API Gateway Solutions for Managed Device Certificate Enrollment

In typical Microsoft Intune SCEP certificate issuance, Intune simply sends a SCEP URL which managed devices access to issue certificates. But if you issue certificates this way, there’s the potential risk of an unauthorized device gaining access to the SCEP URL and requesting its own SCEP certificate template.

With our Intune SCEP certificate issuance platform, we integrate seamlessly with Intune. Before our PKI issues certificates, we can verify the device requesting the certificate exists in Intune. Additionally, our Intune CA partner integration allows us to automatically revoke certificates when a device is retired, wiped, or deleted in Intune. This further automates the client certificate lifecycle, making it simple for administrators to manage each SCEP certificate. It also prevents someone from abusing your Intune SCEP configuration, as it implements a user/device lookup during the Intune SCEP process. The SecureW2 solution enables hassle-free certificate distribution and management with these integrations, freeing IT managers to concentrate on important tasks without sacrificing security.

Our integration with Jamf Pro works very similarly to our Intune SCEP integration mentioned above. Thanks to advanced integration options, our certificate authority platform can leverage the smart/static groups you build in Jamf Pro to automatically revoke certificates. Our PKI will check Jamf Pro every several minutes and revoke certificates from devices added to these groups, ensuring your revoked certificates are always up-to-date.

This integration improves network security because resources may only be accessed by authorized users holding valid SCEP certificates. The partnership between SecureW2 and Jamf Pro ensures an effective and safe network authentication process.

SecureW2's certificate authority management platform interfaces smoothly with all major MDMs, including Workspace One, Jamf Pro, Intune, and MobileIron, to provide full SCEP certificate management. Our solution allows you to distribute and renew certificates for zero-touch device enrollment using a wide range of API gateways like SCEP, WSTEP, JSON, OpenID Connect, OAuth, and more. 

With Intune and Jamf Pro, our PKI also supports automatic certificate revocation. Integrating our cloud PKI services with your chosen MDM is easy by setting up the platform and instructing devices to enroll in certificates automatically.

For flexible device enrollment, SecureW2 further supports WSTEP, JSON, and OpenID Connect protocols in addition to Simple Certificate Enrollment Protocol (SCEP). Furthermore, our Chromebook extension streamlines certificate enrollment for managed Chromebooks, eliminating user-downloaded software requirements.

Whether integrating with Intune, Jamf Pro, or any other MDM, organizations benefit from diverse enrollment choices adapted to their unique requirements. SecureW2 makes certificate-based authentication simple and accessible by streamlining your ability to issue certificates to all your mobile devices.

When it comes to enrolling for a SCEP certificate for a managed device, the end-user doesn’t need to see or do anything. Most users have no idea their device is using a certificate.

The certificate signing request process is handled entirely on the backend by our cloud PKI service and the MDM. The MDM simply pushes the Wi-Fi profile (if you’re doing secure certificate-based authentication for Wi-Fi) and the SCEP profile to the device, which then accesses the URL to complete the certificate signing request with the certificate file.

This makes it simple to issue certificates to every endpoint on your network. Without needing to rely on users to complete certificate requests, you don’t need to worry about the potential for misconfiguration.

Yes, if you have a third-party CA or a pre-existing PKI such as Active Directory Certificate Services (AD CS), we can integrate with it. That means you can use our certificate authority management platform to help issue certificates and otherwise manage the certificate lifecycle for your external CA.

However, there are many reasons to consider our cloud PKI over other alternatives. One reason is that our vendor-neutral solution offers an industry-best number of integrations with Identity Providers and Device Management infrastructure. We also offer customizable certificate templates, for example, which can be encoded with information from your MDMs or your cloud Identity Providers (IDPs). We further enable Jamf Pro and Intune SCEP environments with our advanced integration that allows you to automatically revoke certificates and also secure all certificate signing requests by ensuring the devices exist in Jamf Pro or Intune.

Choosing SecureW2's managed PKI has several benefits over AD CS and Microsoft Cloud PKI. Although it works well in Microsoft settings like Azure and Intune, Microsoft Cloud PKI does not integrate with multiple IDPs/MDMs like Okta and Jamf Pro, an essential feature for various infrastructures. On the other hand, our platform easily interacts with other IDPs and MDMs, guaranteeing interoperability everywhere. In addition, we offer an easy-to-use RADIUS service for certificate-based authentication, which simplifies implementation compared to Microsoft NPS.

Meanwhile, AD CS has cost and scalability issues because it depends on on-premise infrastructure. SecureW2 offers a simplified approach with easy interfaces, while AD CS requires more time and experience to configure and set up.

SecureW2's managed PKI provides organizations full certificate authority services, including Intune SCEP certificate issuance, without platform reliance or on-premise infrastructure constraints. Our solution is flexible and effective, providing enterprises with strong certificate management systems customized to meet their requirements.