This section will describe how the vSEC:CMS can be configured to allow for the central management of devices where VSCs can be managed for these devices.
If this feature is to be used it is necessary to Enable automatic device registration checkbox. If it will be required to check that the device that is to be managed has a UUID in Active Directory then enable the checkbox Verify computer UUID in AD. From the dropdown list select the AD that should be checked for the device UUID. This will result in the vSEC:CMS running the following LDAP query:
Where <COMPUTER-NAME> is the name of the computer/device in AD as stored in the attribute sAMAccountName and <COMPUTER-UUID> is the UUID of the computer/device as stored in AD in the attribute netbootGUID. The UUID will be checked against the value stored on the client. The client UUID will be retrieved using Windows WMI command:
wmic path win32_computersystemproduct get uuid
For the Trusted certificate(s) section enable the Filter for key usage checkbox which will configure the vSEC:CMS to check the device certificate that is sent from the client to the server via the vSEC:CMS RSDM service. The certificate key usage can be checked to ensure specific key usage is set for the device certificate. For example, if the filter is set to 128 (decimal) in the Must have field this means that the certificate should have key usage of digital signature. It is possible to add the root or sub CA certificate of the issuer CA to validate that the device certificate is issued from the same CA. Click the Add button and select the root or sub CA to get the issuer information. The setting Import device certificates to vSEC:CMS managed certificates repository is for future functionality and shown here for information purpose only.
If the device does not have a machine certificate then this functionality should be disabled and this section configuration should be skipped. In order to disable this a registry key needs to be set on the vSEC:CMS server. Open up regedit on the vSEC:CMS server and set a DWORD with a name of rsdm.registration.forceCerts and a value of 0 in this location:
In the TPM section enable the Export endorsement key certificate if it is required to store the certificate if it is required to be used in the future for key attestation. Enter the full path on the vSEC:CMS server where these certificates will be stored in the Export to (server) field.
Currently it is only possible to store the certificates. The vSEC:CMS will not do anything further with these certificates. Additionally, the certificate name will be made up of the device ID and the computer name of the device.
If it is required to not allow the issuance of VSC where the TPM is vulnerable to the Return of the Coppersmith Attack, commonly referred to as ROCA, then enable the checkbox Blacklist devices with ROCA affected TPM for VSC enrollment. During the registration of the device if the TPM is vulnerable to ROCA then the device will be enabled as black listed. This will mean that it will not be possible to issue a VSC on the device while in this state. If it is required to allow the device to be issued then from Repository – Device Management – Managed Devices select the device and right click and select Edit Flags. Uncheck the flag Device is black listed to allow the device to be issued with a VSC.
In the Device name section, it is possible to configure specific information about the name for the device if required. If it is required to have a specific name for the specific device, where the device name is stored in registry on the device, enable the Read device name from registry check box and enter the path to the registry key. The registry key will need to be in HKEY_LOCAL_MACHINE. For example, if the device name registry key was:
Then you would enter in the Registry key field: device\mydevicename
Where mydevicename is the key that stores the device name. This key should be of type String.
Alternatively, you can read the device name from system environment variable. The variable needs to be a System variable in this case.
In the UDP Broadcast Setting enable the Use computer name which will result in the server side sending the UDP broadcast message only to the device hostname that was used during the registration of the device. Enable the Use broadcast address and enter an IP address in the field provided. It is possible to enter lists of IP addresses that you want the broadcast message to be sent to. For example, if your client devices are in a 192.168.0.255 and 172.16.0.255 range then all clients with an IP address of 192.168.0.XXX or 172.16.0.XXX will receive the broadcast message. In this case the IP addresses should be separated by ';' (semi-colon) character. If the Use computer name and Use broadcast address check boxes are enabled the vSEC:CMS will first try to send a broadcast message to the computer device that is selected. If this fails for whatever reason then the vSEC:CMS will send a broadcast message to every computer device in the IP range configured in Use broadcast address . The broadcast packet will contain the device ID which each device will then check to see that the device ID matches their ID and only the device that has the corresponding device ID in the packet will send a response to the server requesting details on what it needs to perform.
Click the Test button to perform a test UDP message. This can be useful when troubleshooting a communication issue. For example, if a device that was registered as MYPC.MYDOMAIN.local then enter this value in the Hostname field and enter the port number that the client is configured to listen on in the Port field.
On clicking Ok if the message is successfully sent you will see a success dialog.
On the client device in the event viewer you should see Source entries from vSEC:CMS RSDM indicating that the communication channel is functional as required.
In the Secure Device Management Setting section, you can configure the management around the behavior when a device is managed through the RSDM mechanism. By default, a device that is managed through the RSDM mechanism will be automatically set to a blocked state once an issuance request has been sent from the server side to the managed device. Therefore, the setting Automatically block devices for new issuance after issuance has been performed will be enabled. An operator will need to reset the blocked flag if it is required to send a new issuance command to the device. If it is required to not use this feature then uncheck this setting. If it is required to check that the user on the device is assigned as the primary user of that device in an attribute in AD then enable Verify primary user assignment in AD when issue credentials check box. Select the AD to be used from the available list of ADs in the drop-down box.
Please sign in to leave a comment.