Active Directory certificate settings

Use this payload to set enrollment information for Active Directory Certificate Services (AD CS) servers. An AD CS certificate authority issues a certificate that binds a user or device identity to a key pair. The private key is generated on the enrolling Mac and kept in its keychain; the directory server holds the CA and the issued certificate, not the private key. This payload lets the device or user present that key and certificate for service authentication and encryption.

Note: Use the Active Directory certificate payload for OS X device, user, and user group configuration profiles. For more information, see About profiles and payloads and Payload best practices.

The following entries are required:

  • The description of the certificate request

  • The fully qualified domain name or IP address of the certificate server

  • The name of the Certificate Authority (the common name, that is the CN attribute value, of the CA's directory entry at “CN=<your CA>,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,<your base DN>”)

The following entries are optional:

  • The certificate template type

  • The user name and password used to authenticate the enrollment request (optional for user and user group profiles, not needed for device and device group profiles)

The following options are available:

  • Allow all apps to access the certificate in the Keychain

    By default, only selected system processes, such as Wi-Fi and VPN, can access this certificate and its private key. Enable this option to allow all apps to access the certificate.

  • Allow an administrator to export the private key from the Keychain

    Enable this option if an Active Directory administrator must be able to export the private key from the Keychain, for example to give it to another user. Leave it disabled otherwise: a non-exportable key stays bound to the Mac that enrolled it, which is the point of device-bound certificate authentication.
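The entries above map onto keys of the com.apple.ADCertificate.managed payload in a .mobileconfig file. The following is an added example, not code from Apple or from this page: it builds the payload dictionary with the required entries, the optional template and credentials, and the two Keychain options left at their restrictive defaults, then wraps it in a profile and serializes it with plistlib. The payload key names (Description, CertServer, CertificateAuthority, CertTemplate, UserName, Password, AllowAllAppsAccess, KeyIsExtractable) are taken from Apple's Configuration Profile Reference as the author recalls them and should be checked against the current reference; the CA name, server and base DN values are constructed placeholders.

```python
"""Build an Active Directory certificate payload for a configuration profile.

Added example; not Apple's code. Key names follow Apple's Configuration
Profile Reference for com.apple.ADCertificate.managed as recalled by the
author (assumption: verify against the current reference before deploying).
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.ADCertificate.managed"

# Container in the forest's configuration naming context where published
# CAs live. The CN of the entry under it is the "name of the Certificate
# Authority" that the payload expects.
PKI_CONTAINER = ("CN=Certification Authorities,CN=Public Key Services,"
                 "CN=Services,CN=Configuration")


def ca_entry_dn(ca_name, base_dn):
    """Return the DN of the CA's directory entry, handy for an ldapsearch check."""
    return f"CN={ca_name},{PKI_CONTAINER},{base_dn}"


def ad_certificate_payload(description, cert_server, ca_name, template=None,
                           username=None, password=None,
                           allow_all_apps=False, key_extractable=False):
    """Return one AD certificate payload dictionary.

    description, cert_server (FQDN or IP of the CA host) and ca_name are the
    required entries; everything else is optional. The two Keychain options
    default to the restrictive setting: only system processes such as Wi-Fi
    and VPN may use the key, and the private key cannot be exported.
    """
    if not (description and cert_server and ca_name):
        raise ValueError("description, certificate server and CA name are required")
    if password is not None and not username:
        raise ValueError("a password without a user name is meaningless")

    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Active Directory Certificate",
        "Description": description,
        "CertServer": cert_server,
        "CertificateAuthority": ca_name,
        "AllowAllAppsAccess": bool(allow_all_apps),
        "KeyIsExtractable": bool(key_extractable),
    }
    if template:
        payload["CertTemplate"] = template
    if username:
        payload["UserName"] = username
        if password is not None:
            payload["Password"] = password
    return payload


def configuration_profile(payloads, display_name, identifier, scope="System"):
    """Wrap payloads in a top-level profile; scope is System (device) or User."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadScope": scope,
        "PayloadContent": list(payloads),
    }


def profile_bytes(profile):
    """Serialize the profile as XML plist bytes (the .mobileconfig format)."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed placeholder values, not a real deployment.
    payload = ad_certificate_payload(
        description="Machine certificate for 802.1X",
        cert_server="ca01.corp.example.com",
        ca_name="CORP-ISSUING-CA",
        template="Machine",
    )
    profile = configuration_profile([payload], "AD Certificate",
                                    "com.example.adcert.device")
    print("look for:", ca_entry_dn("CORP-ISSUING-CA", "DC=corp,DC=example,DC=com"))
    print(profile_bytes(profile).decode())
```

Before installing, confirm the CA name with an LDAP query for the DN that ca_entry_dn returns; an incorrect CN is the most common reason enrollment silently fails. Keep AllowAllAppsAccess and KeyIsExtractable false unless a specific app or migration needs them, since either one widens what can use or copy the private key.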

To bind OS X to Active Directory, see Directory settings.

You can add multiple Active Directory certificate payloads by clicking the Add Payload button.