[Win10] Limiting users that can log into a workstation using Restricted Groups CSP

The title speaks for itself. It is a useful capability for shared workstations and other scenarios where PC access needs to be limited. The credit goes to this blog post on EMM.how; you can read it for the full details and pictures. I just want to make a few points that I’ve taken out of that post and add some of mine.


Simplifying LetsEncrypt on Windows – CryptLE automation

In this post we will talk about using CryptLE on Windows to quickly generate and renew certificates for your virtual appliances with LetsEncrypt (which was not originally designed to provide certificates for virtual appliances).

Preface

Being the cheap smart person that I am, I run my small cloud setup (domain + SSL) completely for free. For DNS I am using ClouDNS and can wholeheartedly recommend them (3 free domains, easy UI, all the features you need for a small-size operation, including web redirect and mail forwarding). For SSL I am using LetsEncrypt.

LetsEncrypt is awesome, but it was designed for web servers, where things can be highly automated, secure and worry-free. But when you need to generate a cert that has to be manually uploaded onto a virtual appliance (such as UAG) – things get a lot more complicated. Suddenly, many LE clients don’t even support this mode! In my case, when I started with LetsEncrypt, no Win32 agent known to me supported issuing a certificate for a different hostname, so I had to deploy a Linux VM, deal with manual DNS challenges (according to my good colleague Alexey Rybalko, there is a DNS provider that does it for you, but $$$), copy the certs to my Windows laptop, from which I then had to deliver the certs further. Oh, the mess!…

All this time I was keeping an eye on other Win32 LE clients, in case I had missed something, and I’ve found one that does it better. Enter CryptLE!

So, why is this better?

  1. Native Win32
  2. Supports standalone, SAN and wildcard certs
  3. Can generate a proper LetsEncrypt account so you don’t have to deal with manual DNS challenges every time you renew your cert
  4. Simple to deploy – one executable
  5. Simple to use – one-time setup, and then just automate the way you like. I just wrote a CMD file (see below)

Setting up CryptLE

First, we download the 32/64 bit version from https://github.com/do-know/Crypt-LE/releases

Then we read the first time setup guide: https://zerossl.com/usage.html#First_time_run_and_regular_use

Since we don’t want to use manual challenges every time we renew, we will use crypto keys to authenticate instead. We need one domain key per domain that we want to use, and one account key (the same for all our domains). You can use OpenSSL to generate the RSA keys yourself, as the guide recommends, or you can let LE64 generate all that for you with the --generate-missing parameter, as you will see in the next section.

That’s it!

Issuing the certs

In my case I wrote a CMD file that generates a wildcard cert. You need to replace the placeholder parts (the account key file name, the e-mail address and the PFX password) with your own parameters.

REM gen_wildcard.cmd - usage: gen_wildcard.cmd domain.com (issues a cert for *.domain.com)
REM %1 is the domain passed on the command line; replace the account key file name,
REM the e-mail address and PFX_PASSWORD with your own values.
.\le64.exe ^
-key .__LETSECRYPT_ACCOUNTKEY_PRIVATE.pem ^
-email your_email@your_domain.com ^
-domains "*.%1" ^
-crt "%1-wildcard.crt" ^
-csr-key "%1-wildcard.key" ^
-csr "%1-wildcard.csr" ^
-export-pfx "PFX_PASSWORD" -tag-pfx "*.%1" ^
-handle-as dns -api 2 -live ^
-generate-missing

Then you just run it as gen_wildcard.cmd domain.com to get a wildcard cert for *.domain.com stored in a file.

In fact, you get four files, all of which are important!

  • .KEY (cert private key) and .CSR (cert signing request, signed with the above key) – these are the files that allow you to skip the DNS challenge next time you renew. Keep them! But if you lose them – no problem, you will just have to go through the DNS challenge again
  • .CRT – this is a BASE64 encoded public cert (also known as PEM). It alone is enough in most cases, but remember that the private key is stored separately in the KEY file, should you need it.
  • .PFX – this is the cert with the key inside in the PFX format, protected with the password you set in the batch file. Different systems require different formats so I always generate both PEM and PFX. Typically PFX is easier for manual installs, and PEM/KEY is easier for automated installs, such as UAG deployment via the INI file.

This is all there is to it!
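As an added example (not code from the original post or from the Crypt-LE project), here is a PowerShell wrapper around the gen_wildcard.cmd flow above. It reads the existing .crt, calls le64.exe with the same parameters as the batch file only when fewer than a chosen number of days remain, and then checks that the four output files are consistent: the PFX opens with the password, carries the private key, is the same certificate as the PEM .crt, and is issued for the wildcard name. It assumes le64.exe and the account key file sit in the current directory; the e-mail address and PFX password are placeholders to replace, exactly as in the batch file.

```powershell
# Added example, not from the original post or the Crypt-LE project.
# Renew-Wildcard.ps1 - usage: .\Renew-Wildcard.ps1 -Domain domain.com
param(
    [Parameter(Mandatory)][string]$Domain,                          # domain.com -> *.domain.com
    [string]$Email = 'your_email@your_domain.com',                  # placeholder, replace
    [string]$AccountKey = '.__LETSECRYPT_ACCOUNTKEY_PRIVATE.pem',   # same file as the batch file
    [string]$PfxPassword = 'PFX_PASSWORD',                          # placeholder, replace
    [int]$RenewDays = 30                                            # LE certs live 90 days
)

$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$Crt = "$Domain-wildcard.crt"
$Key = "$Domain-wildcard.key"
$Csr = "$Domain-wildcard.csr"
$Pfx = "$Domain-wildcard.pfx"

# Returns $true when there is no certificate yet or it expires within $Days.
function Test-NeedsRenewal {
    param([string]$CertPath, [int]$Days)
    if (-not (Test-Path $CertPath)) { return $true }
    # The .crt holds the full chain; the constructor loads the first (leaf) certificate.
    $leaf = New-Object $X509 -ArgumentList $CertPath
    $daysLeft = ($leaf.NotAfter - (Get-Date)).TotalDays
    Write-Host ("{0}: {1:N0} days left, expires {2:u}" -f $CertPath, $daysLeft, $leaf.NotAfter)
    return ($daysLeft -lt $Days)
}

# Same parameters as gen_wildcard.cmd; the wildcard is passed as "*.domain".
function Invoke-Le64Wildcard {
    & .\le64.exe -key $AccountKey -email $Email -domains "*.$Domain" `
        -crt $Crt -csr-key $Key -csr $Csr `
        -export-pfx $PfxPassword -tag-pfx "*.$Domain" `
        -handle-as dns -api 2 -live -generate-missing
    if ($LASTEXITCODE -ne 0) { throw "le64.exe exited with code $LASTEXITCODE" }
}

# Post-issuance checks on the four files described above.
function Test-IssuedFiles {
    foreach ($f in $Crt, $Key, $Csr, $Pfx) {
        if (-not (Test-Path $f)) { throw "missing output file: $f" }
    }
    $leaf   = New-Object $X509 -ArgumentList $Crt
    $bundle = New-Object $X509 -ArgumentList $Pfx, $PfxPassword   # throws on a wrong password
    if (-not $bundle.HasPrivateKey) { throw "$Pfx does not contain the private key" }
    if ($bundle.Thumbprint -ne $leaf.Thumbprint) { throw "$Pfx and $Crt are different certificates" }
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName = $leaf.GetNameInfo($dnsType, $false)
    if ($dnsName -ne "*.$Domain") { throw "certificate is for '$dnsName', expected '*.$Domain'" }
    Write-Host "OK: $Crt / $Pfx valid until $($leaf.NotAfter), thumbprint $($leaf.Thumbprint)"
}

if (Test-NeedsRenewal -CertPath $Crt -Days $RenewDays) {
    Invoke-Le64Wildcard
    Test-IssuedFiles
} else {
    Write-Host "Nothing to do; run again closer to expiry."
}
```

Scheduling this script daily (for example with Task Scheduler) gives you the unattended renewal the post describes: on the first run the DNS challenge is still interactive, and every later run is silent as long as the account key, .key and .csr files stay in place. The thumbprint comparison is the useful part: it catches the case where an older PFX is left next to a freshly issued CRT and you end up uploading the wrong one to the appliance.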

Notes

  1. Note that the first time you run the file, you will have to go through the manual DNS challenge – this is unavoidable, you have to prove ownership of the domain. But the next time you do it, it will all be automated, provided you kept the KEY and CSR files. A renewal run then looks like this:
     Loading an account key from .__LETSECRYPT_ACCOUNTKEY_PRIVATE.pem
     Loading a CSR from <domain>.csr
     Registering the account key
     The key is already registered. ID: ...
     Current contact details: <my email here>
     Received domain certificate, no validation required at this time.
     Requesting issuer's certificate.
     Saving the full certificate chain to <domain>.crt.
     Exporting certificate to <domain>.pfx.
     The job is done, enjoy your certificate!
  2. Another nice effect of having the account key and email is that LetsEncrypt will be sending you the expiration reminders – in the past I almost always missed the deadlines 🙂
  3. Finally, you can issue SAN certificates too – just specify several domains in the -domains parameter. You will probably not run this in a standard batch file, but it is totally doable – I did it.

Summary

We’ve just seen how we can use LE64 / ZeroSSL CryptLE to issue LetsEncrypt certificates (including wildcard and SAN) with minimal effort on Windows machines. Was it useful for you? Are you using a better solution? Let me know in the comments!

Update

If you have Windows servers on which you want to update the certificates using LetsEncrypt (directly), check out this post by my good colleague Roch Norwa: https://digitalworkspace.blog/2020/01/03/automating-lets-encrypt-cerificates-lifecycle-for-horizon-and-unified-access-gateway/

VMware Launcher on Android Enterprise – nuances

I regularly get questions from customers and partners who used kiosk mode on older Device Admin devices with VMware (then AirWatch) Launcher, and have had issues since they migrated to Android Enterprise and Launcher 4.0+.

In this post you will learn how to:

  • Solve the most frequent (and annoying) issue when migrating Launcher setups to AE
  • Find further settings for Launcher, which are not exposed in the GUI, and apply them via custom XML
  • Control Launcher versions per OG using Settings and Inheritance.

Remediate the Pixel4 and Galaxy S10 biometric security flaws with Workspace ONE

I am pretty sure you’ve heard already about the issues with the Samsung Galaxy S10 fingerprint sensor and Google Pixel 4 Face Unlock. Both companies have acknowledged the issues and committed to releasing the patches “soon” (Samsung is said to be testing fixes in certain countries already). What can you do in the meantime? With Workspace ONE and Android Enterprise it is easy!


Hidden TCPdump and ETHtool on VMware UAG

VMware UAG (Unified Access Gateway) is a cool little security appliance, deployable on vSphere, AWS, Azure etc., that hosts a lot of Workspace ONE edge services: Horizon Proxy, Web Reverse Proxy, Tunnel VPN Gateway, Content Gateway and (since 3.6) the Secure Email Gateway. The challenge is that the thing was built to be headless and super-secure, which means it is almost bare inside. And this is not helpful when troubleshooting.

While watching a VMworld 2019 session (link at the bottom) I found out that there is actually a hidden tcpdump and ethtool installer, which was first made for our own support services but is generally available to everyone now.

All you need to do is invoke the /etc/vmware/gss-support/install.sh command from the UAG CLI. Of course, it is highly advisable to remove the tools via /etc/vmware/gss-support/uninstall.sh once the troubleshooting is done!

ADV1798BU – Unified Access Gateway Securing Virtual Desktop and App Access

In case you need a refresher on TCPdump and ETHtool:

With TCPdump I usually prefer capturing everything into a PCAP file and then loading it in WireShark for analysis. Then we only need NetCat to be able to stream it conveniently to a remote host.

That is it for today – enjoy, and let me know if it was helpful!

The shortest longest Android 10 review post


I’ve been planning and preparing and researching for my Android 10 Overview post for a while now, and then I found this monster of a review from Ron Amadeo on Ars Technica (instant subscribe!)

https://arstechnica.com/gadgets/2019/09/android-10-the-ars-technica-review/

Basically, I have very little to add. The review is huge, though, and will take a while. If you want to focus, read these enterprise-relevant sections:

And then the official Android Enterprise changelog from Google, which has still not been added to the TOC on the release notes page 🙂

Once we get those new features supported in Workspace ONE (and I get an extra Android10 device) I’ll post something more detailed.