Classroom – Identity Certificate Management

Overview

FileWave 11.1 includes support for Apple Classroom. The setup recommended by Apple for MDM providers is to have one root CA, intermediate CAs for leaders (teachers) and members (students) and one certificate per device. This requires a UI where administrators can generate, view and manage those certificates: creating the initial root CA and intermediate CAs, and renewing or revoking certificates.

In the Admin

Dashboard

The first place where you might see anything related to Classroom is the dashboard. By default, it checks whether all the certificates are OK. It goes into a warning state (yellow) if a certificate is about to expire (in less than 30 days) or if the whole Classroom CA/certificate chain is absent. It goes into an error state if at least one of the certificates has already expired.

In case of a warning or error, you can click "Go to settings"; it will ask for the superuser credentials and whether you want to create the default CA/certificates (see below for how to proceed).

image.png

After it has refreshed (this can take a few seconds), it will look like this:

image.png

Preferences

The certificate management UI is available in the Preferences, in the Education section, on the Apple Classroom tab. Click "Manage Certificates" to open the Classroom certificate management UI. You will need to enter fwadmin credentials.

image.png

The first time you open the Manage Certificates dialog, no certificates exist at all. Therefore, FileWave Admin asks you whether you want to generate the certificates:

image.png

As part of the process, a private key for the root CA certificate is generated. FileWave does not store a copy of this private key. It is your responsibility to store this key in a secure location, as you can see in the warning that is displayed.

image.png

FileWave will ask you to store the private key as soon as the certificate generation is completed successfully. The private key is a PKCS #8 key stored in DER format. FileWave Admin saves this private key on the local disk of the computer where it is running and sets restrictive permissions on the file. You will need to provide this private key when renewing or revoking certificates. The default file name is "FileWave Classroom Private Key.key" and it is stored on the Desktop by default. If you press Cancel or the Esc key by mistake while in the save dialog, FileWave stores the private key in the default location anyway, so you won't need to regenerate the root CA.
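
An added example, not FileWave code: a Python check an administrator could run against the saved key file to confirm that it is a PKCS #8 DER structure and that only its owner can access it. The sample bytes are constructed placeholders, the function names are hypothetical, and the permission check assumes a POSIX system (macOS or Linux).

```python
import os
import stat

# Constructed sample: PKCS #8 layout (Ed25519 OID) with placeholder key bytes, not a real key.
SAMPLE_PKCS8 = bytes.fromhex("300e020100300506032b657004020400")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_key(data):
    """Classify key bytes: 'pkcs8-der', 'pkcs8-der-encrypted', 'pem' or 'not-pkcs8'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, start, end = read_tlv(data, 0)
        if tag != 0x30 or end != len(data):  # must be one outer SEQUENCE, no trailing bytes
            return "not-pkcs8"
        t1, v1, e1 = read_tlv(data, start)
        t2, _, e2 = read_tlv(data, e1)
        if t1 == 0x30 and t2 == 0x04:  # EncryptedPrivateKeyInfo: SEQUENCE, OCTET STRING
            return "pkcs8-der-encrypted"
        # PrivateKeyInfo: INTEGER version, SEQUENCE algorithm, OCTET STRING key
        if t1 == 0x02 and data[v1:e1] in (b"\x00", b"\x01") and t2 == 0x30:
            if read_tlv(data, e2)[0] == 0x04:
                return "pkcs8-der"
    except (IndexError, ValueError):
        pass
    return "not-pkcs8"

def audit_key_file(path):
    """Return a list of findings for the key file; an empty list means no issue found."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {mode:03o} grants group/other access to the key")
    with open(path, "rb") as fh:
        kind = classify_key(fh.read())
    if not kind.startswith("pkcs8"):
        findings.append(f"unexpected key format: {kind}")
    return findings
```

The structural check distinguishes PKCS #8 from PEM text and from traditional PKCS #1 or SEC1 DER keys; it does not validate the key material itself.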

The dialog displays the certificates in a tree structure, where the root CA certificate is the top level item in the tree and child certificates appear as child items. The serial number and the expiry date of each certificate are also displayed next to it. Certificates that will expire in less than one month are displayed with a yellow background, while expired certificates are displayed with red letters. You can sort by any column and filter certificates by typing some criteria in the search box and pressing Enter.

image.png

You can renew and revoke any certificate. To do so, select one or more certificates. The view supports multiple selection by holding the Ctrl key (⌘ on Mac) and clicking entries. You can then either right-click to get a context menu or use the corresponding buttons in the lower left corner of the dialog. When revoking a certificate, all its child certificates will also be revoked. The certificate and its child certificates will be renewed automatically right after revocation.

You don't need the private key for renewing or revoking leader or member certificates. However, renewing/revoking any intermediate CAs requires the private key of the Root CA that was generated before. The first time you renew or revoke an intermediate CA certificate, you will be asked to open the private key. It will be remembered for the duration of the dialog, so you won't need to open it again for any subsequent operations on CA certificates, unless any operation fails. If you close the dialog and open it again later, you will need to provide the private key again for renewing/revoking CA certificates.