Create a Certificate Template for Mac Auto-Enrollment
This step only needs to be completed if your Keyfactor Command license includes Mac auto-enrollment and you plan to use this feature. Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA).
A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. To create the certificate template that will be used for Mac auto-enrollment:
- On the CA that will issue the Mac auto-enrollment certificates, open the Certification Authority management tool. (A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.)
- In the Certification Authority management tool, drill down to locate the Certificate Templates folder. Right-click the Certificate Templates folder and choose Manage. This will open the Certificate Templates Console.
- In the Certificate Templates Console, right-click the User template and choose Duplicate Template.
- If prompted with a Duplicate Template dialog (some versions of Windows), choose Windows Server 2003 Enterprise and click OK.
- General Tab: In the Properties of New Template dialog on the General tab, enter Mac Auto-Enrollment (or an alternate name of your choosing) in the Template display name field. The Template name will be auto-populated based on the text you enter in the Template display name. Select a Validity period for the certificate that’s appropriate for your environment.
- Extensions Tab: If you plan to use the certificates to authenticate to enterprise systems, you will need to ensure that Client Authentication is set as the only application policy in the certificate. To do this, in the Extensions included in this template section of the Extensions tab, highlight Application Policies and click the Edit… button. In the Edit Application Policies Extensions dialog, remove the Encrypting File System and Secure Email policies and click OK.
- Security Tab: In the Properties of New Template dialog on the Security tab, add the Active Directory group of users who will be allowed to auto-enroll from Macs and grant this group Read, Enroll, and Autoenroll permissions on the template.
- Click OK to save the new template.
- Back in the Certification Authority management tool, right-click the Certificate Templates folder and choose New->Certificate Template to Issue. Select the Mac Auto-Enrollment template from the list presented and click OK.
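A read-only check of the finished template, added here as an example and not part of the Keyfactor documentation: it reads the template object from Active Directory, flags any application policy other than Client Authentication, and lists who holds Enroll or Autoenroll. It assumes the RSAT ActiveDirectory module is installed and that the display name Mac Auto-Enrollment from the General tab step was used.

```powershell
# Added example (not Keyfactor code): audit the Mac auto-enrollment template.
# Assumptions: RSAT ActiveDirectory module; display name as entered on the General tab.
Import-Module ActiveDirectory

$displayName   = 'Mac Auto-Enrollment'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication application policy

# Extended-right GUIDs that control enrollment on certificate templates.
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Templates live in the forest-wide Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase $base -Filter "displayName -eq '$displayName'" `
    -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Application-Policy', nTSecurityDescriptor
if (-not $tpl) { throw "Template '$displayName' not found under $base" }

# 1. Application policies: expect Client Authentication and nothing else
#    (Encrypting File System and Secure Email should have been removed).
$policies = @($tpl.pKIExtendedKeyUsage) + @($tpl.'msPKI-Certificate-Application-Policy') |
    Where-Object { $_ } | Sort-Object -Unique
$extra = $policies | Where-Object { $_ -ne $clientAuthOid }

if ($policies -notcontains $clientAuthOid) {
    Write-Warning 'Client Authentication is missing from the template.'
}
if ($extra) {
    Write-Warning "Unexpected application policies: $($extra -join ', ')"
}
if (($policies -contains $clientAuthOid) -and -not $extra) {
    Write-Output 'Application policies OK: Client Authentication only.'
}

# 2. Principals allowed to enroll or auto-enroll. Compare against the AD group
#    added on the Security tab; full-control ACEs are not listed here.
$tpl.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $rights.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object IdentityReference, @{ n = 'Right'; e = { $rights[$_.ObjectType.ToString()] } } |
    Sort-Object IdentityReference, Right
```

Any principal in the output beyond the intended Mac auto-enrollment group and the template's default administrative entries is worth reviewing before the template is published on the CA.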