Configuring an Enterprise Certificate Authority

This module will walk through the configuration of a newly installed Enterprise Certificate Authority for use with AirWatch as well as how to integrate the Certificate Authority on your domain with AirWatch SaaS services using the VMware Enterprise Systems Connector.

1. Configure the Certificate Authority

The first step in this process is to prepare your Certificate Authority, create a template for use with AirWatch and assign security permissions to allow a service account to make requests to the CA. If you already have a PKI in your enterprise, AirWatch can seamlessly connect with your current infrastructure.

For this lab, the Certificate Authority has already been configured for you. To learn the configuration steps that integrate the Certificate Authority with AirWatch, you can either watch a demo video of the configuration or practice the steps hands-on against a local Certificate Authority.

  • To watch the demo video, click here.
  • To step through a hands-on example using a local Certificate Authority, click here.

1.1. Watch a Certificate Authority Configuration Demo

NOTE - The video contains no sound. Follow the subtitles for the details of each configuration step.

The embedded video shows the configuration applied to the Certificate Authority used in this lab to integrate it with AirWatch. After finishing the video, click here to continue.

1.2. Configure an Example Certificate Authority

In this section, you will utilize a local Certificate Authority provided to better learn how to configure the Certificate Authority to interact with AirWatch.

NOTE - The Certificate Authority that this lab uses to issue certificates has already been configured. You are only editing a local Certificate Authority, so nothing you change here affects certificate issuance for this lab.

1.3. Opening the Microsoft Certificate Authority Application

On the Main Console server, double-click the Certificate Authority shortcut on the desktop.

1.4. Getting the Certificate Authority Server Name

The first item that you will need when integrating AirWatch with ADCS is the name of the CA. The instance name is the topmost attribute on the configuration screen; in this case it is CONTROLCENTER-CA, since the server has already been configured as a Certificate Authority.

1.5. Navigate to the Properties of the CA

  1. Right-click on CONTROLCENTER-CA.
  2. Click on Properties.

1.6. Configure Security

  1. Click Security
  2. Click Add

1.7. Add the Imaservice account

  1. Type "imaservice" in the "Enter the object names to select" embedded window.
  2. Click the Check Names button to validate.
  3. If no errors appear, click the OK button to add the IMASERVICE user account.

1.8. Set the IMASERVICE Account Permissions

After adding the IMASERVICE user to the CONTROLCENTER-CA permissions, modify its permissions so that the account can request certificates and can issue and manage them.

  1. Click on the ima service ([email protected]) user in the Group or user names embedded window.
  2. In the Permissions for ima service box, ensure the Allow checkbox for Request Certificates is checked.
  3. Check the Allow checkbox for Issue and Manage Certificates.
  4. Click the OK button.

NOTE - Request Certificates is all the account needs in order to enroll. Issue and Manage Certificates makes the account a Certificate Manager on this CA, which is what lets AirWatch revoke certificates it issued; it is the more powerful of the two rights, so grant it only to this dedicated service account and only if you intend to use revocation.

1.9. Manage Certificate Templates

Now you will create a new certificate template for use with AirWatch. In order to do so, you need to open the Manage Certificate Templates menu.

  1. In the left pane, click on CONTROLCENTER-CA to select it.
  2. Right-click on the Certificate Templates folder to bring up the context menu.
  3. Select Manage. This will open a new MMC Snap-in window titled Certificate Templates Console.

1.10. Duplicate the Certificate Template

The Certificate Templates Console window displays.

  1. In Template Display Name column, scroll down and select the User template.
  2. Right-click on the User template.
  3. From the context menu, select Duplicate Template.

NOTE - This duplicate certificate template will be used by AirWatch. The template you choose depends on the function being configured in AirWatch. For example, for Wi-Fi, VPN, or Exchange ActiveSync (EAS) client authentication you would select the CEP Encryption template instead.

1.11. Define New Certificate Template Settings

The Duplicate Template dialog box displays.

  1. Click on the General tab.
  2. In the Template display name field, type the name of the template that will display to users. For this lab, type "Mobile User".
  3. The Template name field auto-fills with the same name as above, only without spaces. For this lab, leave it as "MobileUser".
  4. Un-check the Publish certificate in Active Directory checkbox.
  5. Click OK.

1.12. Open the Mobile User Template Properties

  1. Right-click on the new Mobile User template which was just created.
  2. Select Properties from the context menu. The Mobile User Properties window will appear.

1.13. Edit the Security of Mobile User Template

  1. Select the Security tab in the Mobile User Properties window.
  2. Click the Add... button below the embedded Group or user names window. The "Select Users, Computers, Service Accounts, or Groups" dialog box displays.

1.14. Add the account Imaservice

  1. Type the previously created user service account IMASERVICE in the "Enter the object names to select" embedded window.
  2. Click the Check Names button to verify the account was typed correctly. If typed correctly, you will see it change to ima service ([email protected]).
  3. Click the OK button on the Select Users, Computers, Service Accounts, or Groups dialog box.

1.15. Apply Read and Enroll permissions

  1. Back on the "Mobile User Properties" window, select the ima service ([email protected]) user account.
  2. In the Permissions for ima service embedded window, ensure the Allow checkbox for Read permissions is selected.
  3. In the Permissions for ima service embedded window, click the Allow checkbox for Enroll permissions to enable it.
  4. Click the Apply button. DO NOT click OK yet.

1.16. Configure Subject Name Properties

  1. Select the Subject Name tab in the Mobile User Properties window.
  2. Select the Supply in the request radio button.
  3. Click the OK button on the Certificate Templates warning prompt.
  4. Click the OK button on the Mobile User Properties window.

NOTE - With Supply in the request, the CA accepts whatever subject the requester puts in the certificate request; AirWatch relies on this to set CN={EnrollmentUser} per device. The warning in step 3 exists because a template with this setting, Client Authentication in its extended key usage (inherited from the User template) and broad Enroll rights would let any enroller obtain a certificate in any user's name. Keep Enroll on this template limited to the service account, and check the Security tab for Domain Users or other broad groups that may have carried over from the User template.

1.17. Close the Certificate Templates Console

Close the Certificate Templates Console by clicking the X in the top-right corner of the window.

1.18. Add new certificate template to issue

Switch back to the CERTSRV - Certificate Authority window.

  1. In the left pane, click the twisty to expand the CA.
  2. Right-click the Certificate Templates folder.
  3. Select New in the context menu which appears.
  4. Click Certificate Template to Issue, which appears to the right of New.

1.19. Enabling the Mobile User Certificate Template

  1. In the Enable Certificate Templates dialog box, select the Mobile User template you created earlier.
  2. Click the OK button.

1.20. Accept the Updating Template Prompt (IF NEEDED)

If you see a prompt for Updating Templates, click Yes to continue.
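The GUI steps in 1.3 through 1.20 can be scripted and, more usefully, checked. The PowerShell below is an added example and is not part of this lab or of VMware's or Microsoft's documentation. It assumes the lab's names (controlcenter.corp.local, CONTROLCENTER-CA, the imaservice account, the MobileUser template), the RSAT ActiveDirectory and ADCSAdministration modules on the machine it runs from, and that the Mobile User template has already been duplicated from User in the Certificate Templates Console, since Windows ships no cmdlet for duplicating a template. It grants the service account Read and Enroll on the template (1.13 to 1.15), lists every principal that holds Enroll and warns if a broad group is among them, which matters because step 1.16 lets the requester supply the subject, and publishes the template on the CA (1.18 to 1.20). The CA-level Request Certificates and Issue and Manage Certificates permissions (1.6 to 1.8) are not covered; set those in the CA Properties Security tab as shown above. The extended-right GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment identifiers from the AD schema.

```powershell
#Requires -Modules ActiveDirectory, ADCSAdministration
# Added example for the lab, not VMware's or Microsoft's code.
# The names below are the lab's and are assumptions; change them for your environment.
$CAHost       = 'controlcenter.corp.local'
$CAName       = 'CONTROLCENTER-CA'
$CAConfig     = "$CAHost\$CAName"      # "Server\CA" form used by certutil and certreq
$TemplateName = 'MobileUser'           # Template name (no spaces), not the display name
$ServiceUser  = 'imaservice'           # sAMAccountName of the AirWatch service account

# Well-known extended-right GUIDs on certificate template objects
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$AnyRight        = [Guid]::Empty                                   # ACE covers every extended right
$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'

# 1. The CA must answer by the name AirWatch will use (sections 1.4 and 2.4)
certutil -config $CAConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA $CAConfig did not answer a ping" }

# 2. Find the template object in the Configuration partition (CN = template name)
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -Identity $templateDN -Properties 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage'

# 3. Read + Enroll for the service account (steps 1.13 to 1.15)
$sid    = (Get-ADUser -Identity $ServiceUser).SID
$acl    = Get-Acl -Path "AD:\$templateDN"
$read   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
              $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
              [System.Security.AccessControl.AccessControlType]::Allow)
$enroll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
              $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
              [System.Security.AccessControl.AccessControlType]::Allow, $EnrollRight)
$acl.AddAccessRule($read)
$acl.AddAccessRule($enroll)
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# 4. Audit who can enroll. Step 1.16 set "Supply in the request", so whoever
#    holds Enroll picks the subject of a client-authentication certificate.
$suppliesSubject = (($template.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0)   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$clientAuth      = ($template.pKIExtendedKeyUsage -contains $ClientAuthEku)
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$enrollers = (Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
             $_.ObjectType -in @($EnrollRight, $AutoEnrollRight, $AnyRight)))
    } |
    Select-Object -ExpandProperty IdentityReference -Unique
$broad = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers')
$risky = $enrollers | Where-Object { $_.Value.Split('\')[-1] -in $broad }
"Principals with Enroll on ${TemplateName}: $($enrollers -join ', ')"
if ($suppliesSubject -and $clientAuth -and $risky) {
    Write-Warning ("$TemplateName lets the requester choose the subject and is valid for client " +
                   "authentication, yet Enroll is also granted to: $($risky -join ', '). " +
                   "Remove those entries so that only $ServiceUser can enroll.")
}

# 5. Publish the template on the CA (steps 1.18 to 1.20) and confirm it is listed
if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
    Add-CATemplate -Name $TemplateName -Force
}
certutil -config $CAConfig -CATemplates | Select-String -SimpleMatch $TemplateName
```

Run it from an account that can write the template object's DACL in the Configuration partition (Enterprise Admins by default) and that is a CA Administrator on CONTROLCENTER-CA, since Add-CATemplate needs that role. The audit in step 4 is the part worth keeping around after the lab: re-run it whenever a template with Supply in the request is edited.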

2. Add the Certificate Authority in AirWatch

Now that the Certificate Authority itself is configured, you will configure the Certificate Authority within AirWatch.

For AirWatch to retrieve a certificate from a Certificate Authority (CA), you must configure the AirWatch Console to communicate with the CA. There are two steps to this process:

  • Add the Certificate Authority
  • Add the Certificate Template

Return to the AirWatch Console in your browser tab.

2.1. Login to the AirWatch Console (IF NEEDED)

Authenticate to the AirWatch Administration Console

If your AirWatch Console login session has expired, enter your AirWatch Admin Account information and click the Login button.  Otherwise, skip this step and continue.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter "VMware1!" for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the AirWatch Hands On Labs server.

2.2. Configuring the CA in AirWatch

  1. Click Groups & Settings.
  2. Click All Settings.

2.3. Navigating to the CA Settings

  1. Click System.
  2. Expand Enterprise Integration.
  3. Click Certificate Authorities.
  4. Ensure the Certificate Authorities tab is selected.
  5. Click the + Add button.

2.4. Define the CA Settings in AirWatch

  1. Enter "CONTROLCENTER-CA" for the Name.
  2. Enter "Control Center Certificate Authority" for the Description.
  3. Select Microsoft ADCS for the Authority Type.
  4. Select ADCS for the Protocol.
  5. Enter "controlcenter.corp.local" for the Server Hostname.
  6. Enter "CONTROLCENTER-CA" for the Authority Name.

NOTE - Do NOT click Save yet!  There are additional CA settings that need to be configured in the next step.

2.5. Define the CA Authentication Settings

  1. Select Service Account for the Authentication.
  2. Enter "imaservice" for the Username.
  3. Enter "VMware1!" for the Password.
  4. Enter "VMware1!" for the Confirm Password.
  5. Select None for Additional Options.
  6. Click Test Connection and ensure the "Test is Successful!" prompt displays at the top of the menu.
  7. Click Save and Add Template.

2.6. Setup the Certificate Template

  1. Enter your VLP email address for the Name.
  2. Enter "Mobile User" for the Description.
  3. Select CONTROLCENTER-CA for the Certificate Authority.
  4. Enter "MobileUser" for the Issuing Template.
    NOTE - Enter "MobileUser" as one word without spaces!
  5. Enter "CN={EnrollmentUser}" for the Subject Name.
  6. Select 2048 for the Private Key Length.

NOTE - Do NOT click Save yet!  The next step includes additional settings.

2.7. Complete and Save the Certificate Template

  1. Enable Signing for the Private Key Type.
  2. Enable Encryption for the Private Key Type.
  3. Enable Automatic Certificate Renewal.
  4. Enter "5" for Auto Renewal Period (days).
  5. Enable the Enable Certificate Revocation option.
  6. Click Save.

2.8. Close the Certificate Authorities Settings Page

Click Close on the Certificate Authorities page.
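Test Connection in 2.5 is clicked before the template exists in 2.6, so a successful test shows only that the connector can reach the CA as the service account; it does not show that a certificate can be issued against the template. The PowerShell below is an added example, not part of this lab or of VMware's product, that performs one enrollment the way AirWatch will (subject supplied in the request, 2048-bit key usable for signing and encryption, MobileUser template) and then revokes the result, which exercises the Issue and Manage Certificates permission that the Enable Certificate Revocation option depends on. It assumes the lab's CA and template names, a constructed sample subject CN=jdoe standing in for CN={EnrollmentUser}, and that it runs as the service account (for example in a window opened with runas /user:<domain>\imaservice powershell, where <domain> is your NetBIOS domain) on a domain-joined host such as the Enterprise Systems Connector server.

```powershell
# Added example for the lab, not VMware's code. Run as the AirWatch service
# account on a domain-joined host; the names below are the lab's and are assumptions.
$CAConfig     = 'controlcenter.corp.local\CONTROLCENTER-CA'
$TemplateName = 'MobileUser'
$Subject      = 'CN=jdoe'          # constructed sample; stands in for CN={EnrollmentUser}
$work = Join-Path $env:TEMP 'mobileuser-test'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

# 1. A PKCS#10 request mirroring the template settings of 2.6/2.7: 2048-bit RSA,
#    key usable for signing and encryption (KeySpec 1, KeyUsage 0xA0 =
#    digitalSignature + keyEncipherment), subject supplied by the requester.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path $inf -Encoding ASCII

certreq -new -q $inf $req | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed; check the INF written above' }

# 2. Submit to the CA as the current (service) account. This needs Request
#    Certificates on the CA (1.8), Enroll on the template (1.15) and the
#    template published on the CA (1.19). AirWatch sends the same template attribute.
$out = certreq -submit -q -config $CAConfig -attrib "CertificateTemplate:$TemplateName" $req $cer 2>&1
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) { throw "Enrollment failed:`n$out" }

# 3. The CA must have kept the subject we supplied (template: Supply in the request)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
if ($cert.Subject -ne $Subject) { throw "CA issued for '$($cert.Subject)' instead of '$Subject'" }
"Issued serial $($cert.SerialNumber) to $($cert.Subject), valid until $($cert.NotAfter)"

# 4. Revoke the test certificate. This is the operation the Enable Certificate
#    Revocation option in 2.7 relies on, and it needs Issue and Manage
#    Certificates (1.8). Reason 4 = Superseded.
certutil -config $CAConfig -revoke $cert.SerialNumber 4 | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Revocation failed: does the account hold Issue and Manage Certificates?' }
"Revoked serial $($cert.SerialNumber)"
```

If step 2 fails with an access-denied disposition while Test Connection succeeded, look at the template's Security tab and at whether the template is published, not at the CA connection settings; if step 4 fails alone, the account has Request Certificates but not Issue and Manage Certificates.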

3. Conclusion and Wrap Up

This concludes the configuration of Microsoft Active Directory, Microsoft Certificate Authority, and AirWatch with the VMware Enterprise Systems Connector.

Proceed to the next chapter to define an AirWatch profile and configure your device for use with this enterprise certificate.