Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Mac OS X/macOS Administration Guide

One Identity Privileged Access Suite for Unix Installation The Authentication Services Mac OS X components Configuring the Authentication Services client Special Mac OS X features Authentication Services limitations on Mac OS X Authentication Services Group Policy for Mac OS X Certificate Autoenrollment

Configuring Certificate Autoenrollment manually

Once Certificate Autoenrollment is installed, you must configure your machine to use it. If you are using One Identity Authentication Services with Group Policy, then skip the manual configuration described in this section as Group Policy performs these tasks automatically.

NOTE: Group Policy functionality is not available when used with the Apple Directory Services plug-in. When Group Policy is not available, you must manually configure certificate enrollment policy servers and schedule machine certificate enrollment to run on an interval if desired.

Related Topics

Configure a machine for Certificate Autoenrollment

Configure a user for Certificate Autoenrollment

Trigger machine-based Certificate Autoenrollment

Configure a machine for Certificate Autoenrollment

Use the vascert command line utility to configure your machine for Certificate Autoenrollment. Your computer must be joined to the Active Directory domain where your certificate enrollment policy server resides.

NOTE: Unless you are using Group Policy, machine processing must be triggered manually using the vascert trigger command. You can schedule this command to run at an interval.

To configure your machine for Certificate Autoenrollment

  • As root (or using sudo), run the following command to configure a machine for Certificate Autoenrollment:

    /opt/quest/bin/vascert server add -r <policy server URL>

    Where <policy server URL> is the actual http URL for your certificate enrollment policy server.

    For example: https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

    NOTE: You can configure more than one certificate enrollment policy server. Certificate Autoenrollment will choose the most appropriate server automatically when performing certificate enrollment.

Configure a user for Certificate Autoenrollment

Use the vascert command line utility to configure a user for Certificate Autoenrollment. The user must be an Active Directory user. Certificate Autoenrollment is not supported for local users. Your computer must be joined to the Active Directory domain where your certificate enrollment policy server resides.

NOTE: Certificate Autoenrollment will run automatically when users log in based on the /Library/LaunchAgents/com.quest.qcert.UserApply.plist file. You can change this behavior by modifying this file.

To configure a user for Certificate Autoenrollment

  • As root (or using sudo), run the following command to configure a user for Certificate Autoenrollment:

    /opt/quest/bin/vascert server add -u <username> -r <policy server URL>

    Substitute the actual http URL for your certificate enrollment policy server for example:

    https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

    NOTE: You can configure more than one certificate enrollment policy server. Certificate Autoenrollment will choose the most appropriate server automatically when performing certificate enrollment.

Trigger machine-based Certificate Autoenrollment

Normally Group Policy triggers Certificate Autoenrollment. If you are not using Group Policy, use the vascert command line utility to manually trigger Certificate Autoenrollment processing for the machine. This will result in certificates being added to the System.keychain according to enrollment policy. You can schedule this command to run periodically if desired.

To manually trigger Certificate Autoenrollment

  • As root (or using sudo), run the following command to manually trigger Certificate Autoenrollment:

    /opt/quest/bin/vascert trigger

Certificate Autoenrollment will proceed in the background. When complete, newly enrolled certificates will be installed in the System.keychain automatically. To troubleshoot Certificate Autoenrollment, run the vascert pulse command as root.

Related Documents