New York public school cooperative Erie 1 BOCES was looking for a solution to authenticate mobile devices for Wi-Fi access. After success in the request-for-proposal process, Microsoft partner PrimeKey implemented its EJBCA Enterprise certificate issuance and management system, which works with Microsoft Azure and Microsoft Intune. Erie 1 BOCES integrated EJBCA Enterprise with Microsoft Intune in about two weeks and issued certificates to thousands of devices. Now there are plans to extend this deployment to thousands of other devices as well.
A growing need for remote management of devices
Erie 1 Board of Cooperative Educational Services (BOCES) delivers technology and support to more than 100 school districts across seven counties in New York. It was established as a way for local school districts to collaborate on services and reduce their individual expenses.
Along with his colleagues, Steven Duckworth, Chief Microcomputer Technical Support Specialist, had been transforming the cooperative’s approach to managed IT services. Erie 1 BOCES and its districts already used Microsoft Azure Active Directory and Microsoft Office 365, so it made sense to turn to Microsoft Intune for corporate device management. With the onset of the COVID-19 pandemic, districts started to inquire about remote management of Windows devices and Intune for remote instruction. Intune would enable IT staff to enroll their laptops to push apps, policies, and certificates to those devices to authenticate them against their Wi-Fi network, but Duckworth also required a third-party solution.
“It was important to authenticate devices in a secure manner, which required a public-facing certificate management solution, since the devices were bound to Azure AD,” Duckworth said.
During the request-for-proposal process, Erie 1 BOCES rejected vendors that were charging per certificate.
“I started doing the math. If each device required a certificate across dozens of districts, the costs would be astronomical: more than $250,000 per year,” Duckworth said.
PrimeKey stood out for its flexibility and cost-effectiveness.
Delivering public key infrastructure solutions
PrimeKey, part of Keyfactor, produces public key infrastructure (PKI) and digital signing solutions. The Microsoft Intelligent Security Association member operates across the globe, with offices in Sweden, Germany, France, the United States, and Australia.
PrimeKey's EJBCA Enterprise, available in the Azure Marketplace, serves as a comprehensive PKI solution for users, software, and Internet of Things (IoT) devices. EJBCA Enterprise includes everything needed to issue and manage certificates with certificate authorities, registration authorities, and validation authorities. It provides native support for Azure Key Vault and supports all common – and many uncommon – PKI architectures. Azure Key Vault is a cloud service for securely storing and accessing API keys, passwords, certificates, or cryptographic keys. Its certificate management allows users to provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and internal connected resources.
Cloud-based deployment enables remote management and scalable licensing. EJBCA Enterprise also integrates with Intune and third-party PKI and certificate management.
Deploying EJBCA
Erie 1 BOCES required EJBCA to be deployed as a PKI solution to implement a new root certification authority and subordinate certification authorities, along with a registration authority and a validation authority. During the discovery working sessions, PrimeKey gathered and reviewed Erie 1 BOCES' requirements. In the implementation sessions, PrimeKey worked with Erie 1 BOCES to deploy the EJBCA PKI.
Certificates are issued to end-user workstations (primarily laptops) within the Erie 1 BOCES environment. Their main purpose is to validate workstations for access to Erie 1 BOCES’ internal wireless network. Validation authority services and certificate revocation lists are provided by dedicated EJBCA nodes.
After a smooth deployment of EJBCA Enterprise, Erie 1 BOCES integrated it with Intune and issued certificates to thousands of devices for students and faculty members. Now there are plans to extend this deployment to thousands of other devices as well.
“EJBCA is scalable, cost-effective, and easy to use, which enables our organization to remotely enroll and authenticate Intune-managed devices for students and faculty across many school districts and counties,” Duckworth said.
“We are always proud to be involved with projects that improve our education system,” said Harry Haramis, SVP of Cloud & SaaS Marketplaces at PrimeKey. “It was critical for Erie 1 BOCES of New York State to provide secure connectivity to so many users, as easy as possible. The only way this was achievable was through Microsoft Intune and EJBCA coming together.”