Large Scale Onboarding and Issuing certificates for iPads

Jayhawk_10
Beginner

Working with a school district that owns approximately 5000 Apple iPads. At this time, the school district does not have an MDM system in place. The school district also does not have an inventory of the MAC addresses for the iPads they own. For each classroom cart containing 25-30 iPads, there is an Apple Macbook loaded with Apple Configurator used to administer the iPads for the classroom.

Question 1: What would be a recommended method suited for large scale iPad deployment to issue a certificate from a Microsoft CA for each iPad?

1) Create a unique user object for each iPad in Active Directory and manually enroll each iPad using the ISE onboard process? Each iPad certificate would have a unique CN and the MAC address as the SAN.

2) Create a unique user object representing a single classroom in a school where the naming convention as an example could be, <Facility ID>-IPAD-<Classroom Identifier> and manually enroll each iPad using the ISE onboard process? Each iPad in a single classroom would have a certificate with the same CN and the MAC address as the SAN.

3) Not use the ISE enrollment process, and have the organization purchase an MDM and use the MDM to generate a certificate and WiFi EAP-TLS profile for each iPad to authenticate?

4) A different method?

Question 2: Does Apple Configurator (or another commercial software utility) have the capability to simplify the enrollment process without having to manually touch thousands of iPads, or will this be a large team effort to get this done?

Any feedback would be appreciated.

Accepted Solution

Jason Kunst
Cisco Employee

I like option 2, so each classroom can see all the devices.

Why are you not using the ISE internal CA? Save yourself some pain.

I am not familiar with methods outside of ISE, but perhaps others have used them.

You would need to research outside of ISE what the recommended way is for an organization to onboard and manage lots of devices, since they are obviously not simple per-user BYOD devices.


Replies


If you leverage the same username, then you are bound to a device registration limit per user, so be sure to set the limit to match the class size if you were to employ this option (Administration > Device Portal Management > Settings). Using the MS CA is also fine. You need to decide who will manage certs, and whether you expect certs for individual users or classes to be managed out of AD or ISE. In the case of an AD CA, you must revoke certs from its interface rather than from ISE. If ISE is the CA, then certs are issued and optionally revoked automatically when devices are reported as Stolen.
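The two practical points in this thread are the naming convention from the question (option 1: a unique CN per iPad, option 2: one CN per classroom, the MAC in the SAN either way) and the reply's warning that a shared username runs into ISE's per-user device registration limit. The script below is an added example, not code from the original post or from Cisco: it takes a constructed inventory of (facility, classroom, MAC) rows, normalizes the MAC spellings a spreadsheet typically mixes, derives the CN for either option, reports any shared username whose device count exceeds a chosen registration limit, and emits an OpenSSL `req` config per iPad for CSR generation against a Microsoft CA. The facility and classroom IDs, the MACs, and the choice of a DNS-type SAN entry for the MAC are all assumptions; use whatever SAN type your CA template issues and your ISE policy compares against the Calling-Station-ID.

```python
import re
from collections import Counter

# Constructed sample inventory: (facility ID, classroom ID, MAC as exported).
# These are made-up values, not devices from the original post.
SAMPLE_INVENTORY = [
    ("SCH01", "RM12", "AA-BB-CC-DD-EE-01"),
    ("SCH01", "RM12", "aa:bb:cc:dd:ee:02"),
    ("SCH01", "RM12", "AABB.CCDD.EE03"),
    ("SCH01", "RM14", "aa:bb:cc:dd:ee:04"),
    ("SCH02", "RM03", "aa:bb:cc:dd:ee:05"),
]


def normalize_mac(raw: str) -> str:
    """Accept colon, hyphen, dotted or bare hex spellings; return lowercase colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def san_value(mac: str) -> str:
    """Uppercase hyphenated form (AA-BB-CC-DD-EE-01), the way ISE displays Calling-Station-ID."""
    return normalize_mac(mac).upper().replace(":", "-")


def username_for(facility: str, classroom: str, mac: str, per_device: bool) -> str:
    """Option 2 CN: <Facility ID>-IPAD-<Classroom ID>; option 1 appends the MAC to make it unique."""
    base = f"{facility}-IPAD-{classroom}"
    if per_device:
        return f"{base}-{normalize_mac(mac).replace(':', '').upper()}"
    return base


def plan(inventory, per_device: bool):
    """Return (username, san) per iPad, rejecting duplicate MACs so no two certs share a SAN."""
    seen = set()
    entries = []
    for facility, classroom, raw in inventory:
        san = san_value(raw)
        if san in seen:
            raise ValueError(f"duplicate MAC in inventory: {raw!r}")
        seen.add(san)
        entries.append((username_for(facility, classroom, raw, per_device), san))
    return entries


def over_registration_limit(entries, limit: int) -> dict:
    """Usernames whose device count exceeds the ISE per-user device registration limit."""
    counts = Counter(user for user, _ in entries)
    return {user: n for user, n in counts.items() if n > limit}


def openssl_req_config(username: str, san: str) -> str:
    """OpenSSL 'req' config for one iPad CSR: CN = username, MAC in the SAN, client-auth EKU.
    Assumption: the MAC is carried as a DNS-type SAN entry; adjust to the SAN type your CA
    template actually issues and your ISE authorization policy matches on."""
    return "\n".join([
        "[req]",
        "prompt = no",
        "distinguished_name = dn",
        "req_extensions = ext",
        "[dn]",
        f"CN = {username}",
        "[ext]",
        f"subjectAltName = DNS:{san}",
        "extendedKeyUsage = clientAuth",
        "",
    ])


if __name__ == "__main__":
    entries = plan(SAMPLE_INVENTORY, per_device=False)
    # With a shared classroom username, the ISE limit must be at least the largest class.
    print("over limit of 2:", over_registration_limit(entries, limit=2))
    print(openssl_req_config(*entries[0]))
```

Each emitted config can be fed to `openssl req -new -newkey rsa:2048 -nodes -config <file> -keyout <key> -out <csr>` and the CSR submitted to the Microsoft CA. Note the trade-off this makes explicit: generating keys centrally means every private key has to be packaged (PKCS#12) and pushed to the device with its Wi-Fi profile, whereas the ISE BYOD/SCEP flow keeps the key on the iPad; whichever you choose, run the registration-limit check against the real inventory before picking option 2.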
