For both MindLink Anywhere and MindLink Mobile it is essential that you provide appropriate certificates with the correct attributes in order to utilize the web authentication feature in the MindLink Anywhere Management Center, and to adhere to Apple's ATS requirements.
It is also a mandatory requirement that the key length is set to 2048 bit as by default this is the lowest level of encryption supported by the authentication token mechanism.
Generating a Certificate
If you are using a publicly signed Certificate, signed by a Certificate Authority such as Geotrust or Verisign then it is suggested that you use the Skype Bootstrapper tool bundled as part of the Skype installation executable. If you are using a locally signed certificate then you will need to ensure that the Certificates Root-CA is authorised on the end-user's device. A certificate is required in each of the following cases:
- If MindLink is being served over HTTPS, a client-facing certificate is required.
- The subject name must match the DNS name of the URL by which MindLink is accessed.
- The issuer must be trusted by all client machines - i.e. a public CA may be required if clients are accessing via the internet.
- A certificate is needed to perform MTLS with the Skype for Business frontend servers.
- The subject name must match the FQDN of the server on which MindLink is hosted.
- The issuer must be trusted by the Skype for Business frontend - i.e. an enterprise internal CA will be acceptable providing both Skype for Business and MindLink servers trust the same CA.
Each server certificate must include:
- EKU property for "Server Authentication"
- A CRL distribution point
- Subject name should be the FQDN of the server
- Private key
In addition to the above pre-requisites for MLA, the MCE certificate must specify EITHER both the "Server Authentication" and "Client Authentication" Extended Key Usages (EKUs) OR specify no EKUs.
The same certificate may be used for both roles only if the issuing CA is trusted by all client computers and the Skype for Business frontend server. The DNS name on which MindLink will be accessed via HTTP is the same as the FQDN of the machine, or the certificate has SANs for the public DNS name and the FQDN. These instructions are aimed at customers using an Internally Signed Certificate
As of January 2017 Apple has stated that apps and their subsequent servers have to be ATS compliant, ensuring all traffic is encrypted. This means it is a pre-requisite that your Windows Server has been configured to utilise the TLS 1.2 protocol. Example for enabling TLS 1.2 on the MindLink Server
Manage ATS requirements (MindLink Mobile). for iOS 10.3+ devices, the initial callback on port 7074 must be HTTPS so the service needs to be secured by an SSL certificate.
- this is one way to enable TLS 1.2 , but please consult your local deployment administrators before proceeding **
the following link will run through how to set this up using the registry edit tool: https://technet.microsoft.com/en-us/library/dn786418%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_SchannelTR_TLS12
Apple Push Notification Service
This is the service responsible for push notifications on iOS devices. To correctly configure this service a certificate must be supplied through the management tool. These certificates are supplied within the .Zip files that can be download from www.mindlinksoft.com
The .Zip file contains the certificates, which must be installed on the server. This process is similar to the one described above.
1 - From the MindLink Server, Launch an instance of MMC (Start > Search 'mmc')
2 - Click File > Add /Remove Snap-In...
3 - Click Certificates > Add > Computer Account > Next > Finish > OK
4 - Navigate to the Certificate folder within the Personal Store
5 - Right Click in a Blank Area of the center pain and select All Tasks > Request a New Certificate
6 - Click Next to begin the Wizard. Select Active Directory Enrolment Policy and click Next
7 - Set Computer checkbox to True and click Enrol
8 - Click Finish
9 - Right Click your newly created certificate and go to: All Tasks > Manage Private Keys. If this is not available the certificate has no Private key and will not work.
10 - In the dialogue Box that appears, click Add and add permissions for the Service Account that will run MindLink, and click Check Names. This step is only required for Email connector or Social connector, the other products will automatically assign permission
11 - Click OK
12 - Ensure that the permissions are set to Full Control and click OK