Intune Android Work SCEP Certificate Deployment Issue

3
Intune Android for Work SCEP Certificate Deployment Issue

SCEP certificate deployment for Intune managed Android for Work devices is a bit tricky. This process is similar to that of iOS. But, because of “Android for Work” containerisation, it’s bit a tricky to confirm whether the SCEP certificate is successfully delivered to the device or not. In this post, we will see more details about “Intune Android Work SCEP Certificate Deployment Issue.”

SCEP Certificate Deployments Posts

Following are two posts, and video tutorials will give you more details about SCEP certificates. I explained about prerequisites of SCEP cert deployment, creation, and deployment process of SCEP certificates.

How to Create and Deploy SCEP Certificate to iOS Devices
How to Create and Deploy SCEP Certificate to Windows Devices

Android for Work SCEP certificate deployment using Intune is similar to that of iOS. You need to follow:-

  1. Make sure the SCEP certificate infrastructure is in place
  2. Create and Deploy Root or Intermediate certificate with a trusted certificate as profile type. Select Android for Work as platform
  3. Create and Deploy SCEP certificate with SCEP cert as profile type. Select Android for Work as platform

Select Android for Work as platformWhy do we need to deploy SCEP certificates to Devices?

If you want to provide corporate resource access to the users through VPN, WiFi or email profiles then, you can authenticate these connections by using certificates. This gives more security and removes the need to enter usernames and passwords to authenticate connections.

We can use Intune to deploy the SCEP certificates to Android for Work enrolled devices.

Android Work – SCEP Certificate Deployment Issue?

The Android device is successfully enrolled to Intune for management. The user was able to access the email and other company resources. Also, the device is received the ROOT certificates deployed via Intune.

I was able to see the ROOT certificate on Android device with certificate application. But, I was not able to trace the SCEP certificate on Android device.

Intune A4W SCEP Certificate Deployment Troubleshooting Steps?

We have checked the CA and NDES servers whether everything working fine or not. Also, we confirmed that there are no errors in the NDES and Event logs. We collected the following logs:-

IIS logs: 
C:\inetpub\logs\LogFiles\W3SVC1\u_ex<YYMMDD>.log 
NDESPlugin:
<C:\Program Files\Microsoft Intune\NDESPolicyModule\Logs\NDESPlugin.log> 
NDES Connector Service: 
 <C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs\NDESConnector_<YYYY-MM-DD_xxxxxxxx>.svclog> 
 <C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs\CertificateRegistrationPoint_<YYYY-MM-DD>.svclog>

Also, checked the Company Portal logs from Android for Work device. We could see the object ID (OID) for the SCEP client certificate in the log.

926 2017-10-30T13:29:47.8500000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 11575 508 
ADD ./Vendor/MSFT/NodeCache/SCConfigMgr/Nodes/47/ExpectedValue unknown:<ConfigurationParameters xmlns=
"http://schemas.microsoft.com/SystemCenterConfigurationManager/2012/03/07/CertificateEnrollment/ConfigurationParameters">
<ExpirationThreshold>20</ExpirationThreshold><RetryCount>3</RetryCount><RetryDelay>1</RetryDelay><TemplateName />
<SubjectNameFormat>1041824</SubjectNameFormat><SubjectAlternativeNameFormat>33432</SubjectAlternativeNameFormat>
<KeyStorageProviderSetting>0</KeyStorageProviderSetting><KeyUsage>160</KeyUsa
ge><KeyLength>2048</KeyLength><HashAlgorithms><HashAlgorithm>SHA-2</HashAlgorithm></HashAlgorithms><NDESUrls><NDESUrl>https://ACNPRS.msappproxy.net/certsrv/mscep/mscep.dll</NDESUrl></NDESUrls><CAThumbprint></CAThumbprint><ValidityPeriod>1</ValidityPeriod><ValidityPeriodUnit>Years</ValidityPeriodUnit><EKUMapping><EKUMap><EKUName>Client Authentication</EKUName><EKUOID></EKUOID></EKUMap></EKUMapping></ConfigurationParameters>

And from the following log trace, it’s confirmed that the Android device is getting the SCEP cert. But, the SCEP certificate is not visible on Android device.

2017-10-30T14:16:08.1030000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 25939 3582 GET ./Vendor/MSFT/CertificateStore/SCEP/ModelName=AC_0;Hash=-11293741923/EncodedCertificate returned chr:

Why is the SCEP certificate not visible on Android Device?

The real issue seems to be related to access to SCEP certificate. SCEP certificate is stored with in “Android for Work” container. However, the root certificate is stored in default certificate store of Android device. Hence we would be able to see the root cert on Android device but not SCEP certificate.

The SCEP certificate is received, but the default certificate application in Android doesn’t have access to Android for Work container. The app needs check the certificates installed in the device container and it does not have rights to access the A4W container. That is the reason why I couldn’t see it.

How do we make sure SCEP Certificate is deployed to Android Device?

Microsoft support engineer told me to add a new application called “My Certificate” to Google Play for Work store. I added the application to Google play for Work store. Deployed that application to the device using Intune. The following blog posts will give you more idea about Android for Work setup for Intune environment.

Beginners Guide Intune Android for Work and Google Play for Work Setup
Step by Step Video Guide Intune Azure Portal How to Setup Android Work Support
How to Enrol Android for Work Supported Devices to Intune Management
Intune Entry Level Low-Cost Device Support for Android for Work Enrollment

Intune Android for Work SCEP Certificate Deployment Issue

The “My Certificate” application got installed on my Android device through Android for Work channel. I was able to validate and verify the SCEP certificate on Android for Work container with My Certificate Application. I think we could use similar logic to check the WiFi Profile deployment testing on Android for Work devices.

Intune – Android Google Work Video Tutorial

3 COMMENTS

  1. Hi Anoop, great post.
    Having difficulty accessing WiFi using profile and cert authentication for AfW. Works OK on Windows Phone. SCEP certs have been deployed successfully. Checked using the My Certificates app as you mentioned. Root cert deployed successfully as well. If the root cert is deployed to the personal profile and the SCEP cert is deployed to the Work profile, how will this work? Do we need to allow communication between the work profile and personal profile in the device policy?
    Thanks
    Steve

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.