This document describes how to create a custom Active Directory certificate template on a Windows server and then configure the HYPR Workforce Access Client application to use that certificate when a user registers or authenticates on a macOS workstation. There are three main steps in this process: create the certificate template, publish it from the Certification Authority, and configure the HYPR Workforce Access Client on each workstation.
Before you begin, verify that:
- Active Directory Certificate Services are deployed within the domain
- Your account on the Windows server has privileges to modify the Certificate Authority settings
- The HYPR Workforce Access Client application is already installed on the workstation
- Log into the Windows server that performs the Certificate Authority role, either directly or via a remote desktop client.
- Open the Microsoft Management Console (MMC).
- In the console, select File > Add/Remove Snap-in...
- Use the Add > button to add Certificate Templates to the list of selected snap-ins, then click OK to save the change.
- Open the Certificate Templates snap-in, right-click on Smartcard User template, and select Duplicate Template.
- In the Properties of New Template window, go to the General tab and change the following settings:
- Template display name: any name that lets you identify this as a HYPR template (for example, HYPR macOS). By default, MMC sets the Template name to the display name with the spaces removed. You can change the name, but make a note of the value, since you'll need it later to set up the HYPR Workforce Access Client on each workstation.
- Publish certificate in Active Directory: you can leave this either checked or unchecked.
Also make sure that Secure Email is included in the template's Application Policies.
- Select OK to close the Properties of New Template window and create the template.
- On the Windows Server, open the Certification Authority console.
- In the left navigation pane, right-click on the machine name and select Properties.
- Go to the Policy Module tab, click the Properties... button, and make sure the "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate" option is checked for Request Handling.
- Back in the left navigation pane, right-click on Certificate Templates and select New > Certificate Template to Issue.
- In the Enable Certificate Templates list, locate the HYPR certificate template you created above. Highlight the template name and click OK to publish it.
To configure HYPR to use the new certificate, you need to specify the certificate template name in the HyprOneService.plist file on each workstation where the HYPR Workforce Access Client application is installed.
- Open the HyprOneService.plist file for editing (see Installation and Configuration).
- Set the CertificateTemplate key value to the name of your certificate template. Make sure you use the template name (for example, "hyprmac"), not the template display name ("HYPR macOS").
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ApiToken</key>
    <string></string>
    <key>ApiTokenId</key>
    <string></string>
    <key>ApiVersion</key>
    <integer>4</integer>
    <key>ApplicationId</key>
    <string>windowslogin</string>
    <key>CertificateAuthEnabled</key>
    <true/>
    <key>CertificateTemplate</key>
    <string>hyprmac</string>
    <key>Devices</key>
    ...
- Make sure the CertificateAuthEnabled key value is set to true. (Normally this value will already be set correctly unless you're modifying an existing non-domain-joined installation to use Active Directory.)
- Save the changes and restart the computer.
- Open the HYPR Workforce Access Client and register a new device to confirm the registration is using the new certificate template.
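The following check is an added example, not part of the HYPR documentation or the client itself. It parses a HyprOneService.plist with Python's plistlib and reports on the two settings this procedure depends on, CertificateAuthEnabled and CertificateTemplate, including the common mistake of entering the display name ("HYPR macOS") instead of the template name ("hyprmac"). The plist content below is a constructed fragment; the expected template name is taken from the example above.

```python
import plistlib
from typing import List

# Constructed sample of the relevant HyprOneService.plist keys (not a real
# workstation file); the Devices section and other keys are omitted.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ApiVersion</key>
    <integer>4</integer>
    <key>ApplicationId</key>
    <string>windowslogin</string>
    <key>CertificateAuthEnabled</key>
    <true/>
    <key>CertificateTemplate</key>
    <string>hyprmac</string>
</dict>
</plist>
"""


def template_name_from_display_name(display_name: str) -> str:
    """MMC's default template name is the display name with spaces removed.
    (The example in this document renamed it to 'hyprmac' instead.)"""
    return display_name.replace(" ", "")


def check_certificate_config(plist_bytes: bytes, expected_template: str) -> List[str]:
    """Return the problems found; an empty list means the plist matches the procedure."""
    problems: List[str] = []
    try:
        data = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException as exc:
        return [f"plist is not parseable: {exc}"]
    # <true/> parses to Python True; anything else (missing, <false/>, a string) fails.
    if data.get("CertificateAuthEnabled") is not True:
        problems.append("CertificateAuthEnabled must be <true/>")
    template = data.get("CertificateTemplate")
    if not template:
        problems.append("CertificateTemplate is missing or empty")
    else:
        if " " in template:
            problems.append(f"CertificateTemplate '{template}' contains spaces; "
                            "use the template name, not the display name")
        if template != expected_template:
            problems.append(f"CertificateTemplate is '{template}', expected '{expected_template}'")
    return problems


def check_plist_file(path: str, expected_template: str) -> List[str]:
    """Run the same check against a plist on disk, e.g. the workstation's HyprOneService.plist."""
    with open(path, "rb") as f:
        return check_certificate_config(f.read(), expected_template)


if __name__ == "__main__":
    issues = check_certificate_config(SAMPLE_PLIST, "hyprmac")
    print("OK" if not issues else "\n".join(issues))
```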