
Active Directory Certificate MDM payload settings for Apple devices
You can use Active Directory Certificate settings for Mac computers enrolled in a mobile device management (MDM) solution. Use the Active Directory Certificate payload to set authentication information for Active Directory Certificate servers. Active Directory Certificate servers bind a user identity or device to a private key that is stored in a directory server. This payload lets the device or user use the stored key for service encryption and authentication.
To bind a Mac to Active Directory, see the Directory payload.
OS and channel | Supported enrollment types | Interaction | Duplicates |
---|---|---|---|
macOS device, macOS user | User, Device, Automated Device | Exclusive | Multiple |
Setting | Description | Required |
---|---|---|
Description | The description of the certificate request. | Yes |
Certificate hostname | The IP address or fully qualified domain name (FQDN) of the certificate server. | Yes |
Certificate authority | The name of the certificate authority (the common name or CN attribute value of the directory entry at “CN=<your CA>,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,<your base DN>”). | Yes |
Certificate template | The name of the template. | Yes |
Certificate expiration notification threshold | The number of days before the certificate expires at which to begin showing the expiration notification. | Yes |
RSA key size | The key size for the Certificate Signing Request (CSR). | Yes |
Prompt for credentials | You can prompt users to enter their credentials. | No |
Account user name and password | The user name and password credentials (optional for users and groups, unnecessary for devices and device groups). | No |
Allow access to all apps | By default, only selected processes, such as Wi-Fi and VPN, can access this certificate. Enable this option to allow all apps to access this certificate. | No |
Allow export from the Keychain | This allows the private key to be exported from the Keychain. | No |
Enable auto-renewal | Allows the certificate to attempt an auto-renewal from the server. | No |
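The settings above ship to the Mac as keys inside a configuration profile. The following Python script is an added example (not Apple's code or documentation) that builds a constructed sample profile, serialises it with the standard-library `plistlib`, and audits the security-relevant settings: RSA key size, private-key export from the Keychain, access by all apps, and an embedded password. The payload type `com.apple.ADCertificate.managed` and the key names (`CertServer`, `CertificateAuthority`, `CertTemplate`, `CertificateRenewalTimeInterval`, `Keysize`, `PromptForCredentials`, `AllowAllAppsAccess`, `KeyIsExtractable`, `EnableAutoRenewal`) are assumed to follow Apple's published ADCertificate payload reference and should be checked against it; every hostname, CA name, template name, UUID and identifier is a placeholder.

```python
"""Audit an Active Directory Certificate MDM payload inside a .mobileconfig.

Added example, not Apple's code. Payload type and key names are assumed
from Apple's ADCertificate payload reference; verify before use.
"""
import plistlib

PAYLOAD_TYPE = "com.apple.ADCertificate.managed"  # assumed payload type identifier
MIN_RSA_BITS = 2048                                # local policy floor for the CSR key size

# Constructed sample profile: every identifier, hostname and name below is a placeholder.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.adcert.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [
        {
            "PayloadType": PAYLOAD_TYPE,
            "PayloadIdentifier": "com.example.adcert.payload",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
            "Description": "Machine certificate for Wi-Fi and VPN",   # Description
            "CertServer": "ca01.example.com",                        # Certificate hostname
            "CertificateAuthority": "Example Issuing CA",            # Certificate authority
            "CertTemplate": "Machine",                               # Certificate template
            "CertificateRenewalTimeInterval": 14,                    # expiration threshold, days
            "Keysize": 1024,                                         # deliberately weak for the audit
            "PromptForCredentials": False,                           # Prompt for credentials
            "AllowAllAppsAccess": True,                              # Allow access to all apps
            "KeyIsExtractable": True,                                # Allow export from the Keychain
            "EnableAutoRenewal": True,                               # Enable auto-renewal
        }
    ],
}


def audit_adcert_payload(payload: dict) -> list[str]:
    """Return a list of findings for one ADCertificate payload; empty means clean."""
    findings = []
    # The page marks hostname, CA, template and key size as required settings.
    for key in ("CertServer", "CertificateAuthority", "CertTemplate", "Keysize"):
        if not payload.get(key):
            findings.append(f"missing required key {key}")
    if payload.get("Keysize", 0) < MIN_RSA_BITS:
        findings.append(f"Keysize {payload.get('Keysize')} is below {MIN_RSA_BITS} bits")
    if payload.get("KeyIsExtractable"):
        findings.append("KeyIsExtractable: private key can be exported from the Keychain")
    if payload.get("AllowAllAppsAccess"):
        findings.append("AllowAllAppsAccess: any app, not only Wi-Fi/VPN, can use the certificate")
    if payload.get("Password"):
        findings.append("Password embedded in profile; prefer PromptForCredentials")
    return findings


def audit_profile_bytes(data: bytes) -> dict[str, list[str]]:
    """Parse a .mobileconfig (XML or binary plist) and audit each ADCertificate payload."""
    profile = plistlib.loads(data)
    results = {}
    for item in profile.get("PayloadContent", []):
        if item.get("PayloadType") == PAYLOAD_TYPE:
            results[item["PayloadUUID"]] = audit_adcert_payload(item)
    return results


def hardened_copy(payload: dict) -> dict:
    """Return a copy of the payload with the risky settings corrected."""
    fixed = dict(payload)
    fixed["Keysize"] = max(payload.get("Keysize", 0), MIN_RSA_BITS)
    fixed["KeyIsExtractable"] = False      # keep the private key non-exportable
    fixed["AllowAllAppsAccess"] = False    # restrict to the default Wi-Fi/VPN processes
    fixed.pop("Password", None)            # never ship a static password in the profile
    return fixed


def audit_sample() -> dict[str, list[str]]:
    """Round-trip the constructed sample through plist serialisation, then audit it."""
    return audit_profile_bytes(plistlib.dumps(SAMPLE_PROFILE))


if __name__ == "__main__":
    for uuid, findings in audit_sample().items():
        print(uuid, findings or "clean")
    fixed = hardened_copy(SAMPLE_PROFILE["PayloadContent"][0])
    print("after hardening:", audit_adcert_payload(fixed) or "clean")
```

Run it against a real exported profile by replacing `plistlib.dumps(SAMPLE_PROFILE)` with the bytes of the `.mobileconfig` file; `plistlib.loads` handles both the XML and binary plist forms that MDM solutions produce.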