Hi there,
I want to only allow users on certain machines, our laptops, to enroll for a certificate. I thought it might work with an enrollment agent, which is auto-enrolled on those computers in a specified security group, and then allow users having this key to enroll for the certificate. I modified the templates “User Signature Only” for the user certificate and “Enrollment Agent (Computer)” for the machine enrollment agents.
Only users with secured and allowed laptops should be able to use our VPN. This cannot be achieved using groups on the VPN authentication side, because users change workstations often, from mobile to desktop. So users should be auto-enrolled for a VPN certificate if they are on an approved laptop.
Now I tried to implement this in a test environment, but it seems it’s not possible for a user to get a certificate if the enrollment agent certificate is in the computer context. Is there a way to check for the computer group when enrolling the user certificate, so I wouldn’t need an enrollment agent – or is it possible to limit a user enrollment agent to a security group of computers, so the user is able to access this certificate?
Thanks for any help