Filter Radius Certificate Distribution By Device Group #532

Open
alister-cf opened this issue Oct 16, 2023 · 6 comments

Comments

@alister-cf

It would be nice to be able to filter the distribution of certificates to only devices that can actually use them. This would also reduce the number of commands generated unnecessarily, and also the time to distribute!

@jworkmanjc
Contributor

I think I have a planned change for you @alister-cf, I agree there's a more efficient way to do this.

@alister-cf
Author

alister-cf commented Dec 5, 2023

@jworkmanjc I ended up doing an implementation myself which might work for others too! But ultimately this is just getting a list of mobile devices and the last Jumpclouded person to access it.

As for my solution, I added the following line to lines 83-84 of Generate-UserCerts.ps1:

```powershell
if((Check-IsUsersMobileSystem -Username $MatchedUser.username -SystemDisplayName $systemInfo.displayName).Equals($false)) {continue}
```

and just imported a file that has this function, which returns true/false depending on whether it matches my criteria.

As for the code of this function, I just pull a {Device: User} KV Pair JSON blob from a web server that's automatically generated.
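
One way the filter function described in the comment above could be written, as an added example that is not the commenter's or the project's code. The function name and its two parameters come from the comment; `Import-DeviceUserMap`, the JSON shape and the sample data are assumptions, and the map is loaded once and lookups fail closed when it is missing or empty.

```powershell
# Added example: hypothetical implementation, not taken from the issue or the tool.
$script:DeviceUserMap = $null   # cached {Device: User} map, loaded once per run

function Import-DeviceUserMap {
    param(
        [string]$Uri,    # assumed HTTPS endpoint serving the generated JSON blob
        [string]$Json    # alternative: raw JSON text, used for the offline sample below
    )
    if ($Uri) {
        # Only accept the map over TLS so it cannot be altered in transit.
        if ($Uri -notmatch '^https://') { throw "Refusing non-HTTPS map source: $Uri" }
        $parsed = Invoke-RestMethod -Uri $Uri -TimeoutSec 30
    } else {
        $parsed = $Json | ConvertFrom-Json
    }
    $map = @{}   # string keys in a PowerShell hashtable compare case-insensitively
    foreach ($p in $parsed.PSObject.Properties) {
        $map[$p.Name.Trim()] = ([string]$p.Value).Trim()
    }
    # Fail closed: an empty map must not be read as "every device qualifies".
    if ($map.Count -eq 0) { throw 'Device/user map is empty; refusing to continue.' }
    $script:DeviceUserMap = $map
}

function Check-IsUsersMobileSystem {
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$SystemDisplayName
    )
    if ($null -eq $script:DeviceUserMap) { throw 'Call Import-DeviceUserMap first.' }
    $owner = $script:DeviceUserMap[$SystemDisplayName.Trim()]
    # Unknown device, blank owner or a different user: skip this user/system pair.
    return [bool]($owner -and ($owner -eq $Username.Trim()))
}

# Constructed sample data (not real devices or users).
Import-DeviceUserMap -Json '{"LAPTOP-001":"alice","LAPTOP-002":"bob","DESKTOP-010":""}'
Check-IsUsersMobileSystem -Username 'alice' -SystemDisplayName 'laptop-001'
Check-IsUsersMobileSystem -Username 'alice' -SystemDisplayName 'LAPTOP-002'
Check-IsUsersMobileSystem -Username 'carol' -SystemDisplayName 'DESKTOP-010'
```
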

@jworkmanjc
Contributor

Looks awesome, much better than doing a query every time.

@alister-cf
Author

alister-cf commented Dec 8, 2023

@jworkmanjc it's simple but way better for us. The speed improvement by not doing a lot of stuff that doesn't need to be done was significant. It used to take 3 days to generate and distribute the certs before, and generate around 5000 to 7500 machine commands; it now takes 15 minutes and only generates around 25 machine commands. Also means I can now use the rest of the tool for monitoring distribution and failures without having to wait hours and trying to avoid timeouts. We have around 150 machines and 100 users. Also allowed us to continue using groups to assign permissions for groups of devices instead of permissions for individual users per device.

@jworkmanjc
Contributor

@alister-cf if you want to chat at all, I'm interested in learning more about how you are managing the lifecycle of certs. There are some changes I'd like to make to the tool. I'd like to turn the tool into a proper PowerShell module, something you can schedule through a cron job; there's also planned work to remove the generated commands requirement. If you'd like to chat and show me anything you've done, I'm highly motivated to set up a meeting. Let me know if you want to share anything; it would be helpful for me to understand how others are using this.

@alister-cf
Author

@jworkmanjc That would be great, happy to have a meeting to discuss how we use it. We have only just started using certificates but will be looking at renews early Jan; it will just be manual for now using the scripts until I get motivated to automate it!
