Home Knowledge Base SecureW2 Documentation Third-Party CA SCEP Configuration with Intune

Third-Party CA SCEP Configuration with Intune

1. Introduction

With the Intune CA Partner integration, organizations can automate their certificate lifecycle management based on the real-time status of their devices managed by Intune. This is achieved through the SCEP Protocol and an OAuth API. The API is invoked during the SCEP enrollment process to validate that the device requesting the certificate exists in your Intune organization. SecureW2 also periodically checks Intune to ensure that devices that are deleted, have changed permissions, or have fallen out of compliance have their authorization modified appropriately. The diagram created by Microsoft below illustrates the enrollment process.

This document describes the steps to integrate SecureW2 PKI as a third-party CA with Microsoft Intune to create and auto-enroll certificates for Microsoft Intune Managed Devices using the Simple Certificate Enrollment Protocol (SCEP).

The below flowchart describes the high-level steps to set up Microsoft Intune to allow devices to enroll for digital certificates using the SCEP:

NOTE: When a device, that has been enrolled through the Intune third-party CA integration is removed from Intune, the corresponding certificates are automatically revoked in the JoinNow Management Portal.

2. Prerequisites

The following prerequisites are required to allow device enrollment for digital certificates using SCEP in Microsoft Intune:

  1. A Microsoft Online Services account with a Microsoft Intune (Microsoft Endpoint Manager) subscription and the following roles assigned in Entra ID:
    • Intune Administrator
    • Application Administrator
    • Cloud App Security Administrator
  2. A valid JoinNow Cloud Management Portal account with a Managed Device Gateway license.
  3. Permission to register an application in Azure Active Directory (AD)

NOTE: By default, when a device enrolled through the Intune third-party CA integration is removed from Intune, the corresponding certificates are automatically revoked in the JoinNow Management Portal.

3. Device Profiles in Microsoft Intune

Device profiles allow you to add and configure settings and then push those settings to devices in your organization. The following profiles are created for end-user devices to connect to the secured network using user certificates.

  • Trusted Certificate Profile for the SecureW2 RADIUS Server Root CA
  • Trusted Certificate Profile for the SecureW2 Root CA
  • Trusted Certificate Profile for the SecureW2 Intermediate (Issuing) CA
  • SCEP Profile for the SecureW2 SCEP certificate requests
  • Wi-Fi profile for secure SSID configuration

NOTE: You must create a separate profile for each platform.

4. Configure Azure

This section describes the steps to configure Azure and Intune to work with the SecureW2 PKI.

4.1 Creating a New Application

To create an app in Azure to communicate with the CA Intune core provider, follow the given steps:

    1. Log in to the Azure portal.
    2. Go to App registrations.

    3. Click New registration.
    4. On the Register an application page, enter the application’s name in the Name field.
    5. In the Supported account types section, specify who can use the application by selecting any one of the following options:
      1. Accounts in this organizational directory only (MSFT only – Single tenant)
      2. Accounts in any organizational directory (Any Microsoft Entra ID tenant– Multitenant)
      3. Accounts in any organizational directory (Any Microsoft Entra ID tenant– Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)
      4. Personal Microsoft accounts only
    6. Click Register. The following screen is displayed.
    7. Copy the Application (client) ID, Object ID, and Directory (tenant) ID values to your console. These values are required to create an Intune core provider in the JoinNow Management Portal (see the Creating an Intune CA Device Management Platform section).

4.2 Creating a Client Secret

  1. On the left pane, go to Manage and click Certificates & secrets.
  2. Click New client secret.

  3. In the Add a client secret pop-up window, enter a description of the client secret in the Description field.
  4. From the Expires drop-down list, select the expiration date of the client secret.
  5. Click Add.
  6. The client’s secret is displayed under the Value column.

NOTE: Ensure you save the client secret on your console properly, as this secret is non-recoverable.

4.3 Adding API Permissions

To provide API permission for SecureW2 to access the Entra ID, follow the given steps:

  1. On the left pane, go to Manage and select API Permissions.
  2. On the API permissions screen, click Add a permission.

  3. Select Microsoft Graph.
  4. Select Application permissions.

  5. In the Select permissions section, from the Application drop-down menu, select Application.Read.All.

  6. Click Add permissions.
  7. Click Add a permission.
  8. Select Intune.
  9. Select Application permissions.

  10. In the Select permissions section, from the Permissions drop-down menu, select scep_challenge_provider for certificate request validation, and then click Add permissions.

  11. After adding the permissions, click Grant admin consent for {your organization} to grant consent for the requested permissions.
  12. In the Grant admin consent confirmation pop-up window, click Yes.
  13. The configured APIs are displayed on the Configured permissions page.

5. Configure SecureW2

This section describes the following procedures carried out in the JoinNow Management Portal:

  • Generating the required network profiles
  • Creating a SecureW2 Intermediate CA
  • Creating an Intune Certificate Template
  • Creating a Core Provider for Intune CA
  • Creating the policies (Policy Workflow, Enrollment, and Network policies)

5.1 Getting Started

The Getting Started Wizard creates everything you need for 802.1x, including a RADIUS server, CAs, network profiles, a Landing page for onboarding BYOD devices if desired, and all the default network settings required for 802.1x.

NOTE: If you have configured SecureW2 for your network, skip this section.

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Device Onboarding > Getting Started.
  3. On the Quickstart Network Profile generator page, from the Generate Profile for drop-down list, select Internal User Authentication.
  4. From the Profile Type drop-down list, select Wireless.
  5. In the SSID field, enter a suitable name for the SSID.
  6. From the Security Type drop-down list, select WPA2-Enterprise.
  7. From the EAP Method drop-down list, select EAP-TLS.
  8. From the Policy drop-down list, select DEFAULT.
  9. From the Wireless Vendor drop-down list, select a wireless infrastructure vendor.
  10. From the RADIUS Vendor drop-down list, select SecureW2.
  11. Click Create.

    NOTE: The Getting Started wizard typically takes 60-90 seconds to create the profile.

5.2 Creating an Intermediate CA for Intune SCEP Gateway Integration

As a best practice, SecureW2 recommends having a new intermediate CA for JoinNow SCEP Gateway integration with Intune. The CA that issues certificates to BYOD devices should be separate from the CA that issues certificates to managed devices because managed devices do not require email notifications. You can disable email notifications for a dedicated CA that issues certificates to Intune-managed devices.

To create a new intermediate CA:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Click Add Certificate Authority.

  3. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  4. From the Type drop-down list, select Intermediate CA.
  5. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  6. In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that includes “SCEP.”
  7. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  8. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  9. In the Validity Period field, enter the validity period for the Intermediate CA in terms of the number of years.
  10. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select the frequency interval for which a certificate expiration notification should be sent to users.
    2. Select the Notify user on successful Enrollment checkbox to notify users after a successful enrollment.
    3. If the RFC has a valid email address, the user will receive the certificate-issued or expired notification; otherwise, they will not receive the notification.
  11. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
      • Since last usage – Select this checkbox to revoke the certificate after a specified number of days if it remains unused.
      • Since certificate issuance – Select this checkbox to revoke the certificate after a specified number of days after it is issued.
    2. From the Reason Code drop-down list, select any one of the following reasons for which the certificate is revoked.
      • Certificate Hold
      • AA Compromise
      • Privilege Withdrawn
      • Unspecified 
  12. Click Save. The new intermediate CA is generated.

5.3 Creating an Intune Certificate Template

To create an Intune Certificate Template:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click Add Certificate Template.
  3. In the Basic section, for the Name field, enter the name of the certificate template.
  4. In the Subject field, enter the following source value recommended for the Intune-specific certificate template: CN=${/csr/subject/commonname}
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  8. In the SAN section, the following configurations are the recommended values. This can be changed as per the requirements of the infrastructure and setup.
    1. In the Other Name field, enter ${/csr/san/othername}. This will fetch the Othername value (UPN) configured in Intune.
    2. In the RFC822 field, enter ${/csr/san/rfc822name}. RFC822name normally refers to the email address. But this can be configured as per the business requirement in Intune.
    3. In the DNS field, enter ${/csr/san/dnsname}. This will fetch the DNS name from the client device as per the value configured in Intune.
  9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.

  10. Click Save.

5.4 Creating an Intune CA Device Management Platform

In the JoinNow MultiOS Management Portal, create a device management platform for the Intune CA to accept requests from the Intune portal. The device management platform provides the Endpoint URI for the SCEP profiles in Intune.

  1. Go to Integration Hub > Device Management Platforms.
  2. Click Add.

  3. In the Basic section, enter the name of the device management platform in the Name field.
  4. In the Description field, enter a suitable description for the device management platform.
  5. From the Type drop-down list, select Intune CA Partner.

  6. Click Save.
  7. The page refreshes, and the Configuration tab is displayed.
  8. Select the Configuration tab.
  9. In the Client Id and Tenant Id fields, enter the values you obtained after creating a new application in the Azure portal (for more information, see the Creating a New Application section).
  10. In the Client Secret field, enter the value you obtained after creating the client secret in the Azure portal (see the Creating a Client Secret section).
  11. From the Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating an Intermediate CA for Intune SCEP Gateway Integration section).
  12. Copy the Endpoint URI to your console. You will use this endpoint URI to configure an SCEP Profile in Intune.
  13. Click Update.

5.5 Configuring Policy Management

Setting up Microsoft Intune requires three policies in the JoinNow Management Portal:

  • Policy Workflow
  • Enrollment policy
  • Network policy

NOTE: Microsoft Intune does not need a dedicated Device Role policy. You can use the Default Device Role policy in the configuration.​

5.5.1 Configuring a Policy Workflow

To configure a Policy Workflow:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.

  3. In the Basic section, enter the name of the policy workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. From the Core Provider drop-down list, select the Intune CA device management platform you created earlier (see the Creating an Intune CA Device Management Platform section).
  9. Click Update.

5.5.2 Configuring an Enrollment Policy

To configure an enrollment policy:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.

  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.

    NOTE: You must select a User Role and Device Role for enrollment. You can use a Fallback Device policy to allow enrollment based on the Policy Workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. From the Role list, select the policy workflow you created earlier (see the Configuring a Policy Workflow section).
  9. From the Device Role list, select DEFAULT DEVICE ROLE POLICY 1.

  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating an Intermediate CA for Intune SCEP Gateway Integration​ section).
  12. From the Use Certificate Template drop-down list, select the template you created earlier (see the Creating an Intune Certificate Template section).
  13. In the other settings, retain the default values.
  14. Click Update.

5.5.3 Configuring Network Policy

To configure network policy:

  1. Go to Policy Management > Network.
  2. Click Add Network Policy.
  3. In the Basic section, enter the name of the network policy in the Name field.
  4. In the Display Description field, enter a suitable description for the network policy.

  5. Click Save. The page refreshes, and the Conditions and Settings tabs are displayed.
  6. Select the Conditions tab.
  7. Select Match All or Match Any based on your requirement to set authentication criteria. In the case explained here, we are selecting Match All.
  8. Click the Add rule and select the role you want to assign to this network policy. It is essential to select the appropriate policy workflow, as it triggers the network policy. This menu offers various rules that you can select based on your business requirements.

    NOTE: You can assign a network policy to multiple user roles.
  9. Click Save.
  10. The Role option appears under the Conditions tab.
  11. From the Role Equals drop-down list, select the policy workflow you created earlier (see the Configuring a Policy Workflow section).
  12. Select the Settings tab.
  13. From the Access drop-down list, select any one of the options to allow or deny authentication requests. The default value is “Allow”.
  14. To configure MFA, select the checkbox to enable MFA.
  15. From the Perform MFA Using drop-down list, select a Core Provider for MFA.
  16. Click Add Attribute.
    1. From the Dictionary drop-down list, select an option:
      1. Radius: IETF – This is what we will use for the following attributes, as we are using standard RADIUS attributes for VLAN assignment.
      2. Custom: Used for any VSAs (Vendor-Specific Attributes).
    2. From the Attribute drop-down list, select an option.
      1. Framed-Protocol
      2. Framed-IP-Address
      3. Framed-IP-NetMask
      4. Framed-Routing
      5. Filter-Id
      6. Framed-MTU
      7. Framed-Compression
      8. Reply-Message
      9. Framed-Route
      10. Framed-IPX-Network
      11. State
      12. Class
      13. Session-Timeout
      14. Tunnel-Type
      15. Tunnel-Medium-Type
      16. Tunnel-Private-Group-ID
      17. Framed-Pool
      18. User-Name
    3. In the Value field, enter the appropriate value for the attribute.
  17. Click Save.
  18. Repeat for any other RADIUS attribute you would like to send. For reference, here is what is commonly required for VLAN Assignment:
    a. Tunnel-Medium-Type: IEE-802
    b. Tunnel-Private-Group-ID: {VLAN Name}
    c. Server
Tunnel-Type: VLAN
  19. Click Update.

6. Trusted Certificate Profiles

You should configure the Trusted Certificate Profile with the certificate of your RADIUS server certificate’s issuing authority. This is to make the devices trust your RADIUS server by validating the RADIUS server certificate. We achieve this server validation in the profile configuration by adding the Root and/or Intermediate Certificate Authority (CA) certificates that issued the RADIUS server certificate. When you assign this profile, the Microsoft Intune-managed devices receive the trusted certificates.

NOTE: For RADIUS vendors, other than the SecureW2 CloudRADIUS server, ensure that you have the Root or Intermediate CA that issues the RADIUS server certificate.

NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

6.1 Exporting the SecureW2 Root, Intermediate, and RADIUS CA

To create trusted profiles in Intune, the Root, Intermediate, and RADIUS Server CA must be uploaded in their respective profiles in the Intune Endpoint manager. To download these certificates from the JoinNow Management portal, follow the below steps:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. In the Certificate Authorities section, click the Download link for the Root CA, and intermediate CA issued to your organization (see the Creating an Intermediate CA for Intune SCEP Gateway Integration section). An example of this is explained in the below screenshot:

6.1.1 Exporting RADIUS Root CA

Similarly, for downloading the RADIUS Server Root CA:

  1. Navigate to Device Onboarding > Profiles.
  2. On the Network Profiles page, click the Edit link of the network profile configured earlier (see the Getting Started section).
  3. Scroll down to the Certificates section and click Add/Remove Certificate.

  4. Check the checkbox next to DigiCert Global Root G3 (Fri Jan 15 12:00:00 UTC 2038) as shown in the following screen.
  5. Click Update.
  6. The CA appears in the Certificates section.
  7. Click Download.

6.2 Creating Trusted Certificate Profile – Root, Intermediate, and RADIUS Root CA

The downloaded CA certificates must be uploaded to the respective trusted profiles to deploy them in the client devices. The deployment of these CA certificates is necessary to form a chain of trust during the enrollment and RADIUS authentication. Intune requires the creation of three trusted certificate profiles:

  1. Trusted Certificate Profile for Root CA
  2. Trusted Certificate Profile for Intermediate CA of the RADIUS Server certificate
  3. Trusted Certificate Profile for Root CA of the RADIUS Server certificate

To create trusted profiles in Intune:

  1. Sign in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration.
  3. Click Create and select New Policy.

  4. On the Create a profile page, from the Platform drop-down list, select the device platform for this trusted certificate. The options are:
    • Android device administrator
    • Android (AOSP)
    • Android Enterprise
    • iOS/iPadOS
    • macOS
    • Windows 10 and later
    • Windows 8.1 and later


    NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

  5. From the Profile type drop-down list, select Templates, and then select Trusted certificate.

  6. Click Create.
  7. On the Trusted certificate page, in the Basics section, enter the name of the Trusted Certificate in the Name field. For easy identification, suitable naming conventions with “Root, Intermediate, and RADIUS CA” can be used.
  8. In the Description field, enter a suitable description for the trusted certificate.
  9. Click Next.
  10. In the Configuration settings section, for the Certificate file field, click the Browse button. Select the certificate appropriate to the trusted profile being created as shown in the below table:
    Trusted Profile mapped with Intermediate CATrusted Profile mapped with Root CATrusted Profile mapped with RADIUS Server Root CA

    Upload the Intermediate CA downloaded from the JoinNow portal in 6.1 Exporting the SecureW2 Root, Intermediate, and RADIUS CA

    From the Destination store drop-down list, select  “Computer certificate store – Intermediate

    Upload the Root CA of the organization downloaded from the JoinNow portal in 6.1 Exporting the SecureW2 Root, Intermediate, and RADIUS CA

    From the Destination store drop-down, select  “Computer certificate store – Root

    Upload the Root CA of the organization downloaded from the JoinNow portal in 6.1.1 Exporting RADIUS Root CA

    From the Destination store drop-down, select  “Computer certificate store – Root

  11. Click Next.
  12. Assign the profile to the appropriate Groups and Rules, review it, and click Create.

7. SCEP Profile for SecureW2 SCEP Certificate Requests

The SCEP profile is required for end-user devices to communicate with the SCEP Server—SecureW2 CloudConnector and request the enrollment of end-user certificates.

NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

7. 1 Creating a SCEP Certificate Profile

To create a SCEP certificate profile, perform the following steps:

  1. Log in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration.
  3. Click Create and select New Policy.

  4. On the Create a profile page, from the Platform drop-down list, select the device platform for this SCEP certificate. You can select one of the following platforms for device restriction settings:
      1. Android device administrator
      2. Android (AOSP)
      3. Android Enterprise
      4. iOS/iPadOS|
      5. macOS
      6. Windows 10 and later
      7. Windows 8.1 and later


    NOTE    : You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

  5. From the Profile type drop-down list, select Templates and then select SCEP certificate.
    NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.
  6. Click Create
  7. On the SCEP certificate page, in the Basics section, enter the name of the SCEP certificate in the Name field.
  8. In the Description field, enter a suitable description for the SCEP certificate.
  9. Click Next. The Configurations settings tab opens. Two types of certificates can be issued to a client device.
    1. For Certificate Type – User
    2. For Certificate Type – Device

      The following tabular column shows the configuration values for the two SCEP profiles:
      FieldUser CertificateDevice Certificate
      Certificate type Select UserSelect Device
      Subject name formatCN= {{UserPrincipalName}} CN={{AzureADDeviceId}}
      Subject alternative name

      Configure attributes with respective value:

      • For Email ID, enter {{EmailAddress}} 
      • For User principal name, enter {{UserPrincipalName}}
      • For DNS, enter {{AzureADDeviceId}}
      • For URI, enter tag:microsoft.com,2022-09-14:sid:<value>

      Configure attributes with respective value:

      • For User principal name, enter {{Device_Serial}}
      • For DNS, enter {{AzureADDeviceId}}
      • For URI, enter tag:microsoft.com,2022-09-14:sid: <value>
      Certificate validity period Validity in number of YearsValidity in number of Years
      Key storage provider (KSP)select Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP to store the certificate’s key.
      Key usage

      Select both the Key encipherment and Digital signature checkboxes to exchange the certificate’s public key.

      • Key encipherment: Allows key exchange only when the key is encrypted.
      • Digital signature: Allows key exchange only when a digital signature protects the key.
      Key size (bits)Select 2048 or 4096 as necessary.
      Hash algorithm Select SHA-2, the highest level of security that the connecting devices support.

      1. Click + Root Certificate under the Root Certificate section.
      2. In the Root Certificate pop-up window, select the profile created earlier (see the Creating a Trusted Certificate Profile – SecureW2 Intermediate CA section).
      3. Click OK.
      4. Under the Extended key usage section, add values for the certificate’s intended purpose. In most cases, the certificate requires client authentication for the user to be able to authenticate to a server.
        1. In the Name field, enter the name of the extended key usage.
        2. In the Object Identifier field, enter a unique string of decimal numbers to identify an object.
        3. From the Predefined values drop-down list, select Client Authentication.
      5. Under the Enrollment Settings section, in the Renewal threshold (%) field, enter the percentage of the certificate lifetime that remains before the device requests renewal of the certificate. The recommended value in Microsoft Intune is 20%.
      6. In the SCEP Server URLs field, enter the Endpoint URI generated from the JoinNow Management Portal (see the Creating an Intune CA Device Management Platform section).

      7. Click Next.
      8. Assign the profile to the appropriate Groups and Rules, review it, and click Create.

8. Wi-Fi Profile for Secure SSID Configuration

Microsoft Intune includes built-in Wi-Fi settings that you can deploy to users and devices in your organization. This group of settings is called a profile, which can be assigned to different users and groups. Once you assign users a profile, they can obtain access to the network without configuring it themselves.

8.1 Creating a Wi-Fi Profile

To create a Wi-Fi Profile, perform the following steps:

  1. Sign in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration.
  3. Click Create and select New Policy.
  4. On the Create a profile page, from the Platform drop-down list, select the device platform for this trusted certificate. The options are:
    • Android device administrator
    • Android (AOSP)
    • Android Enterprise
    • iOS/iPadOS
    • macOS
    • Windows 10 and later
    • Windows 8.1 and later

      NOTE      : You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.
  5. From the Profile type drop-down list, select Templates and then select Wi-Fi.
  6. Click Create.
  7. On the Wi-Fi page, in the Basics section, enter the Wi-Fi’s name in the Name field.
  8. In the Description field, enter a suitable description for the Wi-Fi.
  9. Click Next.
  10. In the Configuration settings section, from the Wi-Fi type drop-down list, select any one of the following options:
    • Basic
    • Enterprise
  11. Configure your Wi-Fi settings and click Next.
  12. Assign the profile to the appropriate Groups and Rules, review it, and click Create.

8.2 Assign a Device Profile

After creating a profile, you must specify the devices to which the profiles are to be pushed. To assign the devices, perform the following steps:

  1. Sign in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration.

  3. Select the profile you want to assign a policy to users or groups.
  4. Scroll to the Assignments section and click the Edit link.
  5. Under the Included groups or Excluded groups section, click Add groups to add one or more Entra ID Groups. To apply the policy to all relevant devices, select Add all users or Add all devices.

    NOTE    : If you click Add all users or Add all devices, the Add groups option is disabled.
  6. On the Select groups to include page, select the Entra ID group to which the policy must be assigned and click Select to add the group.
  7. Click the Review + save button.
  8. Click Save.

8.3 Add Wi-Fi Settings for Devices Running Android

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your Android devices.

Setting Name

Configuration Step

Wi-Fi type

Select Enterprise.

Network name

Enter a name for your reference.

SSID

This setting is the real name of the wireless network that devices connect to.

EAP type

Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Select EAP-TLS.

  • Server Trust – Root certificate for server validation: Select an existing trusted Root certificate profile, created in the Creating a Trusted Certificate Profile – RADIUS Server Root CA Certificate section. This certificate is presented to the server when the client connects to the network and is used to authenticate the connection. Select OK to save your changes.
  • Client Authentication – Client certificate for client authentication (Identity certificate): Select the SCEP profile created previously in the Creating a SCEP Certificate Profile section. This certificate is the identity presented by the device to the server to authenticate the connection. Select OK to save your changes.

NOTE: Retain the default values for the Connect automatically, Connect to this network and even when it is not broadcasting its SSID attributes.

After you have configured the Wi-Fi settings, select Next and then click Create. The profile is created and displayed in the profiles list.

8.4 Add Wi-Fi Settings for iOS Devices

You can create a profile with specific Wi-Fi settings, and then deploy the profile to your iOS devices.

Setting Name

Configuration Step

Wi-Fi type

Select Enterprise.

Network name

Enter a user-friendly reference name for this Wi-Fi connection.

SSID

This setting is the real name of the wireless network that devices connect to.

EAP type

Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Select EAP-TLS.

Server Trust – Certificate server names

Add one or more common names used on your RADIUS server certificates issued by your trusted CA. For the SecureW2 RADIUS, it is: radius01.securew2.com

Root certificate for server validation

Select an existing trusted Root certificate profile, created in the Creating a Trusted Certificate Profile – RADIUS Server Root CA Certificate section. This certificate is presented to the server when the client connects to the network and is used to authenticate the connection. Select OK to save your changes.

Client Authentication – Client certificate for client authentication (Identity certificate)

Select the SCEP client certificate profile created previously in the Creating a SCEP Certificate Profile section. This certificate is the identity presented by the device to the server to authenticate the connection. Select OK to save your changes.

NOTE: Retain the default values for the Connect automatically, Connect to this network, even when it is not broadcasting its SSID, and Proxy settings attributes.

After you have configured the Wi-Fi settings, select Next and then click Create. The profile is created and displayed in the profiles list.

8.5 Add Wi-Fi Settings for macOS Devices

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your macOS devices.

Setting Name

Configuration Step

Wi-Fi type

Select Enterprise.

Network name

Enter a user-friendly reference name for this Wi-Fi connection.

SSID

This setting is the real name of the wireless network that devices connect to.

EAP type

Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Select EAP-TLS.

Server Trust – Certificate server names

Add one or more common names used on your RADIUS server certificates issued by your trusted CA. For the SecureW2 RADIUS, it is: radius01.securew2.com

Root certificate for server validation

Select an existing trusted Root certificate profile, created in the Creating a Trusted Certificate Profile – RADIUS Server Root CA Certificate section. This certificate is presented to the server when the client connects to the network and is used to authenticate the connection. Select OK to save your changes.

Client Authentication – Client certificate for client authentication (Identity certificate)

Select the SCEP client certificate profile created previously in the Creating a SCEP Certificate Profile section. This certificate is the identity presented by the device to the server to authenticate the connection. Select OK to save your changes.

NOTE: Retain the default values for the Connect automatically when in range, Connect to this network, even when it is not broadcasting its SSID, and Company Proxy settings attributes.

After you have configured the Wi-Fi settings, select Next and then click Create. The profile is created and displayed in the profiles list.

8.6 Add Wi-Fi Settings for Windows 10 and Later Devices

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your Windows 10 and later devices.

Setting Name

Configuration Step

Wi-Fi type

Select Enterprise.

Wi-Fi name (SSID)

This value is the real name of the wireless network that devices connect to.

Connection name

Enter a user-friendly reference name for this Wi-Fi connection.

EAP type

Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Select EAP-TLS.

  • Server Trust – Certificate server names: Add one or more common names used on your RADIUS server certificates issued by your trusted CA. For the SecureW2 RADIUS, it’s: radius01.securew2.com
  • Root certificate for server validation – Select an existing trusted Root certificate profile, created in the Creating a Trusted Certificate Profile – RADIUS Server Root CA Certificate section. This certificate is presented to the server when the client connects to the network and is used to authenticate the connection. Select OK to save your changes.
  • Client Authentication – Client certificate for client authentication (Identity certificate): Select the SCEP profile created previously in the Creating a SCEP Certificate Profile section. This certificate is the identity presented by the device to the server to authenticate the connection. Select OK to save your changes.

After you have configured the Wi-Fi settings, click Next and then Create. The profile is created and displayed in the profiles list.

NOTE: Retain the default values for the Connect automatically when in range, Metered Connection Limit, Single sign-on (SSO), Enable Pairwise Master Key (PMK) caching, Enable pre-authentication, and Company proxy settings attributes.

9. Troubleshooting

This section lists the common issues and the steps to resolve them. Common issues that you may encounter after the configuration is done:

  1. Certificate fails to enroll.
  2. Connection to the secure SSID fails.
  3. Error messages are displayed:
    • The “Device Creation Failed” error message is displayed on the Events page (Log in to the JoinNow Management Portal, navigate to Data and Monitoring > General Events).
    • The “SCEP enrollment failed” error message is displayed in the Intune portal.
  4. Users not assigned to the application in Microsoft Intune.

To resolve them:

  1. Check if the attributes have values and are mapped correctly. For more information, see the Creating an Intermediate CA for Intune SCEP Gateway Integration section.
  2. Make sure that the SCEP profile (in the Intune Portal) is configured to send values in the SAN attribute using the Email address (RFC822). The common attributes configured are DeviceName and AAD_Device_ID. For more information, see the Creating an Intermediate CA for Intune SCEP Gateway Integration section.
  3. Confirm if the User Role Policy is mapped to the Intune API Token as identity Provider and similarly ensure that the Enrollment Policy is mapped to the User Role and default Device Role. For more information, see the Configuring a Policy Workflow section.
  4. Ensure that the SCEP profile is configured accurately. For more information, see the Creating an Intermediate CA for Intune SCEP Gateway Integration section.
  5. Check if the RADIUS server certificate’s Trusted Root CA is mapped in the Wi-Fi profile. For more information, see the Creating a Wi-Fi Profile section.
  6. Remove the SCEP profile and push any other profile, like the Trusted Root CA profile, to confirm if the user is successful with the configuration. For more information, see the Exporting the Trusted RADIUS Server Root CA Certificate section.
  7. An administrator manually adds the users to Microsoft Intune via Microsoft 365 admin center or the Microsoft Intune admin center and assigns the license to the user accounts. For more information, see: Add users and grant administrative permission to Intune
More Microsoft Intune Explainers