We would like to use an enrollment agent for the provisioning team that will be provisioning smart cards for end users, so that end users don't have to do the enrollment themselves. However, the concern is that they will thereby be able to enroll a smart card for the Domain Admins as well. Is there a way to restrict the enrollment agent so that it cannot be misused this way?
We are using the versa-sec software for smartcard management.
Thanks and regards, -Ravi

Restricting who enrollment agent can enroll for
- Last Post 21 September 2016
Ravi.Sabharanjak
posted this
20 September 2016
hcoleman
posted this
20 September 2016
Ravi.Sabharanjak
posted this
20 September 2016
I had not, thank you!

BrianB
posted this
21 September 2016
Brainstorming here…
If you are using an Enterprise CA, you could create a new template and then you could set up security to deny enroll and auto enroll on the certificate template so that Domain Admins can't enroll. Granted, a domain admin can add themselves to Enterprise Admins and modify the template later, but that is a manual process that you could set monitoring and alerting on.
Brian Britt
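
Added example, not part of any post in this thread: a PowerShell check that a certificate template still carries the Deny ACEs for Enroll and Autoenroll that BrianB describes, which can be run on a schedule to support the monitoring he mentions. It assumes the RSAT ActiveDirectory module is installed; the template name `SmartcardProvisioning` and the function name are hypothetical.

```powershell
Import-Module ActiveDirectory

# Extended-right GUIDs that certificate templates use for enrollment permissions.
$EnrollmentRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}

function Test-TemplateDenyAce {
    param(
        [string]$TemplateName = 'SmartcardProvisioning',  # hypothetical template name
        [string]$Principal    = 'Domain Admins'
    )

    # Templates live in the forest-wide Configuration naming context.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    # Keep only Deny ACEs for the principal that target Enroll or Autoenroll.
    $acl = Get-Acl -Path "AD:\$dn"
    $deny = $acl.Access | Where-Object {
        ($_.AccessControlType -eq 'Deny') -and
        ($_.IdentityReference.Value -like "*\$Principal") -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $EnrollmentRights.ContainsKey($_.ObjectType.ToString())
    }

    $found   = @($deny | ForEach-Object { $EnrollmentRights[$_.ObjectType.ToString()] } | Sort-Object -Unique)
    $missing = @($EnrollmentRights.Values | Where-Object { $found -notcontains $_ })

    # whenChanged shows when the template object was last modified in AD.
    $obj = Get-ADObject -Identity $dn -Properties whenChanged

    [pscustomobject]@{
        Template    = $TemplateName
        Principal   = $Principal
        DenyPresent = $found -join ', '
        DenyMissing = $missing -join ', '
        WhenChanged = $obj.whenChanged
        Compliant   = ($missing.Count -eq 0)
    }
}

$result = Test-TemplateDenyAce
$result
if (-not $result.Compliant) {
    Write-Warning "Deny ACE missing on '$($result.Template)' for $($result.Principal): $($result.DenyMissing)"
}
```

A change in `WhenChanged` between runs, or `Compliant` turning false, is the signal to review who modified the template.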