Issuing SCEP certificates to Teams Room on Android

8/29/2024

One of the key features customers have consistently asked for in Teams Room on Android devices is support for the Simple Certificate Enrollment Protocol (SCEP). This protocol simplifies certificate management, making it easier for devices to obtain and manage digital certificates. With PolyOS version 4.3, released in August 2024, Poly's range of Teams Room on Android devices, comprising the Studio X family of collaboration bars and the G series modular room codecs, supports SCEP for both the codec and the TC8/TC10 touch controllers. In this post, we'll dive into the configuration and usage of these SCEP features.
What is SCEP?
SCEP is a protocol used for managing digital certificates. It automates the process of certificate enrollment, renewal, and revocation, reducing the administrative burden and enhancing security. SCEP is particularly useful in environments with a large number of devices, as it streamlines the certificate management process. PolyOS, the operating system powering Poly's range of Teams Room on Android devices, has integrated SCEP to enhance security and simplify certificate management. Here are some of the key features:
  1. Automated Certificate Enrollment: SCEP automates the process of enrolling devices for digital certificates. This means that devices running PolyOS can automatically request and receive certificates from a SCEP server, reducing the need for manual intervention.
  2. SAN Generation: PolyOS can automatically generate the Subject Alternative Name (SAN) based on the configured hostname and domain. This feature is available for PolyOS versions 4.3 and 6.3, making it easier to manage certificates for devices with multiple hostnames.
  3. Network and Web Server Authentication: On voice devices, the certificates obtained through SCEP are used for network authentication. On video devices, these certificates are used for both network authentication and web server authentication, ensuring secure communication across different platforms.
  4. Broad SCEP Server Compatibility: PolyOS is compatible with a wide range of SCEP servers, including Microsoft NDES, Cisco ISE, OpenSCEP, and more. This flexibility allows organizations to choose the SCEP server that best fits their needs.
  5. Easy Configuration: Configuring SCEP in PolyOS is straightforward. Users can enable SCEP through the system web interface or provision it via Poly Lens, and specify the SCEP server URL and challenge password along with the necessary certificate attributes.

Things to Note
  • The TC8/10 touch controller syncs settings automatically from its paired Poly G7500 system or Poly Studio X video bar. Therefore, it is strongly recommended to configure or pair the touch controller in a staged network before moving to an 802.1x enabled network. Note that SCEP settings can't be configured via the touch controller, which displays SCEP and 802.1x settings as read-only; the touch controller syncs all SCEP and 802.1x settings from the paired codec.
  • Only HTTP SCEP server URLs are currently supported. The SCEP challenge password must be configured as a static password. Only a single set of credentials is shared between the Poly G7500 system or Poly Studio X video bar and the Poly touch controller.
  • A certificate with a 3072-bit key is stronger than one with a shorter 2048-bit key, giving better protection for sensitive information. The 3072-bit certificate identifies the device for network access such as 802.1x, Simple Certificate Enrollment Protocol (SCEP), and web proxy.
  • We can provision 3072-bit certificates for all devices via SCEP in Poly Lens. When the 2048-bit certificates expire, the SCEP server sends 3072-bit certificates.
  • The default Common Name (CN) attribute is the serial number of the device. Customize this setting in the system web interface or via provisioning. The Subject Alternative Name (SAN) must include the host name or Fully Qualified Domain Name (FQDN). The other name attribute is the email address.

For this deep dive we have set up Microsoft NDES on Windows Server 2022 Standard as the SCEP server. This server also functions as a Domain Controller and an Enterprise Root CA, but in production environments it is recommended that the Enterprise CA, Domain Controllers and NDES servers run on separate servers. Setup instructions for NDES are beyond the scope of this blog post but can be referenced here: https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip---how-to-configure-ndes-for-scep-certificate-deployments-in-intune/455125

For the configuration of our NDES Lab server, we have the following roles installed:
After installing the roles, we configured the NDES server with the default settings. To configure the SCEP challenge password as a static password, we need to modify the following registry setting:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword = 1
To confirm that the NDES SCEP service is running, we can navigate to the URL http://<NDESServerFQDN>/certsrv/mscep and the NDES information page should load.
We can now get the SCEP server URL and challenge password from the URL http://<NDESServerFQDN>/certsrv/mscep_admin/.
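The NDES-side steps above (static password registry value, restart, and endpoint check) as a PowerShell script. This is an added example, not from the original post; it runs on the NDES server as an administrator, `$NdesFqdn` is an assumed placeholder, and "SCEP" is the default name of the NDES application pool in IIS.

```powershell
# Added example, not from the original post: apply the static-password registry
# change and verify the NDES SCEP endpoint. Run on the NDES server as an
# administrator. $NdesFqdn is an assumed placeholder; 'SCEP' is the default NDES
# application pool name in IIS.
$NdesFqdn = 'ndes.lab.example'   # assumption: your NDES server FQDN

# 1. Static challenge password (the registry change from the post), DWORD = 1.
$mscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
Set-ItemProperty -Path $mscepKey -Name 'UseSinglePassword' -Value 1 -Type DWord
Get-ItemProperty -Path $mscepKey -Name 'UseSinglePassword' | Select-Object UseSinglePassword

# 2. NDES reads these values when its application pool starts, so recycle it
#    (an iisreset works as well).
Import-Module WebAdministration
Restart-WebAppPool -Name 'SCEP'

# 3. GetCACaps is a standard SCEP operation (RFC 8894). The URL must end in
#    mscep.dll, exactly as the device configuration in the post requires.
$web     = New-Object System.Net.WebClient
$scepUrl = "http://$NdesFqdn/certsrv/mscep/mscep.dll"
$caps    = $web.DownloadString("${scepUrl}?operation=GetCACaps&message=ca")
$capList = @($caps -split "`r?`n" | Where-Object { $_.Trim() })
"NDES capabilities: $($capList -join ', ')"
if ($capList -notcontains 'POSTPKIOperation') { Write-Warning 'POSTPKIOperation not advertised' }
if (-not ($capList -match '^SHA-(256|512)$')) { Write-Warning 'No SHA-2 hash advertised; check the CA' }

# 4. GetCACert returns the CA and RA certificates as a degenerate PKCS#7 blob;
#    decode it to list the chain the device will receive during enrollment.
Add-Type -AssemblyName System.Security
$der = $web.DownloadData("${scepUrl}?operation=GetCACert&message=ca")
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([byte[]]$der)
$cms.Certificates | ForEach-Object { "Chain cert: $($_.Subject) (valid until $($_.NotAfter))" }
```

The challenge password itself is still read from the mscep_admin page as the post describes; this script only confirms the endpoint the device will be pointed at is answering correctly.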
With this password, we can now proceed to enroll for a SCEP certificate. This can be done either via the system web interface or provisioned via Lens. For the system web interface, navigate to Security->Certificates, enable the "Enable SCEP" checkbox under the SCEP section, then click "View and Update" to input the SCEP parameters.
In the SCEP configuration page, we need to input the necessary parameters. The SCEP challenge password needs to be copied from the MSCEP_Admin webpage. Note that the SCEP Server URL needs to have mscep.dll appended, e.g. http://<serverFQDN>/certsrv/mscep/mscep.dll. Not all fields are necessary and we only need to fill in those marked as required.
When ready, click the "Save" button at the bottom of the page and the system will submit the request to our NDES server to enroll for a certificate. When successful, the web browser will log out and refresh; the newly acquired certificate is now used for the HTTPS connection and, because the browser does not trust our lab's enterprise CA, it will display a warning that the connection is not private. Simply ignore this and click to proceed to log in. We will now see the certificate shown along with the CA root certificate, and the SCEP Status states "SCEP Certificate is installed".
Similarly, we can see the certificates installed on the TC8 touch controller as well.
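To verify the enrollment result described above from an admin workstation rather than by eye, the following added example (not from the original post) pulls the certificate the device now serves on its HTTPS web interface and checks the properties the post calls out: issuer, key size, SAN and validity. `$DeviceHost` and `$ExpectedIssuerCn` are assumed placeholders for your device FQDN and enterprise CA name.

```powershell
# Added example, not from the original post: after enrollment, fetch the
# certificate the Poly device now serves on its HTTPS web interface and check
# the properties the post calls out. $DeviceHost and $ExpectedIssuerCn are
# assumed placeholders for your device FQDN and enterprise CA common name.
$DeviceHost       = 'studiox-room1.lab.example'
$ExpectedIssuerCn = 'lab-ROOT-CA'

function Get-RemoteTlsCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: we are inspecting it, not trusting it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally { $tcp.Close() }
}

$cert = Get-RemoteTlsCertificate -HostName $DeviceHost

# Key size: the post recommends 3072-bit keys over 2048-bit ones.
$rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

# SAN (OID 2.5.29.17) must carry the host name or FQDN.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }

$checks = [ordered]@{
    'Issued by expected CA'    = $cert.Issuer -match [regex]::Escape("CN=$ExpectedIssuerCn")
    'Key size >= 3072 bits'    = $keyBits -ge 3072
    'SAN contains device FQDN' = $san -match [regex]::Escape($DeviceHost)
    'Within validity period'   = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))
}
"Subject: $($cert.Subject)"; "Issuer:  $($cert.Issuer)"; "Key: $keyBits bits"; "SAN: $san"
$checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

If every check passes, the only remaining cause of the browser's "not private" warning is that the enterprise root CA is not in the workstation's trust store; importing it there removes the warning without weakening anything.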
As mentioned earlier, SCEP can also be provisioned in a similar manner via Lens. To do this, navigate to the Lens portal inventory page, select the device required, then go to Security->SCEP and enter the required parameters and click "Apply":
In conclusion, the integration of SCEP in PolyOS enhances security and simplifies certificate management for organizations. By automating the process of certificate enrollment and renewal, SCEP in PolyOS provides a robust and flexible solution for your certificate management needs.