
Safeguard Authentication Services 4.2 - Mac OS X/macOS Administration Guide


Configure a user for Certificate Autoenrollment

Use the vascert command line utility to configure a user for Certificate Autoenrollment. The user must be an Active Directory user. Certificate Autoenrollment is not supported for local users. Your computer must be joined to the Active Directory domain where your certificate enrollment policy server resides.

NOTE: Certificate Autoenrollment will run automatically when users log in based on the /Library/LaunchAgents/com.quest.qcert.UserApply.plist file. You can change this behavior by modifying this file.

To configure a user for Certificate Autoenrollment

  • As root (or using sudo), run the following command to configure a user for Certificate Autoenrollment:

    /opt/quest/bin/vascert server add -u <username> -r <policy server URL>

    Substitute the https URL of your certificate enrollment policy (CEP) server. The example below is the Kerberos-authenticated CEP endpoint; use the https form so the enrollment policy the client fetches cannot be altered in transit:

    https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

    NOTE: You can configure more than one certificate enrollment policy server. Certificate Autoenrollment will choose the most appropriate server automatically when performing certificate enrollment.

Trigger machine-based Certificate Autoenrollment

Normally Group Policy triggers Certificate Autoenrollment. If you are not using Group Policy, use the vascert command line utility to manually trigger Certificate Autoenrollment processing for the machine. This will result in certificates being added to the System.keychain according to enrollment policy. You can schedule this command to run periodically if desired.

To manually trigger Certificate Autoenrollment

  • As root (or using sudo), run the following command to manually trigger Certificate Autoenrollment:

    /opt/quest/bin/vascert trigger

Certificate Autoenrollment will proceed in the background. When complete, newly enrolled certificates will be installed in the System.keychain automatically. To troubleshoot Certificate Autoenrollment, run the vascert pulse command as root.
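The two procedures above wrapped in one script. This is an added example, not One Identity's code or anything shipped with Authentication Services: it refuses a non-https policy server URL before storing it, registers the server for a user with the vascert server add syntax from this page, triggers machine enrollment, and then polls the System keychain until the expected certificate appears, because vascert trigger returns before enrollment has finished. The VASCERT and SYSTEM_KEYCHAIN overrides, the check_cep_url and wait_for_cert helpers, and the use of security find-certificate and openssl for verification are assumptions of this example, not described on the page.

```shell
#!/bin/sh
# Added example (not One Identity's code): wrap the vascert steps from this page
# so the policy server URL is checked before it is stored, then trigger machine
# enrollment and confirm the certificate reached the System keychain.
# Assumption: VASCERT/SYSTEM_KEYCHAIN overrides exist only so the script can be
# dry-run; vascert normally lives at /opt/quest/bin/vascert.

VASCERT="${VASCERT:-/opt/quest/bin/vascert}"
SYSTEM_KEYCHAIN="${SYSTEM_KEYCHAIN:-/Library/Keychains/System.keychain}"

# Accept only an https:// URL with a non-empty host. The CEP endpoint hands the
# client its enrollment policy; over plain http a network attacker could swap
# that policy, so refuse anything else before it is stored.
check_cep_url() {
    case "$1" in
        https://*) ;;
        *) echo "rejected: policy server URL must use https:// ($1)" >&2; return 1 ;;
    esac
    host=${1#https://}; host=${host%%/*}
    [ -n "$host" ] || { echo "rejected: no host in $1" >&2; return 1; }
    return 0
}

# Register a policy server for an AD user (page: vascert server add -u -r).
add_user_policy_server() {
    user=$1; url=$2
    check_cep_url "$url" || return 1
    "$VASCERT" server add -u "$user" -r "$url"
}

# Kick off machine enrollment (page: vascert trigger). It returns before the
# certificates land in the keychain, so poll for the result rather than assume it.
trigger_machine_enrollment() {
    "$VASCERT" trigger
}

# Wait up to $2 seconds (default 120) for a certificate with common name $1 to
# appear in the System keychain; print its subject and expiry when found.
wait_for_cert() {
    cn=$1; deadline=${2:-120}; waited=0
    while [ "$waited" -lt "$deadline" ]; do
        if security find-certificate -c "$cn" -p "$SYSTEM_KEYCHAIN" 2>/dev/null \
            | openssl x509 -noout -subject -enddate; then
            return 0
        fi
        sleep 5; waited=$((waited + 5))
    done
    echo "no certificate with CN '$cn' in $SYSTEM_KEYCHAIN after ${deadline}s; run 'sudo $VASCERT pulse'" >&2
    return 1
}

# Usage (run as root):
#   add_user_policy_server alice https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
#   trigger_machine_enrollment && wait_for_cert "$(hostname -s)" 120
```

The common name you wait for depends on the certificate template the enrollment policy assigns to the machine; if nothing appears within the deadline, vascert pulse as root is the next step the page gives.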

Troubleshooting Certificate Autoenrollment

To help you troubleshoot Certificate Autoenrollment, One Identity recommends the following resolutions for common errors and methods for finding and correcting configuration problems.

Enable full debug logging

You can enable full debug logging for all Certificate Autoenrollment components using the vascert command line utility.

When debug logging is enabled, the Group Policy extensions, the vascert tool, and the launchd agent write log files to /Library/Preferences/com.quest.X509Enrollment/log for machine enrollment and to ~/Library/Preferences/com.quest.X509Enrollment/log for user enrollment.

To enable debug logging

  1. As root, run the following command to configure debug logging for all users:

    /opt/quest/bin/vascert configure debug

  2. To configure debug logging for a specific user, log in as that user and run the same command.

    NOTE: Enabling debug logging causes the vascert command to write debug messages to a file in addition to stdout. Even after you enable debug logging, you must set the debug level using the -d command line option when running vascert commands manually.

  3. When you are finished debugging, run the following command as root to turn off debug logging for all users. One Identity recommends that you turn off debug logging to improve performance and conserve disk space.

    /opt/quest/bin/vascert unconfigure debug

  4. To turn off debug logging for a specific user, log in as that user and run the same command.
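The debug logging procedure above as a script that always cleans up after itself. This is an added example, not One Identity's code: it enables debug logging, runs one vascert subcommand with the -d option the page says is still required, prints the tail of the newest machine log, and then unconfigures debug logging even when the subcommand failed, since the page notes that leaving it on costs performance and disk space. The page names the -d option but not its levels or where it goes on the command line, so the DEBUG_LEVEL value and its placement before the subcommand are assumptions of this example, as are the VASCERT and MACHINE_LOG_DIR overrides and the newest_log helper.

```shell
#!/bin/sh
# Added example (not One Identity's code): run one vascert command with debug
# logging enabled, show where the log went, and always turn debug logging off
# again afterwards.
# Assumption: the -d level value and its position before the subcommand are
# placeholders; the page names the option but not its levels, so confirm them
# against vascert's own help before relying on this.

VASCERT="${VASCERT:-/opt/quest/bin/vascert}"
# Machine enrollment log directory from the page; user enrollment logs go under
# ~/Library/Preferences/com.quest.X509Enrollment/log instead.
MACHINE_LOG_DIR="${MACHINE_LOG_DIR:-/Library/Preferences/com.quest.X509Enrollment/log}"
DEBUG_LEVEL="${DEBUG_LEVEL:-5}"   # assumed value, not from the page

# Print the path of the most recently modified file in $1, or fail if none.
# (ls -t is adequate here: the log directory holds only vascert's own files.)
newest_log() {
    dir=$1
    [ -d "$dir" ] || { echo "no log directory $dir" >&2; return 1; }
    f=$(ls -t "$dir" 2>/dev/null | head -n 1)
    [ -n "$f" ] || { echo "no log files in $dir" >&2; return 1; }
    printf '%s/%s\n' "$dir" "$f"
}

# Enable debug logging, run the requested vascert subcommand with -d, show the
# newest machine log, then unconfigure debug logging whatever the outcome and
# return the subcommand's own exit status.
debug_run() {
    "$VASCERT" configure debug || return 1
    "$VASCERT" -d "$DEBUG_LEVEL" "$@"
    rc=$?
    "$VASCERT" unconfigure debug
    log=$(newest_log "$MACHINE_LOG_DIR") && echo "debug log: $log" && tail -n 20 "$log"
    return $rc
}

# Usage (as root):   debug_run trigger      or      debug_run pulse
```

Run it as the affected user, with MACHINE_LOG_DIR pointed at the user log directory, to capture user enrollment instead of machine enrollment.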