Mobile Guardian supports integration with your school’s Public Key Infrastructure (PKI) and Certificate Authority (CA) to distribute trusted certificates to managed devices. This allows devices to authenticate securely to Wi-Fi networks (802.1X), VPN gateways, email servers, and internal web services without manual certificate installation.
Certificate distribution is configured within a profile and supports iOS/iPadOS, macOS, Android, Windows, and ChromeOS. This article covers how to upload CA certificates, configure certificate-based authentication, and link certificates to network and service profiles.
What You Will Learn
- How to upload root and intermediate CA certificates to Mobile Guardian
- How to distribute trusted certificates to devices via profiles
- How to link CA certificates to Wi-Fi, VPN, and SCEP configurations
- Platform-specific requirements for certificate deployment
Prerequisites
- Admin access to the Mobile Guardian Dashboard
- Your CA root certificate and any intermediate certificates in .cer, .pem, or .der format (obtain these from your PKI or network team)
- Devices enrolled in Mobile Guardian
- For Windows: admin access to the Microsoft Intune Admin Centre
- For ChromeOS: admin access to the Google Admin console
Note: If your school uses SCEP for automatic certificate enrollment, see Configuring SCEP Certificate Profiles in Mobile Guardian for the full SCEP configuration process. This article covers the foundational CA trust setup that SCEP relies on.
How Certificate Distribution Works
Certificate-based authentication follows a trust chain. Before a device can use a certificate issued by your CA (e.g. via SCEP), it must first trust the CA itself. This requires the CA’s root certificate (and any intermediate certificates) to be installed on the device.
Mobile Guardian distributes these certificates as part of a device profile. The process is:
- Upload the CA root and intermediate certificates to Mobile Guardian.
- Add the certificates to a profile (Baseline or Conditional).
- Assign the profile to devices.
- Devices receive the certificates at the next sync and add them to their trusted certificate store.
- Services that rely on certificate authentication (Wi-Fi, VPN, SCEP) can then complete the trust chain.
Uploading CA Certificates
Step 1: Navigate to Profile Settings
- Log in to your Mobile Guardian Dashboard.
- Navigate to Profiles: Click on “Profiles” in the left-hand navigation panel.
- Edit the profile: Click the pencil icon under the “Actions” column for the Baseline or Conditional profile you want to configure.
Step 2: Open the Network Configuration
- Under the profile configuration options, click on “Networks”.
- Select “Certificates”.
- Click “Add New” to upload a certificate.
Step 3: Upload the CA Certificate
- Certificate Name: Enter a descriptive name (e.g. School Root CA or Intermediate CA - 2025).
- Certificate File: Click “Upload” and select the CA certificate file from your computer (.cer, .pem, or .der format).
- Click “Save” to add the certificate to the profile.
Repeat this process for each certificate in your chain. If your PKI uses a root CA and one or more intermediate CAs, upload each one separately.
Note: The certificate file must be the public certificate only. Do not upload private keys to the dashboard.
Linking Certificates to Network Profiles
Once the CA certificates are uploaded, you can reference them in Wi-Fi, VPN, and SCEP configurations within the same profile.
Wi-Fi (802.1X Authentication)
- In the same profile, click on “Networks” > “Wi-Fi”.
- Select or create a Wi-Fi configuration that uses WPA2 Enterprise or WPA3 Enterprise security.
- Under the authentication settings, set the EAP type (e.g. EAP-TLS, PEAP).
- For Trusted Server Certificate, select the CA certificate you uploaded.
- For Identity Certificate (if using EAP-TLS), select the SCEP credential or manually uploaded client certificate.
- Click “Save”.
VPN
- In the same profile, click on “Networks” > “VPN” (if available for your configuration).
- Under the VPN authentication settings, select the CA certificate as the Trusted Server Certificate.
- If the VPN requires client certificate authentication, reference the SCEP credential or uploaded client certificate.
- Click “Save”.
SCEP
- In the same profile, click on “Networks” > “SCEP”.
- When configuring a new SCEP payload, the device will use the uploaded CA certificates to validate the SCEP server’s identity during enrollment.
- See Configuring SCEP Certificate Profiles in Mobile Guardian for full SCEP configuration steps.
Platform-Specific Considerations
iOS/iPadOS and macOS
- Certificate delivery: CA certificates are delivered as part of the MDM profile payload. No additional steps are required beyond the profile configuration above.
- Certificate storage: Certificates are installed in the device’s system trust store and are available to all apps and services.
- Supervision: Not required for certificate distribution, but supervised devices allow silent installation without user prompts.
- Certificate visibility: On iOS 15+ and macOS 12+, users can view installed certificates under Settings > General > VPN & Device Management.
Android
- Certificate delivery: CA certificates are delivered via the managed device profile through Android Enterprise (EMM) or AMA Zero-Touch.
- Certificate storage: Certificates are installed in the work profile certificate store. Only apps within the managed profile can access them.
- User prompt: Depending on the Android version and manufacturer, the user may see a notification that a CA certificate has been installed. This is expected behaviour and does not require user action.
Note: On Android, a persistent “Network may be monitored” notification may appear when a CA certificate is installed in the work profile. This is standard Android behaviour and cannot be suppressed.
Windows
CA certificate distribution on Windows is managed through Microsoft Intune.
- Sign in to the Microsoft Intune Admin Centre.
- Navigate to Devices > Manage Devices > Configuration > Create > New Policy.
- Select Platform: Windows 10 and later.
- Select Profile type: Templates > Trusted certificate.
- Click Create.
- Enter a name (e.g. School Root CA Certificate).
- Upload the CA certificate file.
- For Destination store, select Computer certificate store - Root (for root CAs) or Computer certificate store - Intermediate (for intermediate CAs).
- Under Assignments, add the Microsoft Entra ID group matching your Mobile Guardian profile.
- Click Review + Create.
Note: The Trusted Certificate profile must be deployed before any SCEP or Wi-Fi certificate profiles. Without the trusted root, devices will reject certificates issued by your CA.
ChromeOS
Certificate distribution for ChromeOS is managed through the Google Admin console.
- Sign in to the Google Admin console.
- Navigate to Devices > Networks > Certificates.
- Click Add Certificate and upload the CA certificate.
- Assign the certificate to the organisational unit containing your Mobile Guardian-managed Chromebooks.
Certificates uploaded via the Google Admin console are available to the ChromeOS system trust store and are used for network authentication and HTTPS trust.
Saving and Deploying
After uploading certificates and linking them to network profiles:
- Click “Save” on the profile.
- Navigate to the “Which Device” tab to confirm the profile is assigned to the correct devices.
- Click “Sync with Devices” to push the updated profile.
Devices will receive the certificates at the next sync. Certificate installation is silent on supervised iOS/iPadOS and macOS devices. Android and unsupervised iOS devices may show a brief notification.
Verifying Certificate Installation
From the Mobile Guardian Dashboard
- Navigate to “Devices” > “All Devices”.
- Select a device to open the device details.
- Click on the “Certificates” tab to view installed certificates.
- Confirm the CA certificate appears with the correct name and expiry date.
From the Device
| Platform | How to verify |
|---|---|
| iOS/iPadOS | Settings > General > VPN & Device Management > Management Profile > More Details > Certificates |
| macOS | Keychain Access > System keychain > Certificates |
| Android | Settings > Security > Encryption & Credentials > Trusted Credentials > User tab |
| Windows | Run certmgr.msc > Trusted Root Certification Authorities > Certificates |
| ChromeOS | Settings > Security and Privacy > Manage certificates > Authorities tab |
Troubleshooting
| Issue | Likely Cause | Resolution |
|---|---|---|
| Certificate not appearing on device | Profile not assigned or device has not synced | Verify profile assignment under “Which Device” and trigger a manual sync |
| Wi-Fi authentication failing despite certificate being installed | Incorrect CA certificate uploaded (e.g. intermediate instead of root, or vice versa) | Verify the full certificate chain with your PKI team and upload all required certificates |
| “Network may be monitored” warning on Android | Expected Android behaviour when a CA certificate is installed | No action required. Inform users this is normal for managed devices |
| Windows devices not receiving certificate | Trusted Certificate profile not deployed in Intune | Create and assign a Trusted Certificate profile in Intune before deploying SCEP or Wi-Fi profiles |
| Certificate expired | CA certificate has passed its validity period | Obtain a renewed certificate from your PKI team and upload it as a replacement |
| SCEP enrollment failing | Device does not trust the CA that issued the SCEP server’s certificate | Ensure the CA root certificate is deployed to devices before configuring SCEP |
Best Practices
- Always upload the complete certificate chain (root CA and all intermediate CAs). Missing intermediates are the most common cause of authentication failures.
- Name certificates descriptively, including the CA name and year of expiry (e.g. School Root CA - Expires 2028). This makes it easier to identify which certificates need renewing.
- Deploy CA certificates before any dependent configuration (SCEP, 802.1X Wi-Fi, VPN). The trust chain must be established first.
- Set a calendar reminder 60 days before your CA certificates expire. Certificate expiry on managed devices can cause sudden, widespread connectivity failures.
- Test the full chain on a single device before deploying to your fleet. Connect to the target Wi-Fi network or VPN to confirm authentication succeeds end to end.
- For Windows and ChromeOS, coordinate with your Intune and Google Admin administrators to ensure certificates are deployed through the correct management console.
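The trust-chain explanation, the upload note (public certificate only, root and intermediates uploaded separately) and the best practices above all come down to a few checks an administrator can run on the certificate files before touching the dashboard. The script below is an added example written for this article; it is not part of Mobile Guardian and does not talk to the dashboard. Using only the Python standard library, it accepts a .cer/.pem/.der file, refuses anything that contains a private key, reads the issuer, subject and expiry out of the DER structure, classifies the certificate as root (issuer equals subject) or intermediate, flags expiry inside the 60-day renewal window, and reports issuers that no file in the set provides (the missing-intermediate case). The sample certificates at the bottom are constructed in the script with a dummy signature so it runs offline; they are not certificates issued by any real CA, and the parser deliberately does not verify signatures.

```python
import base64
from datetime import datetime, timezone

# --- minimal DER helpers: enough to pull X.509 fields, no signature checks ---
def _tlv(buf, pos):
    """Decode one tag-length-value at pos -> (tag, value, next_pos). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a SEQUENCE/SET body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _der(tag, body):
    """Encode a TLV; used only to build the constructed sample certificates."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name_to_str(name_body):
    """Render an X.501 Name; CN (OID 2.5.4.3) is labelled, other attributes shown as hex OID."""
    parts = []
    for _, rdn in _children(name_body):                # SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            label = "CN" if oid == b"\x55\x04\x03" else oid.hex()
            parts.append(f"{label}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def load_der(data: bytes) -> bytes:
    """Accept PEM or DER; refuse files that carry a private key."""
    if data.lstrip().startswith(b"-----BEGIN"):
        text = data.decode("ascii", "replace")
        if "PRIVATE KEY" in text:
            raise ValueError("file contains a private key; upload the public certificate only")
        if "BEGIN CERTIFICATE" not in text:
            raise ValueError("PEM file has no CERTIFICATE block")
        return base64.b64decode("".join(l for l in text.splitlines() if l and not l.startswith("-----")))
    if not data.startswith(b"\x30"):
        raise ValueError("not a DER SEQUENCE; is this a certificate?")
    return data

def inspect_cert(data: bytes, now=None, warn_days=60) -> dict:
    """Subject, issuer, expiry, root/intermediate role and a renewal flag for one certificate."""
    _, cert, _ = _tlv(load_der(data), 0)
    fields = _children(_children(cert)[0][1])          # tbsCertificate
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    na_tag, na = _children(validity)[1]                # notAfter
    fmt = "%y%m%d%H%M%SZ" if na_tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    not_after = datetime.strptime(na.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    days_left = (not_after - (now or datetime.now(timezone.utc))).days
    return {
        "subject": _name_to_str(subject),
        "issuer": _name_to_str(issuer),
        # issuer == subject is the usual root heuristic; the signature is not verified here
        "role": "root" if issuer == subject else "intermediate",
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_soon": 0 <= days_left <= warn_days,
    }

def chain_gaps(blobs):
    """Issuer names that no certificate in the set provides (missing intermediates or root)."""
    infos = [inspect_cert(b) for b in blobs]
    have = {i["subject"] for i in infos}
    return sorted({i["issuer"] for i in infos if i["role"] != "root" and i["issuer"] not in have})

# --- constructed sample input: syntactically valid X.509 with a dummy signature ---
def _name(cn):
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def build_sample_cert(subject_cn, issuer_cn, not_after="281231235959Z") -> bytes:
    """Assemble a DER certificate for exercising inspect_cert(); names and dates are made up."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, not_after.encode()))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))                  # dummy signature

def sample_root_pem() -> bytes:
    b64 = base64.encodebytes(build_sample_cert("School Root CA", "School Root CA")).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n".encode()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_root_pem()
    print(inspect_cert(data))
```

Run it with the path of each file you intend to upload; a ValueError on a key file, a `role` that contradicts the name you were about to give the certificate, or `renew_soon` being true are all reasons to stop before uploading. Passing all the files in the chain to `chain_gaps()` lists any issuer the set does not contain, which is the missing-intermediate situation the troubleshooting table describes.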