Intune – Create – Deploy SCEP Certificate to iOS Devices

4

We need to take care of some prerequisites before creating SCEP Certificate in Intune. You need to have an on-prem infrastructure components available before creating SCEP Certificates in Intune. NDES connector should be installed on your Data Center and NDES connector should be able to talk to CA server as well as with Azure AD App proxy connector if you are using Azure app proxy.

I’m not going to cover the setup of NDES and Azure AD App proxy connector. Those two configurations are very complex and very well explained in loads other blogs. In this post, we will cover how to create and deploy SCEP Profile to iOS Devices via Intune blade in the Azure portal.

All these configurations are explained in the video above or you can watch here

Deployment of SCEP Certificate to iOS devices will help to get connected to corporate Wi-Fi and VPN profiles etc… Before creating iOS SCEP Certificate in Intune, you need to create and deploy certificate chain. The certificate chain includes Root CA certificate and Intermediate/Issuing CA certificate. There are 3 certificate profiles available in Intune, and those are TRUSTED Certificate, SCEP Certificate, and PKCS certificate. We are not going to use PKCS certificate for SCEP profile deployment. Following are the high-level tasks list for deploying SCEP Profile to iOS Devices:-

  1. Create and Deploy iOS Root CA certificate using Intune Azure Portal
  2. Or Create and Deploy iOS Intermediate CA certificate using Intune Azure Portal
  3. Create and Deploy SCEP Certificate to iOS Devices using Intune Azure Portal

SCEP Profile to iOS Devices

Create and Deploy iOS Root CA, iOS Intermediate/Issuing CA Certificate Profiles

As the first step, we need to create Root CA cert profile. To create Root CA cert, navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. Select the platform like iOS and profile type as Trusted Certificate. You just need to browse and upload your ROOT CA cert (Name of the cert = ACN-Enterprise-Root-CA.CER) from your CA server. Once settings are saved, just need to deploy root cert profile to required iOS devices. The same process needs to follow for Intermediate/Issuing CA certificate profile deployment via Intune. Make sure that you are uploading issuing CA cert (Name of cert = ACN-Issuing-CA-PR1.CER) from you CA server. All these configurations are explained in the video above or you can watch here.

Intune - Create - Deploy SCEP Certificate to iOS Devices 1Create and Deploy iOS SCEP Certificate Profile for iOS Devices

To create SCEP certificate profile, navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. While creating iOS SCEP Certificate, we need to select Profile type as “SCEP certificate” and platform as iOS. The next step is configuring the settings, these settings are very important, and we need to consult with your CA team when you create an SCEP Certificate. Loads of these configurations can differ as per the CA server setup and another on-prem component setup.

Certificate validity period is 1 year, and this is the normal standard in the industry. Subject name format is also depending on your organization preference. In this scenario, I selected common name as email. Subject alternative name as UPN. Key usage is a digital signature and key decipherment. Key Size is 2048.

Another important point is you need to link the SCEP Certificate with ROOT cert profile which you already created. If you have not created any ROOT cert in Intune, then it won’t allow you to create SCEP Certificate. Extended key usage is another setting, and it should automatically get populated. One example here is Client Authentication – 1.3.6.1.5.5.7.4.3.

Intune - Create - Deploy SCEP Certificate to iOS Devices 2The last set of settings for iOS SCEP profiles in Intune is Enrollment Settings. I would recommend keeping the renewal threshold of certificates as the default value 20%. SCEP server URLs are very important. These are the URLs which iOS devices will go and request for SCEP certs. So, this should be reachable from the internet. As I mentioned above, you can very well use Azure AD App proxy URLs here (e.g. https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll ). In this scenario, I’m going to use Azure AD App proxy settings. All these configuration details are explained in the video here.

SCEP Certificate will be in the following format “ACN-Issuing-CA-PR5“.

Reference :-

  • Configure and manage SCEP certificates with Intune – New Azure Portal – here
  • How to configure certificates in Microsoft Intune – New Azure Portal – here
  • How to Protect NDES with Azure AD Application Proxy – here

4 COMMENTS

  1. I have a requirement to identify DEM shared Device SCEP Certificate Serial Number for each device enrolled so we can manually revoke on the CA. We cannot revoke all certificate associated with an account as they share enrollment account credentials.
    Is there a way to extract this from the NDES server or Intune?
    Use case :
    If a DEM shared Device was stolen and we need to revoke the certificate, there a requirement to isolate the certificate of the stolen device. Please note CA generates a unique SCEP Certificate Serial Number per certificate

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.