One of the key features that customers have consistently asked for in Teams Room on Android devices is support for the Simple Certificate Enrollment Protocol (SCEP). This protocol simplifies certificate management, making it easier for devices to obtain and manage digital certificates. With PolyOS version 4.3, released this month (August 2024), Poly's range of Teams Room on Android devices, comprising the Studio X family of collaboration bars and the G series modular room codecs, supports SCEP for both the codec and the TC8/10 touch controllers. In this post, we'll dive into the configuration and usage of these SCEP features.
SCEP is a protocol used for managing digital certificates. It automates the process of certificate enrollment, renewal, and revocation, reducing the administrative burden and enhancing security. SCEP is particularly useful in environments with a large number of devices, as it streamlines the certificate management process. PolyOS, the operating system powering Poly's range of Teams Room on Android devices, has integrated SCEP to enhance security and simplify certificate management. Here are some of the key features:
- Automated Certificate Enrollment: SCEP automates the process of enrolling devices for digital certificates. This means that devices running PolyOS can automatically request and receive certificates from a SCEP server, reducing the need for manual intervention.
- SAN Generation: PolyOS can automatically generate the Subject Alternative Name (SAN) based on the configured hostname and domain. This feature is available for PolyOS versions 4.3 and 6.3, making it easier to manage certificates for devices with multiple hostnames.
- Network and Web Server Authentication: On voice devices, the certificates obtained through SCEP are used for network authentication. On video devices, these certificates are used for both network authentication and web server authentication, ensuring secure communication across different platforms.
- Broad SCEP Server Compatibility: PolyOS is compatible with a wide range of SCEP servers, including Microsoft NDES, Cisco ISE, OpenSCEP, and more. This flexibility allows organizations to choose the SCEP server that best fits their needs.
- Easy Configuration: Configuring SCEP in PolyOS is straightforward. SCEP can be enabled through the system web interface or provisioned via Poly Lens, specifying the SCEP server URL and challenge password along with the necessary certificate attributes.
Things to Note
- The TC8/10 touch controller syncs settings automatically from its paired Poly G7500 system or Poly Studio X video bar. Therefore, it is strongly recommended to configure or pair the touch controller in a staged network before moving to an 802.1x enabled network. Note that SCEP settings can't be configured via the touch controller, which displays SCEP and 802.1x settings as read-only; the touch controller syncs all SCEP and 802.1x settings from the paired codec.
- Only HTTP SCEP server URLs are currently supported. The SCEP challenge password must be configured as a static password. Only a single set of credentials is shared between the Poly G7500 system or Poly Studio X video bar and the Poly touch controller.
- A certificate with a 3072-bit key is more secure than one with a shorter 2048-bit key, providing better protection for sensitive information. The 3072-bit certificate identifies the device for network access such as 802.1x, Simple Certificate Enrollment Protocol (SCEP), and web proxy.
- 3072-bit certificates can be provisioned for all devices via SCEP in Poly Lens. When the 2048-bit certificates expire, the SCEP server issues 3072-bit certificates.
- The default Common Name (CN) attribute is the serial number of the device. Customize this setting in the system web interface or via provisioning. The Subject Alternative Name (SAN) must include the host name or Fully Qualified Domain Name (FQDN). The other name attribute is the email address.
For this deep dive we have set up Microsoft NDES on Windows Server 2022 Standard as the SCEP server. This server also functions as a Domain Controller and an Enterprise Root CA, but in production environments it is recommended that the Enterprise CA, Domain Controllers and NDES servers be run on separate servers. Setup instructions for NDES are beyond the scope of this blog post but can be referenced here: https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip---how-to-configure-ndes-for-scep-certificate-deployments-in-intune/455125
For the configuration of our NDES Lab server, we have the following roles installed:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword = 1
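The following PowerShell is an added example, not Poly's or Microsoft's code, that checks the points above before a codec is pointed at NDES: that the SCEP URL is plain HTTP, that UseSinglePassword is set so the challenge password is static, and that an issued device certificate carries a 3072-bit key and the hostname/FQDN in its SAN. The server name, FQDN and certificate subject are placeholders; the MSCEP URL path and registry key are the NDES defaults.

```powershell
# Added example, not Poly's or Microsoft's code. Server name, FQDN and cert subject
# below are placeholders; the MSCEP URL path and registry key are the NDES defaults.

function Get-ScepCaCaps {
    # Ask the SCEP server for its capabilities (GetCACaps, RFC 8894) and flag the
    # ones worth confirming before enrolling devices: SHA-256 and POST PKIOperation.
    param([string]$ScepUrl = 'http://ndes.example.local/certsrv/mscep/mscep.dll')
    if ($ScepUrl -notmatch '^http://') {
        throw 'PolyOS 4.3 only accepts http:// SCEP URLs; use the plain HTTP endpoint.'
    }
    $resp = Invoke-WebRequest -Uri "$ScepUrl?operation=GetCACaps" -UseBasicParsing
    $caps = $resp.Content -split "`r?`n" | Where-Object { $_ }
    [pscustomobject]@{
        Capabilities = $caps
        Sha256       = ($caps -contains 'SHA-256')
        PostPkiOp    = ($caps -contains 'POSTPKIOperation')
    }
}

function Test-NdesStaticPassword {
    # Run on the NDES host itself: UseSinglePassword = 1 means a static challenge
    # password, which the shared codec / touch-controller credential relies on.
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    $v = (Get-ItemProperty -Path $key -Name UseSinglePassword -ErrorAction SilentlyContinue).UseSinglePassword
    return ($v -eq 1)
}

function Test-PolyDeviceCertificate {
    # Check an issued device certificate for a 3072-bit RSA key and a SAN that
    # carries the device hostname/FQDN, as the post requires for 802.1x use.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$ExpectedFqdn
    )
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    $sanText = if ($san) { $san.Format($false) } else { '' }
    [pscustomobject]@{
        Subject = $Cert.Subject
        KeyBits = if ($rsa) { $rsa.KeySize } else { 0 }
        KeyOk   = [bool]($rsa -and $rsa.KeySize -ge 3072)
        SanOk   = ($sanText -match [regex]::Escape($ExpectedFqdn))
    }
}

# Demonstration on a self-signed stand-in built here (not an NDES-issued certificate):
$demo = New-SelfSignedCertificate -Subject 'CN=PLACEHOLDER-SERIAL' -DnsName 'studiox-room1.example.local' `
    -KeyAlgorithm RSA -KeyLength 3072 -CertStoreLocation 'Cert:\CurrentUser\My'
Test-PolyDeviceCertificate -Cert $demo -ExpectedFqdn 'studiox-room1.example.local' | Format-List
```

Run Get-ScepCaCaps from the staged network and Test-NdesStaticPassword on the NDES server itself; a certificate exported from a device's web interface can be loaded with Get-PfxCertificate or New-Object X509Certificate2 and passed to Test-PolyDeviceCertificate.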