Enabling successful Mac Auto Enrollment

Challenges and security risks of Mac Enrollment

Unlike Windows PCs, Mac clients have no built-in certificate auto-enrollment client, so certificates cannot be auto-enrolled to them from a Microsoft Certificate Authority (CA) out of the box.

Additionally, certificates and private keys stored on Mac clients are fully exportable. Delivering digital certificates together with their private keys to Mac clients can conflict with your security policy design and weaken your security posture.

As a result of these inherent differences between Mac and PC clients, requesting certificates for Macs requires a more user-intensive process, and the certificates and keys are delivered to and stored on the device in a less secure manner. Private key exposure and certificate transferability contradict most security policies, but are often accepted for Mac devices for lack of an alternative. To support legal non-repudiation, the key pair used for digital signature must be generated on the client, must never be exportable or backed up, and must remain under the user's control at all times.

How can CSS help ensure the security and efficiency of Mac Enrollment?

  • Enable auto-enrollment from Mac clients
  • Deliver certificates whose private keys are non-exportable directly to Mac clients
  • Deliver certificates with on-device key generation (ODKG), ensuring private keys are never stored in a remote location or transferred over the air or wire
  • Support auditable non-repudiation for users utilizing certificates on Mac clients
  • Implement demonstrable and fully auditable security operations
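The non-repudiation requirement above (key pair generated on the client, never exportable, under user control) and the ODKG bullet describe the same property. The following is an added example, not code from the original page or from CSS, showing one way a macOS enrollment agent can meet it: generate the signing key inside the Secure Enclave, export only the public half for the certificate request, and check that the private key cannot be exported. It assumes an Apple silicon or T2 Mac and a code-signed app with keychain access (Secure Enclave keys are refused to unsigned processes); the application tag is a made-up placeholder.

```swift
// Added example (not from the original page or CSS): on-device key generation
// with a non-exportable private key on macOS, using the Secure Enclave.
// Assumptions: Secure Enclave present; app is code-signed with keychain access.
import Foundation
import Security

enum KeyError: Error { case failed(String) }

/// Generate a P-256 key pair inside the Secure Enclave. The private key never
/// leaves the enclave; the keychain only stores a reference to it.
func makeNonExportableKey(tag: String) throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,   // key never migrates to another device
        [.privateKeyUsage, .userPresence],              // user must be present to sign
        &cfError) else {
        throw KeyError.failed("access control: \(cfError!.takeRetainedValue())")
    }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag.data(using: .utf8)!,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &cfError) else {
        throw KeyError.failed("keygen: \(cfError!.takeRetainedValue())")
    }
    return key
}

/// The public half is what goes into the certificate request; exporting it is allowed.
func exportPublicKey(_ priv: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let pub = SecKeyCopyPublicKey(priv),
          let raw = SecKeyCopyExternalRepresentation(pub, &cfError) else {
        throw KeyError.failed("public key export: \(String(describing: cfError?.takeRetainedValue()))")
    }
    return raw as Data   // uncompressed X9.63 point, 65 bytes for P-256
}

/// Policy check for non-repudiation: an export attempt on the private key must fail.
func privateKeyIsExportable(_ priv: SecKey) -> Bool {
    var cfError: Unmanaged<CFError>?
    return SecKeyCopyExternalRepresentation(priv, &cfError) != nil
}

/// Signing happens inside the enclave; the app only ever sees the DER signature.
func sign(_ message: Data, with priv: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(priv, .ecdsaSignatureMessageX962SHA256,
                                          message as CFData, &cfError) else {
        throw KeyError.failed("sign: \(cfError!.takeRetainedValue())")
    }
    return sig as Data
}

let tag = "com.example.mac-enrollment.signing"   // hypothetical application tag
let message = "enrollment-proof".data(using: .utf8)!  // constructed sample input
do {
    let priv = try makeNonExportableKey(tag: tag)
    let pub = try exportPublicKey(priv)
    print("public key (\(pub.count) bytes) ready for the certificate request")
    print("private key exportable: \(privateKeyIsExportable(priv))")
    let sig = try sign(message, with: priv)
    // Verify with the public key, as the CA or a relying party would.
    var cfError: Unmanaged<CFError>?
    let ok = SecKeyVerifySignature(SecKeyCopyPublicKey(priv)!, .ecdsaSignatureMessageX962SHA256,
                                   message as CFData, sig as CFData, &cfError)
    print("signature verifies: \(ok)")
} catch {
    print("error: \(error)")
}
```

For a Secure Enclave key, SecKeyCopyExternalRepresentation refuses to return the private key, so privateKeyIsExportable reports false; that refusal, together with the ThisDeviceOnly protection class (the key is excluded from backups and migration) and the userPresence flag (each signature needs the user's Touch ID or password), is what makes the key pair meet the requirements stated above. Building the CSR around the exported public key and submitting it to the CA is a separate step not shown here.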

Discover how to efficiently and securely enroll your Mac clients.