This post walks you through setting up the profiles that let your Windows 10 and macOS fleet pick the right client certificate automatically when authenticating to Workspace ONE Access through the Certificate (Cloud Deployment) authentication adapter. The same principle applies to any web app (or website) that does client-certificate authentication, so follow along.
If you have a browser-based web app that takes a client certificate for authentication, or better, you have Workspace ONE Access configured for Certificate (Cloud Deployment) authentication, and you want to get rid of the "cert-picker" prompt, read on.
Without this, the user gets a system dialog listing one or more client certificates (you will hear people refer to it as the cert picker); it is the OS asking which certificate it should use to authenticate to this website. Unfortunately, even with only one client certificate on the device it still prompts you to select. Worse, when several client certificates are installed to authenticate against different systems (Wi-Fi, VPN, email, etc.), end users get confused and struggle to pick the right one.
Remove Windows 10 Certificate Prompts
For Windows 10 I am going to cover three browsers: Chrome, Edge, and Firefox. For them to behave the way we want, a few registry keys and values are needed.
Chrome -
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls
Under that key, create a string value (REG_SZ) named "1" whose data follows this syntax: {"pattern":"<URL pattern>","filter":{...}}. The pattern uses Chrome's URL pattern syntax (an exact origin such as https://cas.example.com, or [*.]example.com for a host and all of its subdomains), and the filter selects the certificate by fields of its ISSUER or SUBJECT (CN, O, OU, L). Additional rules go in further values named "2", "3", and so on.
For example: {"pattern":"https://cas.vidmpreview.com/","filter":{"ISSUER":{"CN":"XYZ_Access"}}}
What this means is: whenever you hit https://cas.vidmpreview.com/* and the site asks for a client certificate, use the certificate whose issuer Common Name is "XYZ_Access". Note that the ISSUER filter matches the CA that signed the client certificate, not the certificate's own subject. In my case "XYZ_Access" is the name of my top-level UEM Organization Group, which is the name the Workspace ONE UEM built-in CA stamps on the SCEP certificates it pushes to devices. This will hold for customers who opt in to the UEM built-in CA; confirm it by installing the certificate on a test device first and examining the issuer in the certificate details. If you use your own CA, put its issuer CN here instead, or filter on SUBJECT fields.
PS: If you run Access on-premises and the Certificate auth adapter listens on 7443 or another non-443 port, you will likely need to include the port in the pattern as well, like below.
{"pattern":"https://{accessURL}:7443/","filter":{"ISSUER":{"CN":"XYZ_Access"}}}
Try adding the registry value by hand and see for yourself that the prompt goes away.
Once you have confirmed the registry value works, the next step is a Workspace ONE UEM Windows 10 profile that sets it remotely.
Before that, let's look at the registry values Edge and Firefox need.
Edge -
Almost the same as Chrome, under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls
A string value named "1" with the same JSON format as the one specified for Chrome above.
Firefox -
The behavior is also set through the registry (Firefox enterprise policies live under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox), but Firefox works differently: it offers no URL pattern and no way to pre-select which certificate to use. Instead you set the preference security.osclientcerts.autoload, which makes Firefox load client certificates from the OS certificate store (the user's Windows certificate store, or the keychain on macOS) rather than only from its own NSS database, and security.default_personal_cert to Select Automatically. It is something of a black box in which Firefox tries to find a usable certificate on its own, and because nothing can be specified, I would not expect this to work 100% of the time when you have multiple client certificates installed and multiple sites performing certificate authentication.
Windows 10 Cert Picker Profile Configurations General Steps
Steps
1. Create a Device channel profile (as opposed to User channel) for Windows 10.
2. Fill in Name, Description, Assignment Group within the General tab.
3. Select Configure for Custom Settings on the left.
4. Select Workspace ONE Intelligent Hub as the Target and uncheck Make Command Atomic.
5. Paste in the custom settings XML into both Install and Remove Settings.
6. Save and Publish.
The profile Custom Settings tab will look like this.
There are a few things to keep in mind when setting up a profile that writes to the registry.
1. Both the wap-provisioningdoc id and the characteristic uuid must be unique UUIDs. There are plenty of online generators, but [guid]::NewGuid() in PowerShell works just as well.
2. Notice the Action in the Install Settings is Replace and in the Remove Settings is Remove, with the same id and uuid in both. This ensures the corresponding values get deleted when the profile is removed.
3. The registry data is not very readable because every " inside the JSON has to be escaped as the XML character entity &quot;. An unescaped " would terminate the Data attribute early and make the XML invalid.
4. Be sure to change the URL pattern and the issuer Common Name to suit your environment.
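As an added example (not code from the original post or from Workspace ONE), here is a small Python script that generates the Install and Remove Settings XML for Chrome, Edge and Firefox while taking care of the points above: fresh UUIDs shared by the Install and Remove documents, Replace versus Remove, and escaping the quotes inside the JSON as &quot;. The registry paths are the ones listed above; the URL pattern and issuer CN are this post's placeholders.

```python
"""Generate Workspace ONE UEM custom-settings XML for the registry values above.

Added example, not code from the original post or from VMware: it emits the
same wap-provisioningdoc / registryoperation structure shown on this page.
The URL pattern and issuer CN used below are the post's placeholders.
"""
import json
import uuid
import xml.etree.ElementTree as ET

CHROME_KEY = r"HKLM\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls"
EDGE_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls"
FIREFOX_KEY = r"HKLM\SOFTWARE\Policies\Mozilla\Firefox\Preferences"


def auto_select_rule(pattern, issuer_cn):
    """One AutoSelectCertificateForUrls entry, as the JSON string Chrome/Edge read.

    pattern:   Chrome URL pattern, e.g. "https://cas.example.com",
               "https://cas.example.com:7443" (on-prem, custom port) or
               "[*.]example.com" (host plus all subdomains).
    issuer_cn: CN of the CA that signed the client cert. ISSUER matches the
               issuer, not the certificate's own subject.
    """
    rule = {"pattern": pattern, "filter": {"ISSUER": {"CN": issuer_cn}}}
    text = json.dumps(rule, separators=(",", ":"))  # compact form, as in the post
    if json.loads(text) != rule:  # defensive round-trip: the data must stay valid JSON
        raise ValueError("rule did not round-trip")
    return text


def registry_profile(reg_path, values, doc_id=None, char_uuid=None):
    """Return (install_xml, remove_xml) for one registryoperation characteristic.

    values: list of (Name, Data, Type) with Type "String" or "DWORD".
    Both documents share id and uuid (as in the post) so the Remove Settings
    delete exactly what the Install Settings wrote. ElementTree escapes the
    double quotes inside Data as &quot;, which is what the attribute needs.
    """
    doc_id = doc_id or str(uuid.uuid4())
    char_uuid = char_uuid or str(uuid.uuid4())
    docs = []
    for action in ("Replace", "Remove"):
        root = ET.Element("wap-provisioningdoc", id=doc_id, name="customprofile")
        char = ET.SubElement(root, "characteristic",
                             type="com.airwatch.winrt.registryoperation", uuid=char_uuid)
        parm = ET.SubElement(char, "parm", RegistryPath=reg_path, Action=action)
        for name, data, vtype in values:
            ET.SubElement(parm, "Value", Name=name, Data=data, Type=vtype)
        docs.append(ET.tostring(root, encoding="unicode"))
    return docs[0], docs[1]


def chromium_profiles(pattern, issuer_cn):
    """Install/Remove pairs for Chrome and Edge; both take the same JSON rule."""
    rule = auto_select_rule(pattern, issuer_cn)
    return {
        "chrome": registry_profile(CHROME_KEY, [("1", rule, "String")]),
        "edge": registry_profile(EDGE_KEY, [("1", rule, "String")]),
    }


def firefox_profile():
    """Firefox has no per-URL rule: load OS-store certs and pick one automatically."""
    return registry_profile(FIREFOX_KEY, [
        ("security.osclientcerts.autoload", "1", "DWORD"),
        ("security.default_personal_cert", "Select Automatically", "String"),
    ])


def read_values(xml_text):
    """Parse a document back into {Name: Data}; proves the escaping survived."""
    root = ET.fromstring(xml_text)
    return {v.get("Name"): v.get("Data") for v in root.iter("Value")}


if __name__ == "__main__":
    for browser, (install, remove) in chromium_profiles("https://[*.]vidmpreview.com", "XYZ_Access").items():
        print(f"--- {browser} install ---\n{install}\n--- {browser} remove ---\n{remove}")
    install, remove = firefox_profile()
    print(f"--- firefox install ---\n{install}\n--- firefox remove ---\n{remove}")
```

The JSON string that auto_select_rule returns is also the exact data to type into the "1" value when you test by hand in regedit before building the profile; read_values is there so you can paste the console's XML back in and confirm the data still parses after the &quot; escaping.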
XML for Chrome
Install Settings:
<wap-provisioningdoc id="b046b0ed-0c4c-4161-8075-b73efa3f1053" name="customprofile">
<characteristic type="com.airwatch.winrt.registryoperation" uuid="731b71e2-a938-4d7f-98f6-1abdca4d4b5a">
<parm RegistryPath="HKLM\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls" Action="Replace">
<Value Name="1" Data="{&quot;pattern&quot;:&quot;https://[*.]vidmpreview.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;XYZ_Access&quot;}}}" Type="String" />
</parm>
</characteristic>
</wap-provisioningdoc>
Remove Settings:
<wap-provisioningdoc id="b046b0ed-0c4c-4161-8075-b73efa3f1053" name="customprofile">
<characteristic type="com.airwatch.winrt.registryoperation" uuid="731b71e2-a938-4d7f-98f6-1abdca4d4b5a">
<parm RegistryPath="HKLM\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls" Action="Remove">
<Value Name="1" Data="{&quot;pattern&quot;:&quot;https://[*.]vidmpreview.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;XYZ_Access&quot;}}}" Type="String" />
</parm>
</characteristic>
</wap-provisioningdoc>
XML for Edge
Install Settings:
<wap-provisioningdoc id="00545f06-8906-4905-a5b0-0261fb58a7bc" name="customprofile">
<characteristic type="com.airwatch.winrt.registryoperation" uuid="278cf781-4f80-4b99-87d2-b59e50af5cb4">
<parm RegistryPath="HKLM\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls" Action="Replace">
<Value Name="1" Data="{&quot;pattern&quot;:&quot;https://cas.vidmpreview.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;XYZ_Access&quot;}}}" Type="String" />
</parm>
</characteristic>
</wap-provisioningdoc>
Remove Settings:
<wap-provisioningdoc id="00545f06-8906-4905-a5b0-0261fb58a7bc" name="customprofile">
<characteristic type="com.airwatch.winrt.registryoperation" uuid="278cf781-4f80-4b99-87d2-b59e50af5cb4">
<parm RegistryPath="HKLM\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls" Action="Remove">
<Value Name="1" Data="{&quot;pattern&quot;:&quot;https://cas.vidmpreview.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;XYZ_Access&quot;}}}" Type="String" />
</parm>
</characteristic>
</wap-provisioningdoc>
XML for Firefox
Install Settings:
<wap-provisioningdoc id="60705e07-26c6-499e-add3-ea8322906fa1" name="customprofile">
<characteristic type="com.airwatch.winrt.registryoperation" uuid="9d4926ae-f37f-4f34-a06d-5b81d58048f9">
<parm RegistryPath="HKLM\SOFTWARE\Policies\Mozilla\Firefox\Preferences" Action="Replace">
<Value Name="security.osclientcerts.autoload" Data="1" Type="DWORD" />
<Value Name="security.default_personal_cert" Data="Select Automatically" Type="String" />
</parm>
</characteristic>
</wap-provisioningdoc>
Remove Settings:
<wap-provisioningdoc id="60705e07-26c6-499e-add3-ea8322906fa1" name="customprofile">
<characteristic type="com.airwatch.winrt.registryoperation" uuid="9d4926ae-f37f-4f34-a06d-5b81d58048f9">
<parm RegistryPath="HKLM\SOFTWARE\Policies\Mozilla\Firefox\Preferences" Action="Remove">
<Value Name="security.osclientcerts.autoload" Data="1" Type="DWORD" />
<Value Name="security.default_personal_cert" Data="Select Automatically" Type="String" />
</parm>
</characteristic>
</wap-provisioningdoc>
Remove macOS Certificate Prompts
For macOS I am going to cover three browsers: Safari, Chrome, and Firefox.
Here we need to introduce the concept of an Identity Preference, an OS function built into the keychain (and exposed in the Keychain Access application) that "autofills" client-certificate requests for Safari and WebKit-based applications. An identity preference is associated with a client certificate; a user can create one manually in Keychain Access by right-clicking the certificate, choosing New Identity Preference, and specifying the destination URL pattern. Here we push it down with a UEM profile instead.
Configure Identity Preference for Safari
1. In the Workspace ONE UEM console, click Add > Profile > macOS > User Profile.
2. Enter a Name for the profile (such as Safari Identity Preference) and choose an assignment group consisting of your testing/validation devices.
3. Select the Credentials payload (or SCEP, depending on your CA) and click Configure.
4. Select the Defined Certificate Authority as the credential source and choose the appropriate Certificate Authority and Request Template.
5. Select the check box to allow access to all applications.
6. Enter a URL in the Identity Preference section (and optionally click Add to add up to 14 more preference URLs).
7. Click Save and Publish, then click Publish.
PS:
1. The trailing slash is important.
2. If you use a custom port such as 7443, include the port number and the trailing slash.
3. Wildcards are supported here, so something like *.vidmpreview.com works, and in that case the trailing slash is not needed.
4. In some rare situations I have seen this not work as expected until I added "(com.apple.Safari)" at the end of the URL.
5. To check that the profile landed, open Keychain Access on the test device: the preference shows up as an item of kind "identity preference" named after the URL, linked to the pushed certificate.
Configure Identity Preference for Chrome
This is a Custom Settings profile on the User channel, with only the General and Custom Settings payloads configured. See below for the Custom Settings XML (a single <dict> that UEM wraps into the profile for you).
<dict>
<key>AutoSelectCertificateForUrls</key>
<array>
<string>{"pattern":"[*.]vidmpreview.com","filter":{"ISSUER":{"CN":"XYZ_Access"}}}</string>
</array>
<key>PayloadDisplayName</key>
<string>Google Chrome Settings</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.google.Chrome.4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
<key>PayloadType</key>
<string>com.google.Chrome</string>
<key>PayloadUUID</key>
<string>4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
Configure Identity Preference for Firefox
Similarly to how it is done for Chrome, this will also be a Custom Settings profile on the User channel. See below for custom settings XML.
<dict>
<key>PayloadDisplayName</key>
<string>Firefox ESR Policies</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>org.mozilla.firefox.BCADDC78-843E-4112-936A-DAB8EEEF514C</string>
<key>PayloadType</key>
<string>org.mozilla.firefox</string>
<key>PayloadUUID</key>
<string>BCADDC78-843E-4112-936A-DAB8EEEF514C</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>EnterprisePoliciesEnabled</key>
<true/>
<key>Preferences</key>
<dict>
<key>security.default_personal_cert</key>
<string>Select Automatically</string>
<key>security.osclientcerts.autoload</key>
<true/>
</dict>
</dict>
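As an added example that is not part of the original post (nor Google's, Mozilla's or VMware's code), the following Python script builds both the Chrome and the Firefox Custom Settings payloads above with plistlib, so that each key appears once, the PayloadUUID and PayloadIdentifier stay consistent, and the AutoSelectCertificateForUrls entry is valid JSON. The pattern uses the [*.]host form of Chrome's URL pattern syntax; the domain and issuer CN are this post's placeholders.

```python
"""Build the macOS Custom Settings payloads for Chrome and Firefox as plists.

Added example, not from the original post or from Google/Mozilla/VMware. It
produces the <dict> fragments shown above with plistlib so the keys are unique
and the UUID/identifier pair is consistent. Domain and issuer CN are the
post's placeholders.
"""
import json
import plistlib
import uuid


def _payload_header(display_name, payload_type, payload_uuid=None):
    """The Payload* keys every profile payload carries; the identifier derives from the UUID."""
    pid = (payload_uuid or str(uuid.uuid4())).upper()
    return {
        "PayloadDisplayName": display_name,
        "PayloadEnabled": True,
        "PayloadIdentifier": f"{payload_type}.{pid}",
        "PayloadType": payload_type,
        "PayloadUUID": pid,
        "PayloadVersion": 1,
    }


def chrome_payload(pattern, issuer_cn, payload_uuid=None):
    """com.google.Chrome payload with one AutoSelectCertificateForUrls rule.

    pattern uses Chrome's URL pattern syntax ("[*.]example.com" matches the
    host and its subdomains); the ISSUER filter matches the signing CA's CN.
    """
    rule = {"pattern": pattern, "filter": {"ISSUER": {"CN": issuer_cn}}}
    payload = _payload_header("Google Chrome Settings", "com.google.Chrome", payload_uuid)
    payload["AutoSelectCertificateForUrls"] = [json.dumps(rule, separators=(",", ":"))]
    return payload


def firefox_payload(payload_uuid=None):
    """org.mozilla.firefox payload: enterprise policies on, OS-store certs, auto-select."""
    payload = _payload_header("Firefox ESR Policies", "org.mozilla.firefox", payload_uuid)
    payload["EnterprisePoliciesEnabled"] = True
    payload["Preferences"] = {
        "security.default_personal_cert": "Select Automatically",
        "security.osclientcerts.autoload": True,
    }
    return payload


def to_dict_fragment(payload):
    """Serialize and keep only the outer <dict>...</dict>, which is what gets
    pasted into the Custom Settings box on this page (no <?xml?>, DOCTYPE or
    <plist> wrapper)."""
    xml = plistlib.dumps(payload).decode()
    start = xml.index("<dict>")
    end = xml.rindex("</dict>") + len("</dict>")
    return xml[start:end]


def from_dict_fragment(fragment):
    """Parse a fragment back by re-wrapping it in <plist>; used to verify output."""
    return plistlib.loads(f'<plist version="1.0">{fragment}</plist>'.encode())


def rules_in(fragment):
    """Return the parsed AutoSelectCertificateForUrls rules of a Chrome fragment."""
    return [json.loads(r) for r in from_dict_fragment(fragment)["AutoSelectCertificateForUrls"]]


if __name__ == "__main__":
    print(to_dict_fragment(chrome_payload("[*.]vidmpreview.com", "XYZ_Access")))
    print(to_dict_fragment(firefox_payload()))
```

plistlib sorts the keys, so the generated fragment lists AutoSelectCertificateForUrls first, exactly like the Chrome block above; from_dict_fragment and rules_in let you paste a fragment copied out of the console back in and confirm the JSON inside the <string> still parses.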