Hardware reference guide

GlobalProtect Administrator’s Guide 101
Set Up the GlobalProtect Mobile Security Manager Define Deployment Policies
Create Deployment Policies
After a device successfully enrolls and checks in, the Mobile Security Manager uses the username of the device
user and/or the reported HIP data to match a deployment policy.
Step 4 Specify attributes of the certificates to be generated.
1. Enter a Subject name for the certificates generated by the SCEP server. The subject must be a distinguished name in the <attribute>=<value> format and must include the common name (CN) key. There are two ways to specify the CN:
• (Recommended) Token-based CN—Enter one of the supported tokens—$USERNAME or $UDID—in place of the CN portion of the subject name. When the Mobile Security Manager pushes the SCEP settings to the device, the CN portion of the subject name will be replaced with the actual username or device UDID of the certificate owner. This method ensures that each certificate that the SCEP server generates is unique for the specific user or device. For example, O=acme,CN=$USERNAME.
• Static CN—The CN you specify will be used as the subject for all certificates issued by the SCEP server. For example, O=acme,CN=acmescep.
2. (Optional) Define any certificate extensions you want to include in the certificates:
• Subject Alternative Name Type—If you plan to supply a subject alternative name (SAN), specify the format of the SAN by selecting one of the following values: rfc822Name, dnsName, or uniformResourceIdentifier.
• Subject Alternative Name Value—The SAN value to include in the certificate, in the format specified above.
• NT Principal Name—A user object for the device that can be used to match the user certificate to an account.
3. Set the Key Size to match the key size defined in the certificate template on the SCEP server.
4. (Optional) If the mobile device will obtain its certificate over HTTP, enter the CA certificate Fingerprint (SHA1 or MD5) for the device to use to authenticate the SCEP server. The Fingerprint must match the Thumbprint value on the SCEP server.
Step 5 Save the SCEP profile.
1. Click OK to save the configuration settings you defined and close the iOS Configuration dialog.
2. Commit your changes.
Set Up a SCEP Configuration (Continued)
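
The Step 4 values can be checked before they are entered. The following Python sketch is an added example, not code from the guide or the product: it validates the subject format, flags a static CN, expands the $USERNAME/$UDID tokens, and compares a configured fingerprint with the hash of the CA certificate's DER bytes. All function names are hypothetical, the DN parser assumes no escaped commas in values, and the sample certificate bytes are a constructed stand-in.

```python
import hashlib
import hmac
import re

SAN_TYPES = {"rfc822Name", "dnsName", "uniformResourceIdentifier"}
TOKENS = {"$USERNAME", "$UDID"}
SAMPLE_CA_DER = b"constructed stand-in for a CA certificate's DER bytes"

def parse_subject(subject):
    """Split a simple <attribute>=<value> DN (assumes no escaped commas)."""
    pairs = []
    for part in subject.split(","):
        attr, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not attr or not value:
            raise ValueError(f"not <attribute>=<value>: {part!r}")
        pairs.append((attr.upper(), value))
    return pairs

def expand_subject(subject, username, udid):
    """Replace a token CN with the owner's username or device UDID."""
    out = []
    for attr, value in parse_subject(subject):
        if attr == "CN":
            value = {"$USERNAME": username, "$UDID": udid}.get(value, value)
        out.append(f"{attr}={value}")
    return ",".join(out)

def fingerprint_matches(configured, ca_der):
    """True if the SHA1 (40 hex) or MD5 (32 hex) fingerprint matches ca_der."""
    hexval = re.sub(r"[\s:]", "", configured).lower()
    alg = {40: "sha1", 32: "md5"}.get(len(hexval))
    if alg is None or not re.fullmatch(r"[0-9a-f]+", hexval):
        return False
    return hmac.compare_digest(hashlib.new(alg, ca_der).hexdigest(), hexval)

def lint_profile(subject, san_type=None, fingerprint=None, ca_der=b""):
    """Return a list of findings for the Step 4 settings (empty means clean)."""
    findings = []
    cns = [v for a, v in parse_subject(subject) if a == "CN"]
    if not cns:
        findings.append("subject has no CN")
    elif cns[0] not in TOKENS:
        findings.append("static CN: every issued certificate shares one subject")
    if san_type is not None and san_type not in SAN_TYPES:
        findings.append(f"unsupported SAN type: {san_type}")
    if fingerprint is not None and not fingerprint_matches(fingerprint, ca_der):
        findings.append("fingerprint does not match CA certificate")
    return findings
```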