Intune Android Work SCEP Certificate Deployment Issue

SCEP certificate deployment to Intune-managed Android for Work devices is tricky.

The process is similar to that for iOS. But because of “Android for Work” containerization, it is hard to confirm whether the SCEP certificate was actually delivered to the device.

This post goes into the details of the “Intune Android Work SCEP Certificate Deployment Issue.”


SCEP Certificate Deployments Posts

The following two posts and video tutorials give more details about SCEP certificates. They explain the prerequisites for SCEP certificate deployment and the process of creating and deploying SCEP certificates.

How to Create and Deploy SCEP Certificate to iOS Devices
How to Create and Deploy SCEP Certificate to Windows Devices

Android for Work SCEP certificate deployment using Intune is similar to iOS. You need to follow these steps:

  1. Make sure the SCEP certificate infrastructure is in place.
  2. Create and deploy a Root or Intermediate certificate with “Trusted certificate” as the profile type. Select Android for Work as the platform.
  3. Create and deploy the SCEP certificate with “SCEP certificate” as the profile type. Select Android for Work as the platform.

Why do we need to deploy SCEP certificates to Devices?

If you want to give users access to corporate resources through VPN, WiFi, or email profiles, you can authenticate these connections using certificates. This improves security and removes the need for users to enter usernames and passwords to establish connections.

We can use Intune to deploy the SCEP certificates to Android for Work enrolled devices.

Android Work – SCEP Certificate Deployment Issue?

The Android device was successfully enrolled in Intune for management. The user was able to access email and other company resources, and the device received the ROOT certificates deployed via Intune.

I could see the ROOT certificate on the Android device with the certificate application, but I could not find the SCEP certificate on the device.

Intune A4W SCEP Certificate Deployment Troubleshooting Steps?

We checked the CA and NDES servers to confirm that everything was working. We also confirmed that there were no errors in the NDES logs or the Event logs. We collected the following logs.

IIS logs:
C:\inetpub\logs\LogFiles\W3SVC1\u_ex<YYMMDD>.log
NDESPlugin:
C:\Program Files\Microsoft Intune\NDESPolicyModule\Logs\NDESPlugin.log
NDES Connector Service:
C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs\NDESConnector_<YYYY-MM-DD_xxxxxxxx>.svclog
C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs\CertificateRegistrationPoint_<YYYY-MM-DD>.svclog

Also, check the Company Portal logs from the Android for Work device. We could see the SCEP client certificate configuration, including its object ID (OID), in the log.

926 2017-10-30T13:29:47.8500000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 11575 508
ADD ./Vendor/MSFT/NodeCache/SCConfigMgr/Nodes/47/ExpectedValue unknown:<ConfigurationParameters xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2012/03/07/CertificateEnrollment/ConfigurationParameters">
<ExpirationThreshold>20</ExpirationThreshold><RetryCount>3</RetryCount><RetryDelay>1</RetryDelay><TemplateName />
<SubjectNameFormat>1041824</SubjectNameFormat><SubjectAlternativeNameFormat>33432</SubjectAlternativeNameFormat>
<KeyStorageProviderSetting>0</KeyStorageProviderSetting><KeyUsage>160</KeyUsage><KeyLength>2048</KeyLength>
<HashAlgorithms><HashAlgorithm>SHA-2</HashAlgorithm></HashAlgorithms>
<NDESUrls><NDESUrl>https://ACNPRS.msappproxy.net/certsrv/mscep/mscep.dll</NDESUrl></NDESUrls>
<CAThumbprint></CAThumbprint><ValidityPeriod>1</ValidityPeriod><ValidityPeriodUnit>Years</ValidityPeriodUnit>
<EKUMapping><EKUMap><EKUName>Client Authentication</EKUName><EKUOID></EKUOID></EKUMap></EKUMapping></ConfigurationParameters>

The following log trace confirms that the Android device is receiving the SCEP cert. But the SCEP certificate is still not visible on the Android device.

2017-10-30T14:16:08.1030000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 25939 3582 GET ./Vendor/MSFT/CertificateStore/SCEP/ModelName=AC_0;Hash=-11293741923/EncodedCertificate returned chr:
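As an added example (not from the original post), a small Python script that pulls the pushed SCEP settings out of a Company Portal log like the one above and confirms that an EncodedCertificate was actually returned. The log excerpt is constructed from the lines quoted here, with a placeholder NDES host and certificate payload (the post's excerpt cuts the payload off), and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Company Portal (OMA-DM) log excerpt modelled on the lines quoted
# above; the NDES host and the certificate payload are placeholders.
SAMPLE_LOG = """\
926 2017-10-30T13:29:47.8500000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 11575 508 ADD ./Vendor/MSFT/NodeCache/SCConfigMgr/Nodes/47/ExpectedValue unknown:<ConfigurationParameters xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2012/03/07/CertificateEnrollment/ConfigurationParameters"><RetryCount>3</RetryCount><KeyLength>2048</KeyLength><HashAlgorithms><HashAlgorithm>SHA-2</HashAlgorithm></HashAlgorithms><NDESUrls><NDESUrl>https://ndes.example.invalid/certsrv/mscep/mscep.dll</NDESUrl></NDESUrls><ValidityPeriod>1</ValidityPeriod><ValidityPeriodUnit>Years</ValidityPeriodUnit><EKUMapping><EKUMap><EKUName>Client Authentication</EKUName><EKUOID></EKUOID></EKUMap></EKUMapping></ConfigurationParameters>
927 2017-10-30T14:16:08.1030000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 25939 3582 GET ./Vendor/MSFT/CertificateStore/SCEP/ModelName=AC_0;Hash=-11293741923/EncodedCertificate returned chr: MIIC_PLACEHOLDER_BASE64
"""
NS = "{http://schemas.microsoft.com/SystemCenterConfigurationManager/2012/03/07/CertificateEnrollment/ConfigurationParameters}"
CONFIG_RE = re.compile(r"<ConfigurationParameters.*?</ConfigurationParameters>", re.S)
DELIVERY_RE = re.compile(r"GET \./Vendor/MSFT/CertificateStore/SCEP/([^/\s]+)/EncodedCertificate returned chr:[ \t]*(\S*)")


def parse_scep_config(log_text):
    """Extract the SCEP settings Intune pushed (the NodeCache ExpectedValue XML)."""
    m = CONFIG_RE.search(log_text)
    if not m:
        return None
    root = ET.fromstring(m.group(0))

    def text(path):  # element text, or "" when the element is absent/empty
        el = root.find(path)
        return (el.text or "").strip() if el is not None else ""

    return {
        "ndes_url": text(f"{NS}NDESUrls/{NS}NDESUrl"),
        "key_length": int(text(f"{NS}KeyLength") or 0),
        "hash": text(f"{NS}HashAlgorithms/{NS}HashAlgorithm"),
        "eku": text(f"{NS}EKUMapping/{NS}EKUMap/{NS}EKUName"),
        "validity": text(f"{NS}ValidityPeriod") + " " + text(f"{NS}ValidityPeriodUnit"),
    }


def scep_certificate_delivered(log_text):
    """Return the CertificateStore/SCEP node name once a non-empty EncodedCertificate is logged."""
    for m in DELIVERY_RE.finditer(log_text):
        if m.group(2):
            return m.group(1)
    return None


def check_config(cfg):
    """Flag profile settings a reviewer would question before trusting the cert for auth."""
    findings = []
    if cfg["key_length"] < 2048:
        findings.append(f"key length {cfg['key_length']} below 2048")
    if cfg["hash"] != "SHA-2":
        findings.append(f"hash algorithm {cfg['hash']!r} is not SHA-2")
    if not cfg["ndes_url"].startswith("https://"):
        findings.append("NDES URL is not HTTPS")
    return findings
```

Point `parse_scep_config` and `scep_certificate_delivered` at the real Company Portal log text; a `None` from the second function means the device never logged a certificate payload, which is the case to chase with the NDES-side logs listed earlier.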

Why is the SCEP certificate not visible on Android Device?

The real issue is access to the SCEP certificate: the SCEP certificate is stored within the “Android for Work” container.

The root certificate, however, is stored in the default certificate store of the Android device. Hence we can see the root cert on the Android device but not the SCEP certificate.

The SCEP certificate is received, but the default certificate application in Android doesn’t have access to the Android for Work container.

The certificate app only lists the certificates installed in the device store, and it has no right to access the A4W container. That is why I couldn’t see it.

How do we make sure SCEP Certificate is deployed to Android Device?

A Microsoft support engineer told me to add a “My Certificate” application to the Google Play for Work store. I added the application to the Google Play for Work store.

I then deployed that application to the device using Intune. The following blog posts will give you more ideas about the Android for Work setup in an Intune environment.

Intune Android for Work SCEP Certificate Deployment Issue

The “My Certificate” application was installed on my Android device through the Android for Work channel.

I validated and verified the SCEP certificate in the Android for Work container with the My Certificate application.

We could use the same approach to test WiFi profile deployment on Android for Work devices.


3 thoughts on “Intune Android Work SCEP Certificate Deployment Issue”

  1. Hi Anoop, great post.
    Having difficulty accessing WiFi using profile and cert authentication for AfW. Works OK on Windows Phone. SCEP certs have been deployed successfully. Checked using the My Certificates app as you mentioned. Root cert deployed successfully as well. If the root cert is deployed to the personal profile and the SCEP cert is deployed to the Work profile, how will this work? Do we need to allow communication between the work profile and personal profile in the device policy?
    Thanks
    Steve

