Using SCEP to Assign Certificates with Intune

Introduction

Configuring managed devices for digital certificates can be an involved process, but using a SCEP gateway to distribute certificates to Intune devices simplifies it considerably. Once configured as described in the guide below, managed Intune devices receive certificates with no end-user interaction and no possibility of misconfiguration.

For more details on setting up Cloud Connector for certificate enrollment, refer to the JoinNow MultiOS and Connector Configuration Guide in the SecureW2 management portal.


Prerequisites

The following are the prerequisites for setting up Intune to allow devices to enroll for digital certificates using Simple Certificate Enrollment Protocol (SCEP):

  • A Microsoft Online Services account with Intune subscription.
  • Users must be assigned Intune licenses before they can enroll their devices in Intune.
  • JoinNow Cloud Management Portal has been set up for TLS (Root and Intermediate Device CAs are present).


Device Profiles in Microsoft Intune

Device profiles allow you to add and configure settings and then push those settings to devices in your organization. The following profiles must be created so that end-user devices can connect to the secured network using user certificates.

Note: You must create a separate profile for each platform.


Prerequisite: Generate SCEP URL, Policies and Attributes

  1. Navigate to API Tokens under Identity Management
  2. Click Add API Token
  3. Enter a Name and Vendor and click Update
  4. A CSV file is downloaded that contains a shared secret and a SCEP URL. This SCEP URL must be modified before it will work with Intune
    • The downloaded URL is not in the form Intune expects: it must be modified so that the SCEP URL and shared secret are recognized when the configuration profile is pushed out. For the exact format, contact the support team.


User Role and Enrollment Policies

Setting up Intune requires two separate policies in the SecureW2 management portal: a User Role Policy and an Enrollment Policy. Intune does not need a dedicated Device Role policy; you can use the Default Device Role policy as long as its settings are left at their defaults.

Configuring the Role Policy:
  1. Navigate to Policy Management
  2. Click Add Role
  3. Navigate to the Conditions tab
  4. Select Intune as your Identity Provider
  5. Click Update

Configuring the Enrollment Policy:
  1. Navigate to Policy Management
  2. Click Enrollment Policy
  3. Click Add Enrollment Policy
  4. Enter a Name
  5. Click Save
  6. Navigate to the Conditions tab
  7. Under User Role, select the Role Policy you just created (whatever you named it)
  8. Leave Device Role as DEFAULT DEVICE ROLE
  9. Click Update
  10. Navigate to the Settings tab
  11. Select the Intermediate CA that will be used
  12. Under Use Certificate Template, select the Certificate Template we created earlier
  13. Leave Revoke Certificate as Automatically
  14. Click Update

Configuring the enrollment policy


Step 1. Trusted Certificate Profile for RADIUS Certificate

This profile is configured with the certificate of the authority that issued your RADIUS server certificate, so that devices can validate the RADIUS server certificate and therefore trust the RADIUS server. Server validation is achieved by adding to the profile the Root and/or Intermediate Certificate Authority certificates that issued the RADIUS server certificate. When you assign this profile, the Intune-managed devices receive the trusted certificates.

You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.


1.1 Export RADIUS Server Root CA

First you need to obtain the RADIUS Server Root CA. In this guide, we will be configuring Intune with the SecureW2 RADIUS Server, so we will export the RADIUS Server Root CA from the SecureW2 management portal.

To Export the SecureW2 RADIUS Server Certificate:

  1. Click Network Profiles
  2. Click Edit on the Network Profile you configured earlier
  3. Click Add/Remove Certificate in the Certificates section
  4. Check the box next to DigiCert Global Root CA (Mon Nov 10 00:00:00 UTC 2031)

Adding the certificate

  1. Click Update
  2. The CA will appear in the Certificates section
  3. Click Download


1.2 Create a Trusted Certificate Profile

Now that we’ve downloaded the RADIUS Server certificate, we need to create a Trusted Certificate Profile in Azure to push this certificate to our devices.

  1. Sign in to the Azure portal.
  2. Select All services, filter on Intune, and select Microsoft Intune.
  3. Select Device configuration > Manage > Profiles > Create profile.

Creating a trusted certificate profile

  1. Enter a Name and Description for the trusted certificate profile.
  2. From the Platform drop-down list, select the device platform for this trusted certificate.
    • Android
    • iOS
    • macOS
    • Windows 10 and later
      • Note: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.
  3. From the Profile type drop-down list, choose Trusted certificate.

configuring the device profile

  1. Browse to the certificate you saved in 1.1 Export RADIUS Server Root CA, then select OK.
    • For Windows 8.1 and Windows 10 devices only, select the Destination Store for the trusted certificate: Computer certificate store – Root

selecting the certificate store

  1. When you’re done, choose OK, go back to the Create profile pane, and select Create.
  2. The profile is created and appears on the list. To assign this profile, see Assign device profiles.


Step 2. Trusted Certificate Profile for SecureW2 Issuing CA Certificate

This profile is required to map the SecureW2 Issuing CA certificate to the SCEP certificate profile. This CA certificate must be the certificate that issues the end-user certificates.

You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.


2.1 Export Your SecureW2 Issuing CA certificate

Export the SecureW2 Issuing Certification Authority (CA) certificate as a public certificate (.cer) from the SecureW2 management portal.

  1. Login to SecureW2 management portal.
  2. Navigate to PKI Management > Certificate Authorities.
  3. Under Certificate Authorities section, beside the Issuing Intermediate CA certificate, click Download.

This certificate is imported when you set up the trusted certificate profile below.


2.2 Create Trusted Certificate Profile

Follow all the steps from section 1.2 Create a Trusted Certificate Profile, except for the step below, which replaces the certificate selection step:

  1. Locate the certificate you saved in 2.1 Export your SecureW2 Issuing CA certificate, then select OK.

Note: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.


Step 3. SCEP Certificate Profile for SecureW2 SCEP Certificate Requests

This profile is required for end-user devices to communicate with the SecureW2 Issuing CA certificate for the enrollment of end-user certificates. Once the end-user certificate is enrolled successfully, the certificate is used to connect to the Wi-Fi network.

You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.


3.1 Create a SCEP Certificate Profile

  1. In the Azure portal, select All services, filter on Intune, and select Microsoft Intune.
  2. Select Device configuration > Profiles > Create profile.
  3. Enter a Name and Description for the SCEP certificate profile.
  4. From the Platform drop-down list, select the device platform for this SCEP certificate. You can select one of the following platforms:
    • Android
    • iOS
    • macOS
    • Windows 10 and later
      • Note: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.
  5. From the Profile type drop-down list, select SCEP certificate. Enter the following settings:
    1. Certificate type: Choose User for user certificates. Choose Device for scenarios such as userless devices, like kiosks, or for Windows devices, placing the certificate in the Local Computer certificate store.
      • Note: Certificate Type is not a setting on Android SCEP Profiles
    2. Subject name format: Select how Intune automatically creates the subject name in the certificate request. The options change if you choose a User certificate type or Device certificate type. Choose from:
      • Common name
      • Common name including email
      • Common name as email
    3. Subject alternative name: Select how Intune automatically creates the subject alternative name (SAN) in the certificate request. The options change if you choose a User certificate type or Device certificate type. Select the following attributes:
      • Email address
      • User principal name (UPN)
    4. Key storage provider (KSP) (Windows Phone 8.1, Windows 8.1, Windows 10): Enter where the key to the certificate is stored. Choose the following value:
      • Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
    5. Key usage: Enter the key usage options for the certificate. Select both options:
      • Key encipherment: Allow key exchange only when the key is encrypted
      • Digital signature: Allow key exchange only when a digital signature helps protect the key
    6. Key size (bits): Select the number of bits contained in the key. Select the largest bit size.
    7. Hash algorithm (Android, Windows Phone 8.1, Windows 8.1, Windows 10): Select the strongest level of security that the connecting devices support.
    8. Root Certificate: Choose the profile created in 2.2 Create Trusted Certificate Profile, that is, the Root CA certificate profile you previously configured and assigned to the user and/or device.
    9. Extended key usage: Add values for the certificate’s intended purpose. In most cases, the certificate requires Client Authentication so that the user or device can authenticate to a server.
    10. Enrollment Settings
      • Renewal threshold (%): Enter the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
      • SCEP Server URLs: Enter the SCEP URL that we created in the Prerequisite section.
    11. Select OK, and Create your profile.
    12. The profile is created and appears on the profiles list pane. Next, Assign a device profile.

configuring the SCEP certificate profile
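
To confirm on an enrolled Windows 10 device that the SCEP profile above (and the trusted RADIUS root from Step 1) were applied as intended, here is an added PowerShell check; it is not SecureW2's or Microsoft's code. The issuing CA name, the 20% renewal threshold and the RADIUS root name are assumptions to adjust for your tenant.

```powershell
# Added example (not SecureW2's or Microsoft's code). Run in Windows PowerShell on an enrolled
# Windows 10 device to verify the SCEP user certificate and the trusted RADIUS root.
$IssuingCaCn    = 'CN=EXAMPLE SecureW2 Issuing CA'   # placeholder: your Issuing Intermediate CA (section 2.1)
$RadiusRootCn   = 'DigiCert Global Root CA'          # root exported in section 1.1
$RenewalPercent = 20                                 # assumed Renewal threshold (%) from the SCEP profile
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'                # Extended key usage: Client Authentication

# 1. Locate the user certificate issued through SCEP (User certificate type lands in CurrentUser\My).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuingCaCn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate from $IssuingCaCn found in CurrentUser\My" }

# 2. Extended key usage must include Client Authentication (step 9 of the profile).
$hasClientAuth = $cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid

# 3. Subject alternative name must carry the UPN (step 3 of the profile).
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
$hasUpn  = $sanText -match 'Principal Name='

# 4. Key size and key storage provider (steps 4 and 6). A TPM-backed key reports the
#    Platform Crypto Provider; a software KSP key reports the Software Key Storage Provider.
$rsaKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsaKey) {
    $keySize  = $rsaKey.KeySize
    $provider = if ($rsaKey -is [System.Security.Cryptography.RSACng]) { $rsaKey.Key.Provider.Provider } else { 'legacy CSP' }
} else { $keySize = 0; $provider = 'non-RSA key' }

# 5. Renewal: the device asks for renewal once the remaining lifetime drops below the threshold.
$lifetime    = $cert.NotAfter - $cert.NotBefore
$renewalDate = $cert.NotAfter - [TimeSpan]::FromTicks([long]($lifetime.Ticks * $RenewalPercent / 100))

# 6. RADIUS server validation: the trusted root from Step 1 must be in LocalMachine\Root on Windows.
$radiusRootPresent = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$RadiusRootCn*" })

[PSCustomObject]@{
    Subject            = $cert.Subject
    ClientAuthEku      = $hasClientAuth
    UpnInSan           = $hasUpn
    KeySizeBits        = $keySize
    KeyStorageProvider = $provider
    ExpectedRenewal    = $renewalDate
    RadiusRootTrusted  = $radiusRootPresent
}
```

Any False value or an unexpected provider points at the corresponding profile setting to revisit before assigning the Wi-Fi profile.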


Step 4. Wi-Fi Profile for Secured SSID Configuration

Microsoft Intune includes built-in Wi-Fi settings that can be deployed to users and devices in your organization. This group of settings is called a “profile”, and can be assigned to different users and groups. Once assigned, users obtain access to the network without configuring it themselves.


4.1 Create a Wi-Fi Profile

  1. In the Azure portal, select All services, filter on Intune, and select Microsoft Intune.
  2. Select Device configuration > Profiles > Create profile.
  3. Enter a Name and Description for the Wi-Fi profile.
  4. In the Platform drop-down list, select the device platform to apply the Wi-Fi profile. Your options:
    • Android
    • iOS
    • macOS
    • Windows 10 and later
      • Note: You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.
  5. In Profile Type, choose Wi-Fi.
  6. The Wi-Fi profile is different for each platform. To see the profile for a specific platform, choose:
    • Android
    • iOS
    • macOS
    • Windows 10 and later
  7. When finished adding your Wi-Fi profile, select Create Profile > Create to add the configuration profile. The profile is created and is shown in the profiles list (Device configuration > Profiles).
  8. Next, Assign a device profile.


4.2 Assigning a Device Profile

  1. In the Azure portal, select All Services > filter on Intune > select Intune.
  2. Select Device configuration > Profiles. All the profiles are listed.
  3. Select the profile you want to assign > Assignments.
  4. Choose to Include groups or Exclude groups, and then select your groups. When you select your groups, you’re choosing an Azure AD group. To select multiple groups, hold down the Ctrl key, and select your groups.
  5. Save your changes.

selecting the parameters of network groups


4.3 Add Wi-Fi Profile for Devices Running Android

You can create a profile with specific settings as per the image below, then deploy this profile to your Android devices.

Configuring the Wi-Fi profile for Android devices


4.4 Add Wi-Fi Profile for iOS Devices

You can create a profile with specific settings as per the image below, then deploy this profile to your iOS devices.

Configuring the Wi-fi profile for iOS devices


4.5 Add Wi-Fi Profile for macOS Devices

You can create a profile with specific settings as per the image below, then deploy this profile to your macOS devices.

Configuring the Wi-Fi profile to push to macOS devices


4.6 Add Wi-Fi Profile for Windows 10 and Later Devices

You can create a profile with specific settings as per the image below, then deploy this profile to your Windows devices.

Configuring the wi-fi profile to upload to windows devices


Concluding Thoughts

Once the profile has been completed, the network is ready to authenticate managed devices using digital certificates. The certificates pushed to devices require no action from the end user; they are ready for productive network usage. If you have any questions concerning the configuration process to use SCEP to push certificates to Intune devices, contact us with your questions using the form below.

Intune is either a registered trademark or a trademark of Microsoft Corporation in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.
