SCEP certificate deployment for Intune-managed Android for Work devices is tricky.
The process is similar to that for iOS, but because of “Android for Work” containerization, it is harder to confirm whether the SCEP certificate was successfully delivered to the device.
This post looks at the “Intune Android Work SCEP Certificate Deployment Issue” in more detail.
SCEP Certificate Deployments Posts
The following two posts and video tutorials give you more details about SCEP certificates. In them I explain the prerequisites for SCEP cert deployment and the creation and deployment process of SCEP certificates.
Android for Work SCEP certificate deployment using Intune is similar to iOS. You need to follow these steps:
- Make sure the SCEP certificate infrastructure is in place
- Create and deploy a Root or Intermediate certificate using the Trusted certificate profile type. Select Android for Work as the platform
- Create and deploy the SCEP certificate using the SCEP certificate profile type. Select Android for Work as the platform
If you want to give users access to corporate resources through VPN, WiFi, or email profiles, you can authenticate those connections with certificates. This improves security and removes the need to enter usernames and passwords to establish connections.
We can use Intune to deploy the SCEP certificates to Android for Work enrolled devices.
Android Work – SCEP Certificate Deployment Issue?
The Android device was successfully enrolled in Intune for management. The user was able to access email and other company resources, and the device received the ROOT certificates deployed via Intune.
I was able to see the ROOT certificate on the Android device with the certificate application, but I could not find the SCEP certificate on the device.
Intune A4W SCEP Certificate Deployment Troubleshooting Steps?
We checked that the CA and NDES servers were working correctly and confirmed that there were no errors in the NDES logs or the Event logs. We collected the following logs.
- IIS logs: C:\inetpub\logs\LogFiles\W3SVC1\u_ex<YYMMDD>.log
- NDESPlugin: C:\Program Files\Microsoft Intune\NDESPolicyModule\Logs\NDESPlugin.log
- NDES Connector Service: C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs\NDESConnector_<YYYY-MM-DD_xxxxxxxx>.svclog and C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs\CertificateRegistrationPoint_<YYYY-MM-DD>.svclog
Also check the Company Portal logs from the Android for Work device. We could see the object ID (OID) for the SCEP client certificate in the log.
926 2017-10-30T13:29:47.8500000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 11575 508 ADD ./Vendor/MSFT/NodeCache/SCConfigMgr/Nodes/47/ExpectedValue unknown:<ConfigurationParameters xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2012/03/07/CertificateEnrollment/ConfigurationParameters"><ExpirationThreshold>20</ExpirationThreshold><RetryCount>3</RetryCount><RetryDelay>1</RetryDelay><TemplateName /><SubjectNameFormat>1041824</SubjectNameFormat><SubjectAlternativeNameFormat>33432</SubjectAlternativeNameFormat><KeyStorageProviderSetting>0</KeyStorageProviderSetting><KeyUsage>160</KeyUsage><KeyLength>2048</KeyLength><HashAlgorithms><HashAlgorithm>SHA-2</HashAlgorithm></HashAlgorithms><NDESUrls><NDESUrl>https://ACNPRS.msappproxy.net/certsrv/mscep/mscep.dll</NDESUrl></NDESUrls><CAThumbprint></CAThumbprint><ValidityPeriod>1</ValidityPeriod><ValidityPeriodUnit>Years</ValidityPeriodUnit><EKUMapping><EKUMap><EKUName>Client Authentication</EKUName><EKUOID></EKUOID></EKUMap></EKUMapping></ConfigurationParameters>
The following log trace confirms that the Android device is receiving the SCEP cert, yet the certificate is still not visible on the device.
2017-10-30T14:16:08.1030000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 25939 3582 GET ./Vendor/MSFT/CertificateStore/SCEP/ModelName=AC_0;Hash=-11293741923/EncodedCertificate returned chr:
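To check a Company Portal log export for these two events without reading it by hand, here is an added Python example written for this post (it is not from Microsoft or the original author). The sample log lines are constructed from the two excerpts above, with the NDES hostname replaced by a placeholder; the code pulls the SCEP policy parameters out of the NodeCache ADD, confirms the CertificateStore/SCEP EncodedCertificate GET, and flags policy settings a defender would want to double-check.

```python
"""Scan Intune Company Portal (OMA-DM ProviderHive) log lines for the events that
show a SCEP policy arrived and the certificate was fetched into the work container."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the two excerpts in the post; the NDES hostname
# is a placeholder, not the tenant's real Application Proxy URL.
SAMPLE_LOG = """\
926 2017-10-30T13:29:47.8500000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 11575 508 ADD ./Vendor/MSFT/NodeCache/SCConfigMgr/Nodes/47/ExpectedValue unknown:<ConfigurationParameters xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2012/03/07/CertificateEnrollment/ConfigurationParameters"><ExpirationThreshold>20</ExpirationThreshold><RetryCount>3</RetryCount><RetryDelay>1</RetryDelay><KeyUsage>160</KeyUsage><KeyLength>2048</KeyLength><HashAlgorithms><HashAlgorithm>SHA-2</HashAlgorithm></HashAlgorithms><NDESUrls><NDESUrl>https://ndes.example.invalid/certsrv/mscep/mscep.dll</NDESUrl></NDESUrls><ValidityPeriod>1</ValidityPeriod><ValidityPeriodUnit>Years</ValidityPeriodUnit><EKUMapping><EKUMap><EKUName>Client Authentication</EKUName><EKUOID></EKUOID></EKUMap></EKUMapping></ConfigurationParameters>
927 2017-10-30T14:16:08.1030000 VERB Event com.microsoft.omadm.providerhive.ProviderHiveVerbose 25939 3582 GET ./Vendor/MSFT/CertificateStore/SCEP/ModelName=AC_0;Hash=-11293741923/EncodedCertificate returned chr:
"""
CONFIG_RE = re.compile(r"<ConfigurationParameters\b.*</ConfigurationParameters>")
CERT_NODE_RE = re.compile(r"\./Vendor/MSFT/CertificateStore/SCEP/([^/\s]+)/EncodedCertificate")

def _leaf_values(xml_text):
    """Map local tag name -> text for every leaf element, namespace stripped."""
    return {el.tag.split("}")[-1]: (el.text or "").strip()
            for el in ET.fromstring(xml_text).iter() if len(el) == 0}

def parse_scep_log(text):
    """Return the SCEP policy pushed via NodeCache and the cert nodes read back."""
    result = {"policy": None, "cert_nodes": [], "received": False}
    for line in text.splitlines():
        m = CONFIG_RE.search(line)
        if m and "/NodeCache/" in line:  # ADD of the policy's ExpectedValue
            leaves = _leaf_values(m.group(0))
            result["policy"] = {
                "ndes_url": leaves.get("NDESUrl"),
                "key_length": int(leaves.get("KeyLength", "0")),
                "hash": leaves.get("HashAlgorithm"),
                "eku": leaves.get("EKUName"),
                "validity": leaves.get("ValidityPeriod", "") + " " + leaves.get("ValidityPeriodUnit", ""),
            }
        m = CERT_NODE_RE.search(line)
        if m and " GET " in line:  # EncodedCertificate read back from the store
            result["cert_nodes"].append(m.group(1))
            result["received"] = True
    return result

def policy_issues(policy):
    """Flag weak or unexpected SCEP policy settings worth a second look."""
    issues = []
    if policy["key_length"] < 2048:
        issues.append("key length below 2048 bits")
    if policy["hash"] != "SHA-2":
        issues.append("hash algorithm is not SHA-2")
    if not (policy["ndes_url"] or "").startswith("https://"):
        issues.append("NDES URL is not HTTPS")
    return issues
```

Run parse_scep_log over the full text of an exported Company Portal log; received is True only when a CertificateStore/SCEP node was actually read back, which is the evidence the container holds the certificate even when the stock certificate app cannot show it.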
Why is the SCEP certificate not visible on the Android device?
The real issue is where the SCEP certificate is stored: it lives inside the “Android for Work” container.
The root certificate, on the other hand, is stored in the default certificate store of the Android device. That is why we can see the root cert on the device but not the SCEP certificate.
The SCEP certificate is received, but the default certificate application in Android has no access to the Android for Work container.
The stock app only lists the certificates installed in the device (personal) container, and it has no right to read the A4W container. That is why I couldn’t see it.
How do we make sure the SCEP certificate is deployed to the Android device?
A Microsoft support engineer told me to add a “My Certificate” application to the Google Play for Work store. I added the application to the Google Play for Work store
and deployed it to the device using Intune. The following blog posts will give you more ideas about the Android for Work setup for an Intune environment.
- Beginners Guide Intune Android for Work and Google Play for Work Setup
- Step by Step Video Guide Intune Azure Portal How to Setup Android Work Support
- How to Enrol Android for Work Supported Devices to Intune Management
- Intune Entry Level Low-Cost Device Support for Android for Work Enrollment
The “My Certificate” application was installed on my Android device through the Android for Work channel.
Using the My Certificate application, I validated and verified that the SCEP certificate was present in the Android for Work container.
The same approach can be used to verify WiFi profile deployment on Android for Work devices.
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.