AWS re:Inforce 2024 -Secure and increase mobile workforce productivity with AWS for MDM (DAP201-NEW)

00:01

All right, good morning everyone.

00:03

Thank you for joining. Hope

00:06

you've had a good conference so far.

00:08

Uh We're here. Uh My name is Daniel

00:10

Choi. I'm a product manager

00:12

for Aws Private C A

00:14

and with me is, hi, I'm Dave

00:16

Gupta. I'm a senior software engineer on the private

00:18

C A team. And today we're gonna be talking

00:21

about securing and increasing the

00:23

productivity of your mobile workforce

00:25

by using Aws

00:26

with mobile device management or MD

00:28

M solutions.

00:31

So

00:32

let me get started here.

00:35

So yesterday, we happily announced

00:38

the launch of public preview of

00:40

Aws private C A or certificate

00:43

authority connector for

00:45

basically what this allows you to do is

00:47

use Aws private CAA managed

00:50

cloud C A solution where

00:52

every private key is HSM backed

00:54

and use it with your mobile

00:57

device management solution to enroll

00:59

mobile devices, whether it is phones,

01:02

tablets or laptops,

01:05

you know, by using Aws Private C A,

01:07

you get to reduce your PK I operational

01:10

cost and complexity is a managed

01:12

solution.

01:13

Um And not only that the ske

01:15

service that we launch is also managed

01:17

giving you everything you need.

01:19

You know, the end point, the challenge pass was

01:21

all of that without you having to do

01:23

anything to build out the

01:26

underlying infrastructure

01:28

and our maintenance of it.

01:30

And lastly, the connector for S CE

01:32

is part of a portfolio of connectors that

01:34

AWS private C A offers. This

01:36

means it allows you to have

01:38

a single private C A solution for your

01:40

enterprise, whether it is for

01:43

securing your Aws resources,

01:45

users and machines and active directory

01:47

workloads and

01:49

Kernes and now mobile devices.

01:52

So before we jump into that, just to give you a high

01:54

level of what we're talking about today,

01:56

just to ground everyone on this topic,

01:59

we're gonna talk about certificates, certificate,

02:02

authorities. Then we'll jump right into

02:04

connector first step. Why use mobile

02:06

device management solutions?

02:08

Um And how does the connector actually

02:10

work as well as providing a quick

02:12

demo?

02:14

Then we'll wrap up overview

02:16

of the other connectors within the private

02:18

C connector family and a quick

02:20

couple slides on AWS private

02:22

C A itself just so you get a better understanding

02:25

of what it is.

02:28

So just to ground, like I said, just to ground

02:30

folks, why do, why do you need certificates?

02:32

Really? Two main use cases, right.

02:34

Encrypting data and transit

02:36

and identifying authenticating end points.

02:39

When you talk about encrypting data and transit,

02:41

you know, we're very familiar with public certificates,

02:44

right? This is what websites like amazon.com

02:48

gets so that your browser can trust

02:50

that when you visit it, it's, it's a legitimate

02:53

trusted website,

02:54

right? If you've ever gone to a website where the certificate

02:56

expired, you'll see that big

02:58

error in your browser that says, hey, are you sure you want

03:00

to proceed?

03:02

Right. And uh similar to

03:04

public certificates that are used

03:06

to secure

03:07

communication with websites and web

03:10

applications, private certificates,

03:12

secure and identify things

03:14

within your enterprise, like

03:17

devices, users, machines,

03:20

uh containers, uh and so forth.

03:25

So, Debbie, can you tell us a little bit about

03:27

the certificate services at Aws?

03:29

Definitely. So Aws has

03:32

uh a number of certificate services that are offered that can

03:34

fit your organization's needs.

03:36

The first one is AC M

03:38

so AC M is Amazon certificate manager.

03:40

Amazon certificate manager will let you easily provision,

03:43

manage and deploy public and private

03:45

certificates. What that means is you can hook

03:47

up uh AC M with your Aws

03:49

private C A which we'll talk about next

03:51

and it'll let you issue private certificates as well.

03:54

And once you've issued a certificate through AC

03:56

M, you can actually use it to

03:59

uh deploy certificates out to

04:01

other A TS integrating partners such

04:03

as uh

04:05

API gateway and A lb. Amazon

04:07

load bouncer

04:09

next. You have IDI was private C A.

04:11

So it was private C A is what

04:13

this talk is going to be all about. It's a highly available

04:16

uh C A service. It lets you set

04:18

up A PPK I hierarchy without

04:20

the ongoing cost maintenance, specialized

04:23

staff that's usually required to have your

04:25

own PK I system.

04:27

And then finally, with a of a signer, this is, this

04:30

is code signing. So uh this allows

04:32

organizations to really check where does their

04:34

code packages come from and make sure it's from a trusted

04:36

uh verified source. A very common

04:38

use case for this we see in our customers is

04:41

uh with containers.

04:43

So again, the talk today is really gonna be focused on

04:45

Abu Private C A. So before

04:48

we talk about Abu Private C A though, I want to talk a little

04:50

bit about the challenges of not

04:52

using Abu Private C A if you're self managing

04:54

your certificate authorities.

04:56

So first of all PK I is complex.

04:58

Um a story I like to tell on this

05:00

one is there's customers

05:03

that we've talked to a customer anecdote we

05:05

have is they came to us and

05:07

said before we're using eight of us private C A, they

05:09

were not sure where all their

05:11

cas were.

05:12

They talked to their PT I team and

05:14

their PK I team also told them that

05:16

there's CAS that are kind of scattered throughout the organization.

05:19

And some of those uh cas were root cas that

05:21

were actually issuing

05:23

uh

05:24

and entity certificates. So if you manage your

05:26

own PT I, you might know that's, that's usually

05:28

against best practice. Root root C

05:30

A should be issuing subordinate uh C A certificates.

05:33

And so they decided, hey, we're gonna

05:35

stop this practice and they decided to self

05:37

manage and figure out how to do that.

05:39

They went on a 18 month campaign

05:41

across the organization to figure out where all their CAS

05:44

were kind of audit what they were issuing

05:46

and they thought they had solved the problem 18 months later,

05:48

six months after that. So we're 24 months in

05:50

now. They found out actually

05:53

the problem wasn't solved. They, uh the, the

05:55

root cas, there were still CAS that they didn't know about

05:57

and their root cas were, were still

05:59

issuing an entity certificates. This is all

06:01

just to illustrate that

06:03

even with the best intentions, your PT

06:05

I team inside your organization can have a hard time

06:07

managing and operating a PT

06:10

I of their own.

06:12

Next one, there's a lot of manual processes. Everything I just

06:14

described sounded very manual. There's also

06:16

things like ceremonies that go into managing

06:18

your own C A

06:20

uh A ceremony is where

06:22

you would have to reissue AC

06:24

A certificate or maybe rotate your C A certificate

06:27

and it's, it's a very difficult thing

06:29

to do. You end up having a lot of PKI

06:31

experts in your organization all

06:33

get in a room, do a bunch of auditing,

06:36

go through a bunch of manual steps, all this very

06:38

difficult to automate and it ends up slowing

06:40

down your organization.

06:43

Next one, it doesn't really facilitate automation.

06:45

So if you're managing your own,

06:47

uh if you're managing your own C A, you

06:49

don't have API S usually you don't have an SDK

06:52

that you can just call. It, ends up slowing down your

06:54

developers. And like I said, ceremonies are

06:56

a great example of something that just cannot be automated.

06:59

Finally, there's cost. So this is the big one that customers

07:01

talk about uh managing your own C A can be very,

07:03

very expensive.

07:05

Um A example that I like to give

07:07

on this one is that it is about

07:09

H SS M. So if you have your own C A

07:11

and HSM is a hardware security module

07:13

that you need to store your private key securely.

07:16

If you will go and buy your own HSM,

07:18

you're looking at 2025 $30,000

07:21

for a single HSM.

07:23

Now, if your organization wants redundancy,

07:25

double or triple that, now if you want high availability,

07:27

maybe double, triple that. So you're looking at possibly

07:30

tens of thousands of dollars in just

07:32

infrastructure costs. Now, you have your

07:34

staff, now you have your specialized team,

07:37

all this stuff adds up very quickly.

07:39

Uh We had a customer tell us that

07:41

they were self managing their own HSM. They

07:43

actually spent 25 $50,000

07:46

on HS MS.

07:47

Their organization tried to do a firmware

07:49

update when they did the firmware update.

07:51

They found out that they accidentally bricked their HSM

07:53

because again, it's very difficult to self manage these things.

07:56

They bricked their HSM. Next thing they know

07:58

they were out, uh a bunch of money and they had to

08:00

start all over, which goes to show you some of the challenges

08:03

that come with traditional cas.

08:05

But now we're gonna talk a little bit about private

08:08

C A and how it's a little bit different. Dan will walk us through that.

08:11

Yeah, thanks Debbie.

08:12

So how is privacy different

08:14

than what we just call traditional cas.

08:17

Well, first it's a managed

08:19

solution where we take the undifferentiated,

08:21

heavy lifting of managing PK

08:24

I operating PK I off of your hands,

08:26

right? So we're talking all that underlying

08:28

infrastructure, databases servers,

08:31

you know the HS MS, all that gone.

08:33

We do it for you, right? So,

08:36

and then in addition to that,

08:38

uh as Devi said, we help

08:40

you be secure. We every private

08:42

key is generated in HSM

08:44

signing happens in HSM and they're not

08:46

exportable. So no worries that

08:48

the private key leaks and you have ac a compromise

08:52

if you talked about

08:53

traditional Cas typically

08:56

don't have your API S. Well,

08:58

we are API for service

09:00

issuing certificates, revoking them,

09:03

that's all doable through automation.

09:07

And then we also have high scalability,

09:09

right? So if you run into a place

09:11

where your traditional C A starting to run out of

09:14

capacity uh issuance rate,

09:16

um you're gonna have to go in

09:18

and invest in that hardware and

09:20

infrastructure again here. You know,

09:22

we support everything

09:24

from IOT devices for like the matter

09:26

smart home standard where we issue

09:28

tens of millions of certificates

09:30

uh, to enterprise use cases, right. Active

09:33

directory, Kubernetes

09:34

and,

09:35

uh, Aws private C A issues on average

09:38

about more than 1.5 million certificates

09:40

a day, including internal certificates

09:42

as well. That means over half

09:44

a billion certificates a year,

09:46

including internal certificates.

09:50

And then lastly,

09:51

yes, you can set up ac A, yes, you can

09:53

set up your PP I, but I want to use it with these

09:55

different use cases, whether it's service

09:58

measures or whether it is with

10:01

uh active directory or whether it's with

10:03

my mobile device management solution.

10:05

Uh Well, Aws privacy is

10:07

integrated with a lot of solutions

10:09

and services within Aws

10:11

making it easier for you to do things like use.

10:13

I am with certificates for even

10:15

workloads that aren't even in Aws.

10:21

So let's jump into the main topic

10:23

of our talk today

10:25

which is a OS privacy at connect to

10:27

fork. So what does

10:29

it really do at the end of the day?

10:31

It allows you to use Aws private

10:33

C A with SCP compatible

10:35

applications, clients end points

10:38

typically that means mobile device management

10:40

solutions.

10:41

Um I'm gonna take one step back

10:43

and talk about the connectors overview, which

10:45

is what our connectors, right? Aw. Private

10:47

C A just told you is a manage solution

10:50

scales great high availability

10:52

but connectors allow you to use private C A in

10:54

environments that have a natural

10:57

uh native established certificate

10:59

distribution solution.

11:00

That's a mouthful. What does that mean?

11:03

Basically you can think about things like

11:05

active directory, right? It has auto enrollment.

11:08

It just works. You put a user group

11:10

and user machine into a group,

11:12

they get a certificate every news

11:14

by itself,

11:16

uh Kubernetes. If you're using that, there's a cert

11:18

manager a on, it's a free open source

11:20

ad on certificate. Life cycle management

11:22

does a fantastic job of making

11:24

sure your certificates get to the right places

11:27

and also stays valid.

11:29

And so really by using connectors, you

11:31

get, you can use Aws privacy

11:34

as a single C A solution for

11:36

a variety of your enterprise use cases.

11:38

Now back to what I was saying a moment ago,

11:41

what is connected for sep basically,

11:43

you can use it with SEP compatible endpoints, clients

11:45

applications.

11:47

Usually this means mobile device management solutions.

11:50

And uh

11:52

S ce P stands for simple certificate enrollment protocol

11:55

just in case you weren't aware of that.

11:57

And that is what a lot of MD M solutions

11:59

have adopted for enrolling certificates.

12:02

So I'm gonna talk a little bit about MD MS, right?

12:04

So we talked about uh improving

12:07

productivity, being able to use it. What

12:09

is an MD M? Why should you even consider

12:11

it? We'll give you a high level,

12:13

you know, rundown of it, but basically allows

12:16

you your enterprise administrators

12:18

to control and enforce

12:20

policies on mobile devices.

12:23

So whether it's corporate issued or

12:25

you bring your own device like I do for work

12:27

now, they can set uh rules

12:29

such as

12:30

hey, you have to have a pass code, it has to be eight

12:32

digits long. You can't have certain apps

12:34

on it, things like that.

12:37

It also provides some information

12:39

back to you to say, hey, are any devices

12:41

in a state that is less secure? Maybe it's

12:44

in a weird IP location, things like

12:46

that. So it provides that kind of information

12:48

as well. And then lastly for that example,

12:50

where I bring my own device to work, I

12:52

want a clear separation between

12:55

my work data and my personal data.

12:57

And I don't need Amazon

12:59

uh data mingling with the

13:01

social media apps that I'm using, right?

13:05

And bringing on a device is actually the most

13:07

common use case that we've

13:09

heard, right? And why would that be?

13:11

So first thing uh

13:13

we found out or learned is

13:15

we, you know, it's up to 34%

13:17

higher productivity when you allow your employees

13:20

to use mobile devices,

13:22

right? So that means hey, I get to be on

13:24

block because I have a question or I need an approval

13:26

that can happen on the go.

13:28

Um

13:30

In addition to that, you could save up to

13:32

$350 per

13:34

employee compared to issuing

13:36

a corporate uh owned device, right?

13:39

So going out and buying a mobile device and giving

13:41

it to your employee compared to that can save

13:43

a little bit of money.

13:44

So higher productivity, lower

13:47

cost,

13:48

that's one of the biggest reasons why we see bring

13:50

your own device as uh uh a major

13:52

use case.

13:53

So Debbie, do you wanna tell us a little

13:55

bit about the connector itself? Yeah,

13:57

definitely. So like Dan said, we're excited to be talking

13:59

about the connector for skep today.

14:01

Uh So when you're creating a connector for ke

14:03

you really have two choices, you can create two

14:05

types. The first one is gonna be a general purpose

14:07

connector. So let's talk about that. First,

14:10

a general purpose connector is designed

14:12

to work

14:13

with end points that support skip.

14:15

Now there's a couple of use cases here. Uh The

14:17

first one is mobile device management.

14:20

So mobile device management means that you

14:22

can use uh the general purpose connector

14:24

with uh

14:26

with MD M such as Jam Pro or

14:28

Airwatch.

14:29

Uh Another C compliant MD MS,

14:32

you can use it with network gear routers, printers,

14:34

whatever other gear that you have that is kept compliant.

14:37

And the last thing you need to know is that the challenge passwords

14:40

that you create are managed by AWS. What

14:42

does that mean? So a challenge password in

14:44

Aws. So a challenge password is a skep

14:46

concept and it's kind

14:48

of the security layer that exists within skep.

14:51

So a skep server

14:53

will create a challenge password. It

14:55

will distribute and then you distribute that out to your

14:57

clients and your trusted MDMS.

14:59

And once that distribution happens, your step clients and

15:01

MDMS will actually be able to make requests

15:04

to your step end point that

15:06

the connector forke

15:07

will create for you and it will know that OK.

15:09

This person knows the password so they're authorized to

15:11

issue a certificate. So that's, that's how you do

15:13

challenge password management.

15:16

And then the other type is the type for connector

15:18

uh the type for Microsoft intune. Now,

15:20

this type is designed to work with as you probably

15:23

guessed Microsoft intune.

15:24

And uh that connector type is

15:27

uh is gonna have challenge

15:29

passwords managed in Microsoft intune.

15:31

So what that means is you're not doing the management

15:33

within AWS. Now, in this connector type,

15:35

you're managing those challenge passwords within intune.

15:38

So every single request that's made

15:40

to issue a new certificate has its own unique

15:42

challenge password that intune will create, send

15:44

your client and the client will make a unique

15:46

request with a unique challenge password. So that

15:48

management is done for you in in Microsoft

15:50

intune. So next,

15:53

uh we'll talk a little bit about what the architecture

15:55

looks like there like. What does it look like to actually use

15:58

uh A MD M with

16:00

the connective for cap. Now, one thing I want to call out is

16:02

using the connective first cap does not require you to

16:04

use that use an MD M. That's just a very popular

16:06

use case that we see with customers.

16:08

So

16:09

here uh we have a MD

16:11

M solution. This could be intune,

16:14

it could be airwatch, it could be Jam Pro

16:16

and you have your AWS private C that you set

16:18

up within Aws

16:20

and you have the connector for cap that you've also

16:22

set up once you set

16:24

those things up.

16:25

Uh The next step is you have a mobile device

16:28

that your organization is managing. This could

16:30

be an I OS device, it could

16:32

be an Android device, a laptop ipad,

16:34

uh whatever your organization is using

16:36

and uh the mobile device uh configuration

16:39

that you create will actually get pushed to your

16:41

uh mobile device from the MD M. Now,

16:44

what is the configuration profile that I just mentioned? A configuration

16:46

profile is uh something

16:48

that you set up in your MD M.

16:50

It's going to contain an endpoint, it's going to contain

16:52

maybe a challenge password and what your certificate

16:55

looks like. So I can say I want a specific

16:57

extension in my certificate or I want a specific

17:00

subject in my in my certificate.

17:02

All those things are set up in my MD M and pushed

17:04

to my mobile device. Once my mobile device

17:06

has that, it will connect with the endpoint

17:08

for connector for scout

17:09

and it will request a certificate. Once

17:12

it requests a certificate, the connector for scap

17:14

will go to AWS private C.

17:16

It'll grab a certificate, get it issued and

17:18

send it back to your mobile device there. You have

17:20

it, it's pretty simple. Now, you have a mobile device that

17:22

is enrolled in your MD M and has a certificate issued

17:24

through a private C A.

17:27

Now,

17:28

all of this sounds pretty simple and it is,

17:31

and we're gonna show you uh in a, in a five step

17:33

demo here.

17:34

And so uh it's gonna be a series of

17:36

videos. We're just gonna talk through it real

17:38

quick. First, we have the step where we're

17:40

gonna create AC A.

17:41

After we create AC A, we'll show you how easy it

17:43

is to create a general purpose connector.

17:46

Um And after that, we'll talk about Microsoft Intune

17:48

a little bit. We'll show you how to make a connector for that.

17:50

And then we'll also talk about how to create configuration

17:53

profiles within Microsoft Intune.

17:55

And then finally, we'll talk about enrolling a device.

17:58

So let's get started with the demos.

18:04

We'll be creating a connector for skip. The

18:06

first step in creating a connector for step is

18:08

to create a private ca So let's go ahead and do that

18:11

here. You have the private T A console.

18:14

I will, I will go ahead and click the create your privacy

18:16

button here.

18:18

You have a wizard that pops up with

18:21

um some options that we're going to go through.

18:23

You have mode options. So

18:26

this is asking you to pick between general purpose and

18:28

short lived certificate for your two

18:30

C modes

18:31

for the purposes of a connective step we recommend

18:34

using general purpose. So I'm gonna go ahead and click that

18:38

now under C A type options,

18:40

we have a root and a subordinate option.

18:43

I'm gonna go ahead and uh stick with root for the purposes

18:45

of this demo

18:47

and someone click that.

18:49

And now uh under subject,

18:52

we have uh

18:54

many fields. A lot of these are optional.

18:57

But for the common name of your C

18:59

A, I'm gonna go ahead and say

19:00

uh let's call it recording

19:03

demo.

19:06

Great. So we now we have a common name for our C A

19:09

and now we have some options for key algorithm.

19:11

Uh The key algorithm of your C A

19:13

uh can be RS A 2048

19:15

2048 RS A 4096

19:18

ECP 256 and ECP

19:20

384.

19:22

So I'm going to go ahead and click

19:24

RS A 2048.

19:25

Uh This is the most widely adopted

19:28

uh algorithm. So we're going to use that for the second

19:30

demo. But if you have other compliance needs

19:32

or other uh key algorithm uh needs,

19:34

you can go ahead and click into the other ones as well.

19:36

They will all work with the connection for skip.

19:40

Great. So now we have certificate revocation options

19:42

here. Um You can select CRL

19:45

and if you suck to the CRL option,

19:47

you'll provide it with a S3 bucket name.

19:49

Uh And the console will actually create

19:51

that S3 bucket for you.

19:53

And uh CRLS will then be generated

19:55

and delivered to that S3 bucket.

19:58

And so clients can pull it down from there

20:01

and then uh if you need O CS P,

20:03

we can also, there's also an option for O CS B

20:05

for now. I'm going to go ahead and uncheck both of these

20:07

because I will go forward with that replication

20:10

for the demo.

20:12

Here. You have tags. You can go ahead and uh tag

20:15

your C A. Uh

20:16

So I guess we can do that. We'll say,

20:18

uh for

20:19

the key, we can say recording

20:22

and the value can be a demo

20:26

here. This is C A permissions. This

20:29

basically says that I'm giving AC

20:31

M access to new certificates that are requested

20:33

by this account.

20:34

I'm gonna go ahead and keep this checked.

20:37

And then here we have pricing.

20:39

This is just acknowledging that the privacy of service

20:41

has pricing associated with it.

20:43

So I'm going to click that and acknowledge that

20:46

I hit create C A

20:48

and awesome. Now I have AC A that is in the

20:50

pending certificate state and it was created successfully.

20:54

Now, this C A cannot be used to actually

20:56

issue certificates quite yet.

20:58

Uh That can only be done

21:00

when uh the C A is

21:02

in the active state.

21:03

So right now the C A is in the pending certificate state.

21:06

So what we're going to do is activate it by

21:08

clicking actions here,

21:10

going to install C A certificate.

21:13

And what this will do is it will actually issue

21:16

ac A certificate off of your C

21:18

A and then import it back into

21:20

your C A

21:21

to activate your C A. So then your C A certificate

21:23

uh will be part of your C A and you'll have

21:25

an active C A that you can then use to issue

21:27

more certificates.

21:29

So here your C A certificate uh has

21:31

a validity period

21:33

and so you can select that here, but we'll leave

21:35

it as a default.

21:37

And then there's a signature algorithm that you can pick from.

21:40

I'm going to go ahead and leave it as sha 256

21:42

RS A.

21:44

I'm going to hit confirm and install

21:47

and there you have it. Now you have ac

21:49

a certificate

21:50

that you can view right here

21:52

that was issued for you and imported back

21:54

into your C A

21:56

and you have uh the C A in the

21:58

active state. So you can actually issue

22:00

certificates off of the C A

22:02

that uh you can then go and use.

22:05

So awesome. What I'm going to

22:07

do next is I will go

22:09

ahead and export this C A certificate

22:12

certificate dot pen and I will save that

22:14

for later because we'll need that. And then some

22:16

of the next steps when we're setting up our

22:18

uh our, our connector for step.

22:21

So as you can see,

22:23

we only took a few minutes to

22:25

set up a, a whole new brand new C

22:28

A that is highly secure,

22:30

available and managed.

22:32

It's awesome.

22:38

So as you can see,

22:41

uh setting up AC A was very quick

22:43

and easy. It only took a few minutes. And

22:45

uh one thing I want to call out about the C A and not

22:48

only is it highly, not only is it highly

22:50

scalable and completely managed for you,

22:52

this C A is also has its private

22:54

key backed in HSM. What

22:56

that means is that we just created a private, we created

22:59

a private key when we created the C A

23:00

and that private keys is created

23:03

in HSM. And any signing operations that occur

23:05

will happen in the HSM. So if you remember that

23:07

customer anecdote from before where it's really

23:09

hard to manage expensive HSM S, all of that

23:11

is done for you here. And on

23:13

top of that, that private key cannot be exported

23:16

from the private C service. So that means your private

23:18

key is always secure. No one can get to it.

23:21

All right. So we just talked about creating AC

23:24

A. Next, we'll talk about what we're launching today,

23:26

which is the, the connect to first step

23:27

and how easy it is to create one.

23:30

So let's take a look at that demo.

23:36

In the previous step, we created AC

23:38

A. In this step, we're going to create

23:41

a connector for SC.

23:42

So we are now in the connector for skip console.

23:46

On the left, we have some uh links

23:48

to other connectors and to the private C

23:51

A console as well.

23:53

One thing to note is the connective step is currently

23:55

in preview

23:56

that means changes might be made to the service.

23:58

And we don't recommend using the uh the preview for

24:01

production workloads.

24:03

So here I'm going to click the create connector

24:06

button and

24:09

we have some options here. Uh I'm gonna go ahead

24:11

and tag or name my connector here.

24:14

Um I will call it

24:16

uh

24:17

recording

24:20

the M and

24:23

then here we have connector types.

24:26

Now there's two types of connectors that you can

24:28

create when you create a connector for

24:31

uh if you pick

24:33

the general purpose connector type,

24:36

this type is designed to work with endpoints and applications

24:38

that support ke

24:40

ke is widely adopted for mobile device enrollment

24:42

and networking equipment. So this will work for many

24:44

different types of MD MS.

24:48

If you're using Microsoft intune,

24:50

you'll use the Microsoft intune type

24:53

of the private CIA connector for cap.

24:56

So to start off with, let's use the general purpose

24:58

type. So I went ahead

25:00

and selected that

25:01

and here I can go pick my C A.

25:05

So I'm going to go ahead and find the ca that

25:07

we created earlier, call the recording demo

25:09

ca select that.

25:12

And then here it's gonna uh it's

25:14

gonna ask me, do I want

25:16

the console to create a challenge password for me.

25:18

So when I hit create connector here,

25:21

a couple of things are going to happen.

25:22

First, it will share my PC

25:25

A with the connector for skip service.

25:27

This allows the connector to issue certificates

25:29

from your private ca to skip endpoints

25:32

and applications.

25:33

When you create connectors outside of the console

25:36

such as through the C

25:37

or API,

25:38

you'll need to create the A

25:39

rams share prior to creating a connector.

25:42

But when you do it through the console, this is done for

25:44

you. So when I click the create connector button,

25:46

the console will take care of that step.

25:50

Uh Next, it's gonna create the connector.

25:53

Uh creating the connector involves creating an endpoint

25:56

that you can later use uh

25:58

to actually make ke requests and

26:00

your clients can use to make ski requests.

26:03

And uh another thing the console

26:05

will do for you is it will create a challenge password

26:07

for you as a managed service.

26:10

All this happens on your behalf to simplify setting

26:12

up Skype for your PC.

26:14

So a challenge password here is one of those

26:16

steps,

26:17

challenge passwords are used to authenticate a

26:19

request before issuing a certificate from

26:21

your C A,

26:23

a challenge. Password is a static password

26:26

and needs to be distributed out to your clients in

26:28

MD MS for them to be able to issue

26:30

certificates against your C A

26:33

great. So I'm gonna go ahead and hit create connector.

26:35

And all the steps that I just mentioned before are happening

26:38

this year is being shared with the skep for connect

26:40

the connector for ke service.

26:42

And uh the endpoint is being

26:44

created

26:45

and you'll see here. Now we have a active

26:49

general purpose type connector

26:52

with an end point

26:54

any challenge password.

26:57

So let's take a look at this challenge password here,

26:59

I can click it

27:00

and click view password.

27:03

One thing to note

27:04

is that you can actually use IM

27:06

policies to lock down who can view that challenge

27:08

password. So here I have IM permissions

27:12

and so I can view the password right here.

27:15

Let me go ahead and close this.

27:17

Uh Another thing you can do from the console

27:19

is you can create a new password,

27:22

just created a new one and I can

27:24

delete an old one

27:26

by selecting the delete button and

27:28

typing, delete and

27:30

delete.

27:33

So here I've just rotated my challenge

27:35

password and I can do that without a hard

27:37

cut over.

27:38

All I have to do is create a new password update.

27:41

All my step applications and clients

27:43

to use that new password and delete the old

27:45

one. That way you can avoid downtime during

27:47

challenge password rotation.

27:50

Great. So here we've created a

27:52

general purpose connector

27:55

for S CE P

27:59

mhm. So

28:03

as you can see, it's pretty easy to create a connector for scout

28:05

that took maybe that was about a three minute video. And

28:08

so in the three minutes before this, we created

28:10

AC A

28:10

and in the next three minutes, we set up a connector

28:13

for scout. So altogether 5

28:15

to 6 minutes to set up a highly secure,

28:17

highly managed scalable C A service

28:19

that you can use with connector for scout.

28:21

And at this point, if you're using the general purpose connector

28:23

type, you're pretty much ready to go.

28:25

You can use the general purpose connector type to

28:28

uh actually work

28:30

with uh your MD MS like Airwatch and Jam

28:32

Pro. So next,

28:34

we'll talk about uh the next connector type,

28:36

which is if you're using Microsoft intune, we'll

28:38

show you how to make that and we'll show you how to set that up.

28:44

In the previous step. We created a general

28:46

purpose connector.

28:47

The connector for step also has a Microsoft

28:50

intune type.

28:51

So let's go ahead and get started and create a Microsoft

28:53

intune type.

28:56

I'm going to hit a great connector

28:59

here. I'll call this

29:02

Microsoft

29:04

inter connector

29:10

for the connector type. I'll select Microsoft

29:12

intune.

29:14

Now with this type of connector, we'll have to

29:16

go to Microsoft intune

29:18

and actually do a few steps to allow

29:21

the connector first step to be able to access

29:23

Microsoft intune.

29:25

So that's good and good.

29:27

Uh In tune here. So I'm in the Azure

29:29

portal and

29:32

in Microsoft Azure, I just searched for app

29:34

registrations and ended up at this page.

29:37

Now under app registrations,

29:39

I'm going to go ahead and click new registration

29:43

here. I'll call this testing

29:46

and

29:48

I can leave the other values as default.

29:51

So what I've done here is I've actually created

29:53

an application within

29:55

Azure. So

29:58

now I'm looking at this application

30:01

and we'll see that the

30:03

connector for step console is asking for an application

30:05

ID and a directory, id.

30:07

So let's copy, paste those values, application

30:10

id, copy that

30:14

and directory ID. I'm going to go ahead

30:16

and copy that as well.

30:19

Great.

30:21

Now I can proceed as in

30:23

the same fashion I did with the general purpose connector

30:25

where here I will search for my

30:27

C A. I'll select

30:30

it. I noticed

30:32

that the console is mentioning that the C A has been

30:34

shared with the connection for Ske service already because

30:36

I used the same C A in the previous step

30:39

when I created the general purpose connector. But

30:41

that's OK. It'll just get Reshad.

30:43

So I selected my C A

30:46

and I'm going to hit create connector

30:48

and here it's going to go through very similar steps as the last

30:50

time where it's going to go ahead and create an endpoint.

30:54

And uh one big difference

30:56

though is here, we will not

30:58

be self managing

31:01

these challenge passwords

31:03

instead.

31:05

Uh And as a console says, when using this connector

31:07

type, you manage to challenge passwords

31:09

using Microsoft intune.

31:12

And so

31:14

uh what we've done here is we've created a

31:16

uh

31:17

Microsoft into connector type

31:20

and now we can go ahead

31:22

and move on to the next step,

31:25

which is setting up access in

31:27

Azure. As you can see again,

31:29

we created a uh another connector

31:31

type. This was if you're using Microsoft Intune, you'll

31:33

create this connector type.

31:35

And this is another really easy step showed

31:37

you how to set up uh that connector. The

31:39

next step here will show you how to actually grant access.

31:42

So your connector for G needs to be

31:44

able to talk to your Microsoft into tenant and

31:46

we'll show you how to do that in the next demo.

31:48

Next, we're going to make sure that

31:50

Microsoft Intune has access set up correctly.

31:53

So the connector for SCAP can actually access Microsoft

31:55

Intune. So let's go ahead

31:57

over to, to Azure.

31:59

OK. Here we will

32:02

see the app registration that I just

32:04

created

32:05

called testing.

32:07

I can head over to certificates and secrets,

32:11

Federated essentials

32:13

and click the add credential button.

32:17

Here. I'm going to select other issuer

32:21

and I can go ahead and copy the values that the

32:24

uh that the connector gave us. So

32:26

here we have a value for issuer,

32:29

subject and audience. I'm going to click

32:31

issuer

32:32

and paste that into the issuer

32:35

subject identifier.

32:39

Please study and

32:41

here I'm going to copy the audience and

32:43

add it right here,

32:46

the name this testing

32:48

and hit

32:49

at great.

32:51

So now my connector for cab has

32:53

access to Microsoft Intune.

32:55

Now I'm going to go ahead and configure the permissions

32:58

that the connector first step has on my interne

33:00

configuration. So here I'll go to API

33:02

permissions

33:06

and I'll be able to add those specific permissions

33:08

that the connector

33:09

will, will use.

33:11

So I'm going to click, add permission

33:14

and go and click into

33:22

and now I can go to application permissions

33:25

and search for a skip

33:28

and click, add permissions.

33:31

I'll add a second permission here by clicking, add a

33:33

permission again,

33:34

Microsoft graph this time

33:37

application permissions,

33:39

searching for application and application,

33:42

read, add

33:45

permissions

33:46

and then one last button here, I'm going to grant

33:49

admin consent.

33:54

Great.

33:55

So I pretty easily just

33:57

set up my

33:58

uh connector for step to have access to my intune.

34:02

Next, I need to create a configuration

34:04

profile

34:05

that can be used

34:07

by June to actually

34:09

push ske certificates and

34:12

uh

34:13

scap trusted user profiles to

34:17

my devices. So I'm going to head

34:19

over to Microsoft Intune

34:22

and here I went to devices

34:24

and configuration

34:27

here. I'm actually going to create two

34:29

configuration profiles.

34:32

The first one is going to be

34:34

for.

34:35

Well, so I have a Windows machine that's set up

34:37

that I'm going to use as my device that I'm

34:39

enrolling to intune.

34:42

So I'll go ahead and select that first.

34:44

And then here I'll the profile type will

34:46

be trusted certificate.

34:49

So what this means is that

34:51

a trusted certificate is a certificate that ends up

34:53

in a devices trust store. So for

34:55

us, we're going to use our root

34:58

CASC A certificate that we created

35:00

earlier

35:01

as the trusted certificate.

35:03

So I'll go ahead and click create,

35:06

I'll call this trusted

35:09

sir.

35:12

Hit next

35:14

and here I need to upload it.

35:16

So I actually

35:19

upload it by just taking

35:21

the certificate that I downloaded earlier. The C A

35:23

certificate from my C A

35:25

and changing the dot P

35:27

dot C open

35:29

that up hit next.

35:32

Say that all devices that are Windows

35:34

machines that enroll to

35:37

uh my intern will get this,

35:40

get the certificate in the trust store. So I collected

35:42

all devices

35:43

hit next