permissions to all users > full control for the whole folder containing the file AUMProduct.cer, I still get the same error message: Installation of C:\Pro [...] \AUMProduct.cer has failed... I am working under Windows XP Pro 32-bit SP3 FR.
    I tried to delete all files from the temp folders and then apply the upgrade, without any success. Same thing after uninstalling and reinstalling Adobe; the update still finishes with an error.
    Any advice?

  • How to run an application on windows mobile 6 device ?

    Hi everybody,
    How can you run an application on a Windows Mobile 6 device with the new SDK 3.0?
    Can you launch a MIDlet like any other program? Or is running your MIDlet on Windows Mobile 6 only for testing while you are developing?
    When you have finished your MIDlet, can you copy the jar file to the Windows Mobile 6 device and run it anytime?
    Thank you.

    It's simply a matter of opinion, but I'm 3 months in, developing for WM5 + WM6, and the only usable solution I've found that has the correct look and feel on Windows Mobile as well as JSR support is IBM's J9.
    It's not free, but I searched high and low, and it's the only product that I was happy with.
    Here's a screenshot of it running my application on the WM6 emulator: http://3.bp.blogspot.com/_9hmP3Ho0t14/S7eDTXfkE9I/AAAAAAAAAa0/ISZ-HohZQDs/s1600/wm6.png
    Here's a quick article I wrote for it: http://fatbuttlarry.blogspot.com/search?updated-max=2010-02-16T11%3A34%3A00-08%3A00&max-results=7 Remember, it's NOT free. Pricing is very fair, but you'll have to license it to use and distribute it.
    -Tres

  • Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

    Hello,
    I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
    Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
    Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
    * Note: no backups to work with aside from what's mentioned below.
    The DC had a virus infection causing a lot of issues on the shared network drives 2 days ago, locking up all the files with a crypto ransom virus. Running Avast suppressed the infection. Had to recover the file shares, which luckily had a backup.
    The issue is that Exchange Server 2, post this, lost connectivity with the AD Server 1. Exchange Server 2, when launching EMC, could not launch the console, stating the following:
    "No Exchange servers are available in any Active Directory sites. You can't connect to remote PowerShell on a computer that only has the Management Tools role installed."
    Shortly after, I found that it is possible the EMC launcher was corrupt and needed to be reinstalled, following another blog post. I deleted the exchange management console.msc per instructions, only to discover I couldn't relaunch it because there was no way how. So I copied another msc file that happened to be on the DC Server 1 back to Exchange Server 2 and got it to launch again.
    Another post said that it might be an issue with the domain account for the computer, so I deleted it in the AD Server 1, only to find that rejoining it from Exchange Server 2 using Computer > Properties > Change Settings > Change is greyed out because it is using the Certificate Authority Service.
    I tried manually re-adding the computer in AD and modeling permissions after another server in group settings, but no go. After this I was unable to log in to Exchange Server 2 with domain accounts, only local admin, receiving the following alert:
    "The Trust Relationship between this workstation and primary domain failed."
    I tried running the PowerShell tools on Exchange Server 2 to rejoin and to reset passwords for domain accounts as noted in some other blogs, but no luck, as Server 2 could not make the connection with Server 1, or other errors it kept spitting out.
    During the investigation I also found the DNS settings were all altered on both Server 1 and Server 2, which I luckily was able to change back to the original because I inventoried them in the beginning when I started.
    I need help figuring out if I need to rejoin Exchange Server 2 manually by disabling the Certificate Authority Service (or removing the CA as listed here:
    https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
    ) and getting Exchange Server to launch again. (Mind you, I am relatively fresh to server managing.) Please help, e-mail has been down for a whole day now!
    Marty

    I recommend that you open a ticket with Microsoft Support before you break things more.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • SAP B1 on Windows Handheld Smart device

    Dear Experts,
    The following is my requirement...
    I have Windows-based smart devices (barcode scanner integrated); they run on Windows CE. I want to write an application which can be installed on these devices so that users can post transactions (Inventory Transfer, GR, GI).
    I have started a Windows Smart Device project in VS 2005, and I have added the SAP B1 DI API 8.8 as a reference. Now when I am trying to connect in the emulator, I am getting the error "Class is not Registered".
    This is my first smart device project. Please advise on how to proceed further.
    Thanks In advance,
    Vasu Natari.

    Hi Vasu
    Download B1WSSourceCode_1.1 - it has the source for B1WS and includes samples.
    The services default to localhost and in the sample, you have to change the app.config file to point them to your web server (if indeed it is not your localhost).
    In a smart device application, which has no app.config, set the Url property.
        ' Constructor of a wrapper around the B1WS StockTransferService proxy.
        Public Sub New()
            _Service = New StockTransferService
            ' No app.config on a smart device, so point the proxy at the B1WS
            ' web server explicitly (replace with your server's address).
            _Service.Url = "http://192.168.0.250/B1WS/Service.asmx"
            ' Every B1WS call carries a SOAP header with the login session ID
            ' and the name of the service being called.
            Dim msgHeader As MsgHeader = New MsgHeader()
            msgHeader.SessionID = GlbData.SessionID
            msgHeader.ServiceName = MsgHeaderServiceName.StockTransferService
            msgHeader.ServiceNameSpecified = True
            _Service.MsgHeaderValue = msgHeader
        End Sub
    That is the typical example of a service you will find in the samples - note the _Service.Url setting.
    Hope this helps.
    Regards

  • Availability of Windows 7 Beta Device Drivers for some Lenovo Thinkpads

    Good Day
    Lenovo will be posting 10 Windows 7 Beta device drivers* to its public Windows 7 beta webpage before the end of May. The drivers posted will be:
    1)  Lenovo System Interface Driver
    2)  ThinkVantage Active Protection System
    3)  UltraNav Driver with support for single and multi touchpad systems
    4)  UltraNav Utility
    5)  ThinkVantage Power Manager
    6)  ThinkVantage Power Management Driver
    7)  FingerPrint Driver
    8)  Hotkey Features
    9)  ThinkVantage Access Connections ver 5.40
    10) WWAN
    The drivers will be available at www.lenovo.com/windows7beta
    These drivers are STRICTLY beta and have NO public support. Please do not call the Lenovo HelpCenter seeking support, as they will not assist you.
    Feedback on driver issues via this thread is encouraged, and those concerns will be sent back to the individual device driver development teams.
    32-bit and 64-bit versions of some device drivers will be available.
    *Drivers are supported on RC Build 7100 and later. The drivers may work on earlier builds.
    Terry, Lenovo Win 7 Test
    Lenovo Enterprise System Experts

    <chuckle> we are all excited to try them
    Message Edited by Darksaber on 05-16-2009 10:28 AM
    x200 7454-CTO; 320GB HD; 4GB; Win 7 64bit - Now on RTM.
    - 2nd SSD with Win 7 Enterprise RTM
    T61p - RTM - Win 7 Enterprise
    S10 4231 for my wife - now on Win 7 Ultimate RTM

  • Windows 8.1 device MDM enrolment issue

    Windows 8.1 devices (laptop and tablet) don't show the option of entering the enrollment server address while enrolling through Network -> Workplace Settings.
    Windows Phone 8.1 doesn't have this issue.

    Did you try the Nokia Software Recovery Tool already?

  • [Windows] Captive runtime bundle package certificate signing doesn't work when icons are included

    Here is the bugbase ticket: Bug#3949990 - [Windows] Captive runtime bundle package certificate signing don't work when icons included
    Application signing doesn't work when you build a captive runtime bundle package that includes icons. It doesn't matter whether they are application icons or associated file type icons. It works fine when you build the application bundle without icons.
    It's a very critical issue, please fix it ASAP.
    Also, application signing doesn't work if you use the AIR SDK beta: Bug#3950022 - [Windows] Application signing don't work with AIR SDK beta
    I'd like to ask everyone affected by this issue to take a minute and vote for the following bugs.
    Thanks.

    I received feedback from our QA team this morning that they were able to reproduce the bugs, but they are requesting access to the .as code if possible. If you'd like to keep this private, please feel free to email it to me directly at [email protected]
