
Third-Party CA SCEP Configuration with Intune

Introduction

With the Intune CA Partner integration, organizations can automate their certificate lifecycle management based on the real-time status of the devices they manage in Intune. It achieves this through a combination of the SCEP protocol and an OAuth-protected API. The API is invoked during the SCEP enrollment process to validate that the device requesting the certificate exists in your Intune organization. SecureW2 also uses the API to periodically check Intune so that devices that have been deleted, have changed permissions, or have fallen out of compliance have their authorization modified appropriately. The diagram created by Microsoft below illustrates the enrollment process.

This guide shows you how to set up the Intune Third-Party CA integration with the SecureW2 JoinNow Connector PKI, a managed cloud PKI service. The flowchart below describes at a high level what you need to do to set up the Third-Party CA integration.
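The enrollment-time check and the periodic re-check described above, as an added Python model (not SecureW2's or Microsoft's code); the device records, the Azure AD group name and the certificate serials are constructed placeholders, and group membership is assumed to stand for the "permissions" the text mentions:

```python
from dataclasses import dataclass

# Constructed model of the lifecycle described above: an enrollment is admitted
# only for a device Intune currently knows, and a periodic check revokes the
# certificates of devices that were deleted, lost their authorization, or fell
# out of compliance. Ids, group names and serials are placeholders.

REQUIRED_GROUP = "Corp-Managed-Devices"   # placeholder Azure AD group name


@dataclass
class IntuneDevice:
    aad_device_id: str
    compliant: bool
    groups: frozenset          # assumed stand-in for "permissions"
    enrolled: bool = True      # False models a device deleted from Intune


@dataclass
class IssuedCert:
    serial: str
    aad_device_id: str
    revoked: bool = False


def lookup_device(inventory, aad_device_id):
    """Stands in for the OAuth-protected Intune API call made by the PKI."""
    dev = inventory.get(aad_device_id)
    return dev if dev is not None and dev.enrolled else None


def authorize_enrollment(inventory, aad_device_id):
    """Decision taken while the SCEP request is being processed: the device
    must exist in Intune, otherwise the request is refused."""
    if lookup_device(inventory, aad_device_id) is None:
        return False, "device not found in Intune"
    return True, "ok"


def still_authorized(dev):
    """A device keeps its certificate only while it exists, is compliant and
    still holds the required group membership."""
    return dev is not None and dev.compliant and REQUIRED_GROUP in dev.groups


def reconcile(inventory, issued):
    """Periodic check: revoke every live certificate whose device no longer
    qualifies. Returns the serials revoked in this run, in order."""
    newly_revoked = []
    for cert in issued:
        if cert.revoked:
            continue
        if not still_authorized(lookup_device(inventory, cert.aad_device_id)):
            cert.revoked = True
            newly_revoked.append(cert.serial)
    return newly_revoked


def sample_inventory():
    """Constructed Intune inventory covering each revocation reason."""
    g = frozenset({REQUIRED_GROUP})
    return {
        "dev-ok": IntuneDevice("dev-ok", True, g),
        "dev-noncompliant": IntuneDevice("dev-noncompliant", False, g),
        "dev-lost-group": IntuneDevice("dev-lost-group", True, frozenset()),
        "dev-deleted": IntuneDevice("dev-deleted", True, g, enrolled=False),
    }


if __name__ == "__main__":
    inv = sample_inventory()
    print(authorize_enrollment(inv, "dev-ok"), authorize_enrollment(inv, "dev-deleted"))
    certs = [IssuedCert("01", "dev-ok"), IssuedCert("02", "dev-noncompliant"),
             IssuedCert("03", "dev-lost-group"), IssuedCert("04", "dev-deleted")]
    print("revoked:", reconcile(inv, certs))
```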

Prerequisites

To set up Microsoft Intune to allow devices to enroll for digital certificates using SCEP, you need:

  1. A Microsoft Online Services account with a Microsoft Intune (Microsoft Endpoint Manager) subscription, and the following roles assigned in Azure Active Directory (AD):
    • Intune Administrator
    • Application Administrator
    • Cloud App Security Administrator
  2. A valid account in the JoinNow Cloud Management Portal with a Managed Device Gateway license.

NOTE: By default, when a device that was enrolled through the Intune third-party CA integration is removed from Intune, the corresponding certificates are automatically revoked in the JoinNow Management Portal.

Device Profiles in Microsoft Intune

Device profiles allow you to add and configure settings, and then push those settings to devices in your organization. The following profiles are created for end-user devices to connect to the secured network using user certificates.

  • Trusted Certificate Profile for the SecureW2 RADIUS Server Root CA
  • Trusted Certificate Profile for the SecureW2 Root CA
  • Trusted Certificate Profile for the SecureW2 Intermediate (Issuing) CA
  • SCEP Profile for the SecureW2 SCEP certificate requests
  • Wi-Fi profile for secure SSID configuration

NOTE: You must create a separate profile for each platform.

Configure Azure

This section describes the steps to configure Azure and Intune to work with the SecureW2 PKI.

Creating a New Application

To register an application in Azure that the Intune CA IdP in the JoinNow Management Portal uses to communicate with Intune, follow these steps:

  1. Log in to the Azure portal.
  2. Go to App registrations.
  3. Click New registration.
  4. On the Register an application page, enter the name of the application in the Name field.
  5. In the Supported account types section, specify who can use the application by selecting any one of the following options:
    1. Accounts in this organizational directory only (MSFT only – Single tenant)
    2. Accounts in any organizational directory (Any Azure AD directory – Multitenant)
    3. Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
    4. Personal Microsoft accounts only
  6. Click Register. The following screen is displayed.
  7. Copy the Application (client) ID, Object ID, and Directory (tenant) ID values to your console. These values are required to create an Intune IdP in the JoinNow Management Portal (see the Creating an Intune CA IdP section).

Creating a Client Secret

  1. On the left pane, go to Manage and click Certificates & secrets.
  2. Click New client secret.
  3. In the Add a client secret pop-up window, enter a description for the client secret in the Description field.
  4. From the Expires drop-down list, select the expiration date of the client secret.
  5. Click Add.
  6. The client secret is displayed under the Value column.

    NOTE: Ensure that you save the client secret on your console properly, as this secret is non-recoverable.

Adding API Permissions

To grant SecureW2 the API permissions it needs to access the Azure directory, follow these steps:

  1. On the left pane, go to Manage and select API Permissions.
  2. On the API permissions screen, click Add a permission.
  3. Select Microsoft Graph.
  4. Select Application permissions.
  5. In the Select permissions section, from the Application drop-down menu, select Application.Read.All.
  6. Click Add permissions.
  7. Click Add a permission.
  8. Select Intune.
  9. Select Application permissions.
  10. In the Select permissions section, from the Permissions drop-down menu, select scep_challenge_provider for certificate request validation, and then click Add.
  11. After adding the permissions, click Grant admin consent for {your organization} to grant consent for the requested permissions.
  12. In the Grant admin consent confirmation pop-up window, click Yes.
  13. The configured APIs are displayed on the Configured permissions page.

Configure SecureW2

This section describes the following procedures carried out in the JoinNow Management Portal:

  • Generating the required network profiles
  • Creating a SecureW2 Intermediate CA
  • Creating an Intune Certificate Template
  • Creating an Identity Provider (IdP) for Intune CA
  • Creating the policies (Role, Enrollment, and Network policies)

Getting Started

The Getting Started Wizard creates everything you need for 802.1X. It generates a RADIUS server, CAs, network profiles, a landing page to onboard BYOD devices if desired, and all the default network settings you need for 802.1X.

NOTE: If you have configured SecureW2 for your network, skip this section.

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Device Onboarding > Getting Started.
  3. On the Quickstart Network Profile generator page, from the Profile Type drop-down list, select Wireless.
  4. In the SSID field, enter a suitable name for the SSID.
  5. From the Security Type drop-down list, select WPA2-Enterprise.
  6. From the EAP Method drop-down list, select EAP-TLS.
  7. From the Policy drop-down list, select Default.
  8. From the Wireless Vendor drop-down list, select a wireless infrastructure vendor.
  9. From the RADIUS Vendor drop-down list, select SecureW2.
  10. Click Create.

    NOTE: The Getting Started wizard typically takes 60-90 seconds to create the profile.

Creating an Intermediate CA for Intune SCEP Gateway Integration

As a best practice, SecureW2 recommends having a new intermediate CA for JoinNow SCEP Gateway integration with Intune. The CA that issues certificates to BYOD devices should be separate from the CA that issues certificates to managed devices, because managed devices do not require email notifications. You can disable email notifications for a dedicated CA that issues certificates to Intune managed devices.

To create a new intermediate CA:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that includes “SCEP.”
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period (in years) field, enter the validity period of the CA certificate.
  11. Click Save. The new intermediate CA is generated.

Creating an Intune Certificate Template

To create an Intune Certificate Template:

  1. Navigate to PKI > Certificate Authorities.
  2. Click Add Certificate Template.
  3. In the Basic section, for the Name field, enter the name of the certificate template.
  4. In the Subject field, enter CN=${/device/clientId}.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  8. In the SAN section:
    1. In the Other Name field, enter ${/device/identity}.
    2. In the RFC822 field, enter ${/device/clientId}.
    3. In the DNS field, enter ${/device/identity}.
  9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  10. Click Save.

Creating an Intune CA IdP

In the JoinNow MultiOS Management Portal, create an IdP for the Intune CA to accept requests from the Intune portal. The IdP provides the Endpoint URI for the SCEP profiles in Intune.

  1. Go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. In the Basic section, enter the name of the IdP in the Name field.
  4. In the Description field, enter a suitable description for the IdP.
  5. From the Type drop-down list, select Intune CA Partner.
  6. Click Save.
  7. The page refreshes, and the Configuration tab is displayed.
  8. Select the Configuration tab.
  9. In the Configuration section, for the Client Id and Tenant Id fields, enter the values you obtained after creating a new application in the Azure portal (for more information, see the Creating a New Application section).
  10. In the Client Secret field, enter the value you obtained after creating the client secret in the Azure portal (see the Creating a Client Secret section).
  11. From the Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating an Intermediate CA for Intune SCEP Gateway Integration section).
  12. Copy the Endpoint URI to your console. This Endpoint URI will be used while configuring a SCEP Profile in Intune.
  13. Click Update.

Configuring Policy Management

Setting up Microsoft Intune requires three policies in the JoinNow MultiOS Management Portal:

  • Role policy
  • Enrollment policy
  • Network policy

NOTE: Microsoft Intune does not need a dedicated Device Role policy. You can use the Default Device Role policy in the configuration.

Configuring a Role Policy

To configure a user role policy:

  1. Navigate to Policy Management > Roles Policies.
  2. Click Add Role.
  3. In the Basic section, enter the name of the role policy in the Name field.
  4. In the Display Description field, enter a suitable description for the role policy.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Identity Provider drop-down list, select the Intune CA IdP you created earlier (see the Creating an Intune CA IdP section).
  9. In the Attributes/Groups section, for the Attribute field, retain ANY.
  10. Click Update.

Configuring an Enrollment Policy

To configure an enrollment policy:

  1. Navigate to Policy Management > Enrollment Policies.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.

    NOTE: You must select a User Role and Device Role for enrollment. You can use a Fallback Device policy to allow enrollment based on the Role policy.

  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Role drop-down list, select the role policy you created earlier (see the Configuring a Role Policy section).
  9. From the Device Role drop-down list, select DEFAULT DEVICE ROLE POLICY.
  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating an Intermediate CA for Intune SCEP Gateway Integration section).
  12. From the Use Certificate Template drop-down list, select the template you created earlier (see the Creating an Intune Certificate Template section).
  13. In the other settings, retain the default values.
  14. Click Update.

Configuring Network Policy

To configure network policy:

  1. Go to Policy Management > Network Policies.
  2. Click Add Network Policy.
  3. In the Basic section, enter the name of the network policy in the Name field.
  4. In the Display Description field, enter a suitable description for the network policy.
  5. Click Save.
  6. Select the Conditions tab.
  7. Select Match All or Match Any based on your requirements to set authentication criteria.
  8. Click Add rule.
  9. Expand Identity and click Select adjacent to the Role option.
  10. Click Save.
  11. The Role option appears under the Conditions tab.
  12. From the Role Equals drop-down list, select the role policy you created earlier (see the Configuring a Role Policy section).
  13. Select the Settings tab.
  14. Click Add Attribute.
    1. From the Dictionary drop-down list, select Radius:IETF or Custom.
    2. From the Attribute drop-down list, select an option.
    3. In the Value text box, enter a value for the attribute.
  15. Click Save.

Trusted Certificate Profiles

Trusted Certificate Profile for the RADIUS Server Root CA Certificate

Configure this Trusted Certificate Profile with the certificate of the CA that issued your RADIUS server certificate. This allows devices to trust your RADIUS server by validating the RADIUS server certificate. Server validation is achieved in the profile configuration by adding the Root and/or Intermediate Certificate Authority (CA) certificates that issued the RADIUS server certificate. When you assign this profile, the Microsoft Intune managed devices receive the trusted certificates.

NOTE: For RADIUS vendors other than the SecureW2 RADIUS server, ensure that you have the Root or Intermediate CA certificate that issues the RADIUS server certificates.

NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

Trusted Certificate Profile for SecureW2 Root CA

This trusted certificate profile is required for the certificate chain of trust.

NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

Exporting the SecureW2 Root CA

  1. Log in to the JoinNow Management Portal.
  2. Navigate to PKI > Certificate Authorities.
  3. In the Certificate Authorities section, click the Download link for the Root CA issued to your organization (see the Creating an Intermediate CA for Intune SCEP Gateway Integration section).

NOTE: This certificate is imported when you set up the trusted certificate profile described in the following section.

Creating a Trusted Certificate Profile - SecureW2 Root CA

  1. Sign in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration profiles.
  3. Click Create and select New Policy.
  4. On the Create a profile page, from the Platform drop-down list, select the device platform for this trusted certificate. The options are:
    1. Android device administrator
    2. Android (AOSP)
    3. Android Enterprise
    4. iOS/iPadOS
    5. macOS
    6. Windows 10 and later
    7. Windows 8.1 and later

      NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

  5. From the Profile type drop-down list, select Templates, and then select Trusted certificate.
  6. Click Create.
  7. On the Trusted certificate page, in the Basics section, enter the name of the Trusted Certificate in the Name field.
  8. In the Description field, enter a suitable description for the trusted certificate.
  9. Click Next.
  10. In the Configuration settings section, for the Certificate file field, click the Browse button to add the Root certificate you saved earlier (see the Exporting the SecureW2 Root CA section).

    NOTE: For Windows 8.1 and later devices, from the Destination store drop-down list, select Computer certificate store – Root as shown in the following screen.
  11. Click Next.
  12. Assign the profile to appropriate Groups and Rules, review it, and click Create.

Trusted Certificate Profile for SecureW2 Intermediate CA

This Trusted Certificate Profile is required to map the SecureW2 Intermediate CA certificate to the SCEP certificate profile. This CA certificate must be the certificate that issues the end-user certificates.

NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

Exporting the SecureW2 Intermediate CA

To export the SecureW2 Intermediate CA from the JoinNow MultiOS Management Portal, follow the given steps.

  1. Log in to the JoinNow Management Portal.
  2. Go to PKI > Certificate Authorities.
  3. In the Certificate Authorities section, click the Download link for the Intermediate CA created earlier (see the Creating an Intermediate CA for Intune SCEP Gateway Integration section). This certificate is imported when you set up the trusted certificate profile described in the following section.

Creating a Trusted Certificate Profile - SecureW2 Intermediate CA

  1. Sign in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration profiles.
  3. Click Create and select New Policy.
  4. On the Create a profile page, from the Platform drop-down list, select the device platform for this trusted certificate. The options are:
    1. Android device administrator
    2. Android (AOSP)
    3. Android Enterprise
    4. iOS/iPadOS
    5. macOS
    6. Windows 10 and later
    7. Windows 8.1 and later

      NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

  5. From the Profile type drop-down list, select Templates, and then select Trusted certificate.
  6. Click Create.
  7. On the Trusted certificate page, in the Basics section, enter the name of the Trusted Certificate in the Name field.
  8. In the Description field, enter a suitable description for the trusted certificate.
  9. Click Next.
  10. In the Configuration settings section, for the Certificate file field, click the Browse button to add the Intermediate CA certificate you saved earlier (see the Exporting the SecureW2 Intermediate CA section).

    NOTE: For Windows 10 and later devices, configure the Destination Store field as Computer certificate store – Root as shown in the following screen.
  11. Click Next.
  12. Assign the profile to the appropriate Groups and Rules, review it, and click Create.

Exporting the Trusted RADIUS Server Root CA Certificate

This section lists the steps to export the RADIUS server Root CA certificate from the JoinNow Management Portal.

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Device Onboarding > Network Profiles.
  3. On the Network Profiles page, click the Edit link of the network profile configured earlier (see the Getting Started section).
  4. Scroll down to the Certificates section and click Add/Remove Certificate.
  5. Check the checkbox next to DigiCert Global Root CA (Mon Nov 10 00:00:00 UTC 2031) as shown in the following screen.
  6. Click Update.
  7. The CA appears in the Certificates section.
  8. Click Download.

Creating a Trusted Certificate Profile - RADIUS Server Root CA Certificate

  1. Sign in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration profiles.
  3. Click Create and select New Policy.
  4. On the Create a profile page, from the Platform drop-down list, select the device platform for this trusted certificate. The options are:
    1. Android device administrator
    2. Android (AOSP)
    3. Android Enterprise
    4. iOS/iPadOS
    5. macOS
    6. Windows 10 and later
    7. Windows 8.1 and later

      NOTE: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

  5. From the Profile type drop-down list, select Templates, and then select Trusted certificate.
  6. Click Create.
  7. On the Trusted certificate page, in the Basics section, enter the name of the Trusted Certificate in the Name field.
  8. In the Description field, enter a suitable description for the trusted certificate.
  9. Click Next.
  10. On the Configuration settings page, add the Root CA certificate you saved earlier by clicking the Browse button (see the Exporting the Trusted RADIUS Server Root CA Certificate section).
  11. Click Next.
  12. Assign the profile to appropriate Groups and Rules, review it, and click Create.

SCEP Profile for SecureW2 SCEP Certificate Requests

The SCEP profile is required for end-user devices to communicate with the SecureW2 Issuing CA to enroll for end-user certificates. Once the end-user certificate is enrolled successfully, it is used to connect to the Wi-Fi network.

NOTE: You must create a separate profile for each OS platform. The steps to create the SCEP profile are similar for each device platform.

Creating a SCEP Certificate Profile

  1. Log in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration profiles.
  3. Click Create and select New Policy.
  4. On the Create a profile page, from the Platform drop-down list, select the device platform for this SCEP certificate profile. The options are:
    1. Android device administrator
    2. Android (AOSP)
    3. Android Enterprise
    4. iOS/iPadOS
    5. macOS
    6. Windows 10 and later
    7. Windows 8.1 and later

      NOTE: You must create a separate profile for each OS platform. The steps to create the SCEP profile are similar for each device platform.
  5. From the Profile type drop-down list, select Templates and then select SCEP certificate.

  6. Click Create.
  7. On the SCEP certificate page, in the Basics section, enter the name of the SCEP certificate in the Name field.
  8. In the Description field, enter a suitable description for the SCEP certificate.
  9. Click Next.
  10. For Certificate Type User, use the following settings:
    1. In the Configuration settings section, from the Certificate type drop-down list, select User for user certificates.
    2. In the Subject name format field, enter the format from which Microsoft Intune automatically creates the subject name in the certificate request. Select one of the following options:
      • CN= {{UserName}}
      • CN= {{EmailAddress}}
      • CN= {{UserPrincipalName}} (recommended by SecureW2)
    3. In the Subject alternative name field, from the Attribute drop-down list, select Email address and enter any one of the following values:
      • {{UserName}}
      • {{UserPrincipalName}}
      • {{AAD_Device_ID}} (recommended by SecureW2)

        NOTE: To test if attributes are configured correctly, check the Events section in the JoinNow Management Portal for any event messages, such as Device Creation Failed, which indicates that the attributes are not correctly mapped.
  11. For Certificate Type Device, use the following settings:
    1. In the Configuration settings section, from the Certificate type drop-down list, select Device to connect to the network using a device certificate.
    2. In the Subject name format field, enter the format from which Microsoft Intune automatically creates the subject name in the certificate request. Select one of the following options:
      • CN={{DeviceName}}
      • CN={{AAD_Device_ID}} (recommended by SecureW2)
    3. In the Subject alternative name field, from the Attribute drop-down list, select Email address and enter any one of the following values:
      • {{DeviceName}} (recommended by SecureW2)
      • {{AAD_Device_ID}}

        Microsoft Intune automatically creates the subject alternative name (SAN) in the certificate request.

        NOTE: To test if the attributes are configured correctly, in the JoinNow Management Portal, go to Data and Monitoring > General Events and look for any event messages, such as Device Creation Failed, that indicate that the attributes are not correctly mapped.

    4. From the Certificate validity period drop-down list, select the date until which the certificate is valid.
    5. From the Key storage provider (KSP) drop-down list, for Windows 10 and later platforms, select Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP to store the certificate’s key.
    6. From the Key usage drop-down list, select both the Key encipherment and Digital signature check boxes to exchange the certificate’s public key.
      • Key encipherment: Allows key exchange only when the key is encrypted.
      • Digital signature: Allows key exchange only when a digital signature protects the key.
    7. From the Key size (bits) drop-down list, select the number of bits contained in the key. Select the largest key size.
    8. From the Hash algorithm drop-down list, select SHA-2, the highest level of security that the connecting devices support.
    9. Click + Root Certificate under the Root Certificate section.
    10. In the Root Certificate pop-up window, select the profile created earlier (see the Creating a Trusted Certificate Profile – SecureW2 Intermediate CA section).
    11. Click OK.
    12. Under the Extended key usage section, add values for the certificate’s intended purpose. In most cases, the certificate requires client authentication for the user to be able to authenticate to a server.
      • In the Name field, enter the name of the extended key usage.
      • In the Object Identifier field, enter the object identifier (OID), a unique dotted string of decimal numbers that identifies the usage.
      • From the Predefined values drop-down list, select Client Authentication.
    13. Under the Enrollment Settings section, in the Renewal threshold (%) field, enter the percentage of the certificate lifetime that remains before the device requests renewal of the certificate. The recommended value in Microsoft Intune is 20%.
    14. In the SCEP Server URLs field, enter the Endpoint URI generated from the JoinNow Management Portal (see the Creating an Intune CA IdP section).

    15. Click Next.
    16. Assign the profile to appropriate Groups and Rules, review it, and click Create.
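An added pre-deployment check (not part of the original guide, Intune or SecureW2) that renders the Subject name format and SAN value of a SCEP profile the way Intune substitutes its {{...}} variables, and flags stray braces or unknown variable names, the kind of mismatch that later surfaces as a Device Creation Failed event; the sample user/device record is constructed:

```python
import re

# Variables the Intune SCEP profile can substitute, as listed in the guide.
INTUNE_VARS = {"UserName", "EmailAddress", "UserPrincipalName",
               "DeviceName", "AAD_Device_ID"}

# (Subject name format, SAN email value) the guide marks "recommended by SecureW2".
RECOMMENDED = {
    "User":   ("CN={{UserPrincipalName}}", "{{AAD_Device_ID}}"),
    "Device": ("CN={{AAD_Device_ID}}", "{{DeviceName}}"),
}

# Constructed sample record; not real tenant data.
SAMPLE_RECORD = {
    "UserName": "jdoe",
    "EmailAddress": "jdoe@example.com",
    "UserPrincipalName": "jdoe@example.com",
    "DeviceName": "LAPTOP-0423",
    "AAD_Device_ID": "11111111-2222-3333-4444-555555555555",
}

TOKEN = re.compile(r"\{\{([A-Za-z_]+)\}\}")


def lint_template(template):
    """Return problems Intune would not resolve: stray braces (such as the
    one-brace typo {AAD_Device_ID}}) and variable names it does not know."""
    problems = []
    leftovers = TOKEN.sub("", template)   # what remains once valid tokens are removed
    if "{" in leftovers or "}" in leftovers:
        problems.append(f"unbalanced braces in {template!r}")
    for name in TOKEN.findall(template):
        if name not in INTUNE_VARS:
            problems.append(f"unknown variable {name} in {template!r}")
    return problems


def render(template, record):
    """Substitute each {{Var}} token from the user/device record."""
    return TOKEN.sub(lambda m: record[m.group(1)], template)


def check_scep_profile(cert_type, subject_format, san_value, record):
    """Lint both fields, render them if clean, and say whether the pair is the
    guide's recommended combination for this certificate type."""
    problems = lint_template(subject_format) + lint_template(san_value)
    result = {
        "problems": problems,
        "recommended": (subject_format.replace(" ", ""), san_value)
                       == RECOMMENDED[cert_type],
    }
    if not problems:
        result["subject"] = render(subject_format, record)
        result["san_email"] = render(san_value, record)
    return result


if __name__ == "__main__":
    for args in (("Device", "CN={{AAD_Device_ID}}", "{{DeviceName}}"),
                 ("Device", "CN={{AAD_Device_ID}}", "{AAD_Device_ID}}"),
                 ("User", "CN= {{UserName}}", "{{UserPrincipalName}}")):
        print(args[0], check_scep_profile(*args, SAMPLE_RECORD))
```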

Wi-Fi Profile for Secure SSID Configuration

Microsoft Intune includes built-in Wi-Fi settings that you can deploy to users and devices in your organization. This group of settings is called a profile, which can be assigned to different users and groups. Once you assign users a profile, they can obtain access to the network without configuring it themselves.

Creating a Wi-Fi Profile

  1. Sign in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration profiles.
  3. Click Create and select New Policy.
  4. On the Create a profile page, from the Platform drop-down list, select the device platform for this Wi-Fi profile. The options are:
    1. Android device administrator
    2. Android (AOSP)
    3. Android Enterprise
    4. iOS/iPadOS
    5. macOS
    6. Windows 10 and later
    7. Windows 8.1 and later

      NOTE: You must create a separate profile for each OS platform. The steps to create the Wi-Fi profile are similar for each device platform.
  5. From the Profile type drop-down list, select Templates and then select Wi-Fi.
  6. Click Create.
  7. On the Wi-Fi page, in the Basics section, enter the name of the Wi-Fi in the Name field.
  8. In the Description field, enter a suitable description for the Wi-Fi.
  9. Click Next.
  10. In the Configuration settings section, from the Wi-Fi type drop-down list, select any one of the following options:
    • Basic
    • Enterprise
  11. Configure your Wi-Fi settings and click Next.
  12. Assign the profile to appropriate Groups and Rules, review it, and click Create.

Assign a Device Profile

After creating a profile, you must specify the devices to which the profiles are to be pushed. To assign the devices, perform the following steps:

  1. Sign in to the Microsoft Endpoint Manager portal.
  2. Navigate to Devices > Configuration profiles.
  3. Select the profile you want to assign to users or groups.
  4. Scroll to the Assignments section and click the Edit link.
  5. Under the Included groups or Excluded groups section, click Add groups to add one or more Azure AD Groups. To apply the policy to all relevant devices, select Add all users or Add all devices.

    NOTE: If you click Add all users or Add all devices, the Add groups option is disabled.
  6. On the Select groups to include page, select the Azure AD group to which the policy must be assigned and click Select to add the group.
  7. Click the Review + Save button.
  8. Click Save.

Add Wi-Fi Settings for Devices Running Android

You can create a profile with specific Wi-Fi settings, then deploy this profile to your Android devices.

Setting name and configuration step:

  • Wi-Fi type: Select Enterprise.
  • Network name: Enter a name for your reference.
  • SSID: This setting is the real name of the wireless network that devices connect to.
  • EAP type: Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Select EAP-TLS.
    • Server Trust – Root certificate for server validation: Select an existing trusted Root certificate profile, created in the Creating a Trusted Certificate Profile – RADIUS Server Root CA Certificate section. This certificate is presented to the server when the client connects to the network, and is used to authenticate the connection. Select OK to save your changes.
    • Client Authentication – Client certificate for client authentication (Identity certificate): Select the SCEP profile created previously in the Creating a SCEP Certificate Profile section. This certificate is the identity presented by the device to the server to authenticate the connection. Select OK to save your changes.

NOTE: Retain the default values for the Connect automatically and Connect to this network, even when it is not broadcasting its SSID attributes.

After you have configured the Wi-Fi settings, select Next and then click Create. The profile is created and displayed in the profiles list.

Add Wi-Fi Settings for iOS Devices

You can create a profile with specific Wi-Fi settings, and then deploy the profile to your iOS devices.

Setting name and configuration step:

  • Wi-Fi type: Select Enterprise.
  • Network name: Enter a user-friendly reference name for this Wi-Fi connection.
  • SSID: This setting is the real name of the wireless network that devices connect to.
  • EAP type: Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Select EAP-TLS.
  • Server Trust – Certificate server names: Add one or more common names used on your RADIUS server certificates issued by your trusted CA. For the SecureW2 RADIUS, it is: radius01.securew2.com
  • Root certificate for server validation: Select an existing trusted Root certificate profile, created in the Creating a Trusted Certificate Profile – RADIUS Server Root CA Certificate section. This certificate is presented to the server when the client connects to the network, and is used to authenticate the connection. Select OK to save your changes.
  • Client Authentication – Client certificate for client authentication (Identity certificate): Select the SCEP client certificate profile created previously in the Creating a SCEP Certificate Profile section. This certificate is the identity presented by the device to the server to authenticate the connection. Select OK to save your changes.

NOTE: Retain the default values for the Connect automatically, Connect to this network, even when it is not broadcasting its SSID, and Proxy settings attributes.

After you have configured the Wi-Fi settings, select Next and then click Create. The profile is created and displayed in the profiles list.

Add Wi-Fi Settings for macOS Devices

You can create a profile with specific Wi-Fi settings, then deploy this profile to your macOS devices.

  • Wi-Fi type: Select Enterprise.
  • Network name: Enter a user-friendly reference name for this Wi-Fi connection.
  • SSID: This setting is the real name of the wireless network that devices connect to.
  • EAP type: Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Select EAP-TLS.
  • Server Trust – Certificate server names: Add one or more common names used on your RADIUS server certificates issued by your trusted CA. For the SecureW2 RADIUS, it is: radius01.securew2.com
  • Root certificate for server validation: Select an existing trusted Root certificate profile, created in the Creating a Trusted Certificate Profile – RADIUS Server Root CA Certificate section. This certificate is presented to the server when the client connects to the network, and is used to authenticate the connection. Select OK to save your changes.
  • Client Authentication – Client certificate for client authentication (Identity certificate): Select the SCEP client certificate profile created previously in the Creating a SCEP Certificate Profile section. This certificate is the identity presented by the device to the server to authenticate the connection. Select OK to save your changes.

NOTE: Retain the default values for the Connect automatically when in range, Connect to this network, even when it is not broadcasting its SSID, and Company Proxy settings attributes.

After you have configured the Wi-Fi settings, select Next and then click Create. The profile is created and displayed in the profiles list.

Add Wi-Fi Settings for Windows 10 and Later Devices

You can create a profile with specific Wi-Fi settings, then deploy this profile to your Windows 10 and later devices.

  • Wi-Fi type: Select Enterprise.
  • Wi-Fi name (SSID): This value is the real name of the wireless network that devices connect to.
  • Connection name: Enter a user-friendly reference name for this Wi-Fi connection.
  • EAP type: Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Select EAP-TLS.
  • Server Trust – Certificate server names: Add one or more common names used on your RADIUS server certificates issued by your trusted CA. For the SecureW2 RADIUS, it is: radius01.securew2.com
  • Root certificate for server validation: Select an existing trusted Root certificate profile, created in the Creating a Trusted Certificate Profile – RADIUS Server Root CA Certificate section. This certificate is presented to the server when the client connects to the network, and is used to authenticate the connection. Select OK to save your changes.
  • Client Authentication – Client certificate for client authentication (Identity certificate): Select the SCEP profile created previously in the Creating a SCEP Certificate Profile section. This certificate is the identity presented by the device to the server to authenticate the connection. Select OK to save your changes.

After you have configured the Wi-Fi settings, select Next and then click Create. The profile is created and displayed in the profiles list.

NOTE: Retain the default values for the Connect automatically when in range, Metered Connection Limit, Single sign-on (SSO), Enable Pairwise Master Key (PMK) caching, Enable pre-authentication, and Company proxy settings attributes.
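The Root certificate for server validation and Certificate server names settings in each of the profiles above are what make the supplicant reject a RADIUS server it should not trust. As an added example that is not part of the SecureW2 guide, the following POSIX shell script uses openssl to emulate those two checks against constructed certificates; only the expected server name radius01.securew2.com comes from the guide, and every CA, key and certificate is generated on the fly.

```shell
#!/bin/sh
# Added example, not part of the SecureW2 guide: emulates the two server-trust checks
# an EAP-TLS supplicant makes from the Wi-Fi profile settings above, using openssl.
#   1. The RADIUS server certificate must chain to the trusted Root CA profile.
#   2. Its name must match one of the configured "Certificate server names".
# Every certificate below is constructed on the fly; only the expected server
# name radius01.securew2.com comes from the guide.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Constructed root CA standing in for the "RADIUS Server Root CA Certificate".
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 1 \
  -subj "/CN=Constructed Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# mk_leaf PREFIX NAME: issue a server certificate for NAME from the constructed root.
mk_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
mk_leaf good radius01.securew2.com          # the legitimate RADIUS server
mk_leaf wrongname radius99.example.invalid  # trusted CA, but not a configured server name

# A self-signed certificate carrying the right name, as a rogue access point would present.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 1 \
  -subj "/CN=radius01.securew2.com" -addext "subjectAltName=DNS:radius01.securew2.com" \
  -keyout rogue.key -out rogue.pem 2>/dev/null

# check_radius_cert CERT ROOT NAME: return 0 only when CERT chains to ROOT and matches NAME.
check_radius_cert() {
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "REJECT $1: does not chain to the trusted Root CA"; return 1
  fi
  if ! openssl x509 -in "$1" -noout -checkhost "$3" | grep -q "does match"; then
    echo "REJECT $1: name does not match $3"; return 1
  fi
  echo "ACCEPT $1"
}

check_radius_cert good.pem root.pem radius01.securew2.com
check_radius_cert wrongname.pem root.pem radius01.securew2.com || true
check_radius_cert rogue.pem root.pem radius01.securew2.com || true
```

Only the certificate that both chains to the root and carries the configured name is accepted; a profile missing either setting would let one of the other two through.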

Troubleshooting

This section lists the common issues that you may encounter after the configuration is done, and the steps to resolve them:

  1. Certificate fails to enroll.
  2. Connection to the secure SSID fails.
  3. Error messages are displayed:
    • The “Device Creation Failed” error message is displayed in the Events page (Log in to the JoinNow Management Portal, navigate to Data and Monitoring > General Events).
    • The “SCEP enrollment failed” error message is displayed in the Intune portal.
  4. Users not assigned to the application in Microsoft Intune.

To resolve them:

  1. Check if the attributes have values and are mapped correctly. For more information, see the Creating an Intermediate CA for Intune SCEP Gateway Integration section.
  2. Make sure that the SCEP profile (in the Intune Portal) is configured to send values in the SAN attribute using Email address (RFC822). The common attributes configured are DeviceName and AAD_Device_ID. For more information, see the Creating an Intermediate CA for Intune SCEP Gateway Integration section.
  3. Confirm that the User Role Policy is mapped to the Intune API Token as the identity provider, and similarly ensure that the Enrollment Policy is mapped to the User Role and the default Device Role. For more information, see the Configuring a Role Policy section.
  4. Ensure that the SCEP profile is configured accurately. For more information, see the Creating an Intermediate CA for Intune SCEP Gateway Integration section.
  5. Check if the Trusted Root CA of the RADIUS server certificate is mapped in the Wi-Fi profile. For more information, see the Creating a Wi-Fi Profile section.
  6. Remove the SCEP profile and push any other profile, such as the Trusted Root CA profile, to confirm whether the user receives the configuration successfully. For more information, see the Exporting the Trusted RADIUS Server Root CA Certificate section.
  7. Have an administrator manually add the users to Microsoft Intune via the Microsoft 365 admin center or the Microsoft Intune admin center and assign licenses to the user accounts. For more information, see: Add users and grant administrative permission to Intune