Forum Discussion
Fingers crossed someone here can help me with getting pre login working for Entra Autopilot Hybrid Joining. The big pre-req for hybrid joining through Autopilot is line of sight to the DC, and I had been hoping to get that through the Pre Login feature of the Cato client. Pre Login is tested and working on already domain-joined machines, and works even if a Cato user hasn't been added to the client yet. Here's what I've been able to accomplish so far:
- Cato client installed on workstation as a line of business app.
- Device cert, root cert and intermediate cert from our domain CA pushed to cert:\localmachine\.
- Trust path verified through cert manager
- PreLogin and Subdomain registry keys pushed through a PowerShell platform script and confirmed on device
- I can ping sso.ias.catonetworks.com from the device, and if I launch the CatoClient it opens up but just sits at disconnected. I would expect it to see the reg keys, verify the certs, and then move to the limited access stage.
- BrianI, 31 days ago
I've found that once the Cato Client is installed, if I restart the CatoNetworksVPNService it will move to the limited connectivity phase which is what I need for Line of Sight to the DC. Now I just need to figure out how to make sure Cato is installed and the service gets restarted before the Offline Domain Join portion of autopilot times out.
- ErwinG, 18 days ago
Hi,
You're deploying the Cato registry keys using an Intune Platform Script. Since platform scripts run before the application deployment phase, you should be good there. Just to verify:
- The Registry Path: HKLM:\SOFTWARE\CatoNetworksVPN
- PreLogin (DWORD) with value of 1
- Subdomain (String) with your subdomain (without .via.catonetworks.com)
Then install the Cato client via Intune. If your architecture is correct, the Cato client should start and automatically create a connection using a device certificate. Autopilot will then perform the actual domain join during the device configuration phase. A few questions:
- Have you uploaded the root cert of your CA to the Cato portal? (Access / Client Access / Signing Certificates)
- Have you configured the allowed destinations (IPs, IP ranges or hosts)? (Access / Client Access / Pre Login). You should have at least the IPs of the domain controller(s) for your domain in there, your CA and possibly KMS Server.
- Do you use SCEP / NDES to deliver the device certificate to the client? The client needs a signed device certificate to authenticate and connect.
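As an added example (not code from Cato, Intune, or anyone in this thread), here is a single PowerShell platform script that sets the registry values ErwinG lists and then verifies, on the device, the three prerequisites the thread keeps coming back to: the key/value types, a machine certificate whose chain actually builds, and the state of the service BrianI had to restart. It assumes the registry path and value names exactly as given above, the service name CatoNetworksVPNService as BrianI reports it, and a placeholder subdomain you must replace.

```powershell
# Added example, not vendor code. Run as SYSTEM (Intune platform scripts do) on the Autopilot device.
$ErrorActionPreference = 'Stop'
$RegPath   = 'HKLM:\SOFTWARE\CatoNetworksVPN'
$Subdomain = 'YOUR-SUBDOMAIN'           # placeholder: account subdomain, WITHOUT .via.catonetworks.com
$Service   = 'CatoNetworksVPNService'   # service name as reported in the thread (assumption)
$issues    = @()

# 1. Registry: PreLogin must be a DWORD of 1, Subdomain a String. Create the key if it is missing.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name 'PreLogin'  -PropertyType DWord  -Value 1          -Force | Out-Null
New-ItemProperty -Path $RegPath -Name 'Subdomain' -PropertyType String -Value $Subdomain -Force | Out-Null

# Read the values back instead of trusting the write; a wrong type or a full FQDN is a common slip.
$props = Get-ItemProperty -Path $RegPath
if ($props.PreLogin -ne 1) { $issues += "PreLogin is '$($props.PreLogin)', expected DWORD 1" }
if ([string]::IsNullOrWhiteSpace($props.Subdomain)) { $issues += 'Subdomain is empty' }
elseif ($props.Subdomain -like '*.via.catonetworks.com') { $issues += 'Subdomain must not include .via.catonetworks.com' }

# 2. Device certificate: an unexpired machine cert with a private key whose chain builds to a trusted
#    root in the LocalMachine stores (this is where a missing intermediate shows up).
$devCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if (-not $devCerts) {
    $issues += 'No unexpired machine certificate with a private key in Cert:\LocalMachine\My'
} else {
    $chainOk = $devCerts | Where-Object { Test-Certificate -Cert $_ -Policy Base -ErrorAction SilentlyContinue }
    if (-not $chainOk) { $issues += 'No machine certificate builds a trusted chain; check root/intermediate in LocalMachine' }
}

# 3. Service: report if the client is not installed yet, and (re)start it if it is not running.
$svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
if (-not $svc) {
    $issues += "Service $Service not found; the client is probably not installed yet"
} elseif ($svc.Status -ne 'Running') {
    Restart-Service -Name $Service
    $issues += "$Service was $($svc.Status); restarted it"
}

# A non-zero exit code makes the script show as failed in Intune, with the reasons in the output.
if ($issues) { $issues | ForEach-Object { Write-Output "CHECK FAILED: $_" }; exit 1 }
Write-Output 'Pre-login prerequisites look correct on this device.'
```

If the client is already installed when the script runs, you can restart the service unconditionally instead of only when it is stopped, which matches what BrianI observed gets the client into the limited connectivity phase.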