10-24-2017 09:11 PM
Working with a school district that owns approximately 5000 Apple iPads. At this time, the school district does not have an MDM system in place. The school district also does not have an inventory of the MAC addresses for the iPads they own. For each classroom cart containing 25-30 iPads, there is an Apple Macbook loaded with Apple Configurator used to administer the iPads for the classroom.
Question 1: What would be a recommended method suited for large scale iPad deployment to issue a certificate from a Microsoft CA for each iPad?
1) Create a unique user object for each iPad in Active Directory and manually enroll each iPad using the ISE onboard process? Each iPad certificate would have a unique CN and the MAC address as the SAN.
2) Create a unique user object representing a single classroom in a school where the naming convention as an example could be, <Facility ID>-IPAD-<Classroom Identifier> and manually enroll each iPad using the ISE onboard process? Each iPad in a single classroom would have a certificate with the same CN and the MAC address as the SAN.
3) Not use the ISE enrollment process, and have the organization purchase an MDM and use the MDM to generate a certificate and WiFi EAP-TLS profile for each iPad to authenticate?
4) A different method?
Question 2: Does Apple configurator (or another commercial software utility) have the capability to simplify the enrollment process without having to manually touch thousands of iPads, or will this be a large team effort to get this done.
Any feedback would be appreciated.
Solved! Go to Solution.
10-25-2017 05:14 AM
I like option 2 so each classroom can see all the devices
Why are you not using the ISE internal ca? Save yourself some pain
I am not familiar with methods outside of ISE but perhaps others have used them
You would need to research outside of ISE would is the recommended way for an organization to onboard and manage lots of devices since they are not obviously simple BYOD devices per user
10-25-2017 05:14 AM
I like option 2 so each classroom can see all the devices
Why are you not using the ISE internal ca? Save yourself some pain
I am not familiar with methods outside of ISE but perhaps others have used them
You would need to research outside of ISE would is the recommended way for an organization to onboard and manage lots of devices since they are not obviously simple BYOD devices per user
10-25-2017 04:34 PM
If leverage the same username, then you are bound to a device registration limit by user.so be sure to set limit to match class size if you were to employ this option (Administration > Device Portal Management > Settings). Using MS CA is also fine. Need to decide who will manage certs and if expect certs for individual users or classes to be managed out of AD or ISE. In case of AD CA, you must revoke certs from its interface vs ISE. If ISE is CA, then certs are issued and optionally revoked automatically when devices reported as Stolen.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide