Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager?

We need to take care of some prerequisites before creating a SCEP certificate profile in Intune. You need to have the on-prem infrastructure components available before creating SCEP certificate profiles in Intune.
The NDES connector is supposed to be installed in your data center, and the NDES connector should be able to talk to the CA server and to the Azure AD App Proxy connector if you are using Azure AD App Proxy. Related post – Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com).
I’m not going to cover the setup of NDES and the Azure AD App Proxy connectors. Those two configurations are complex and well explained in loads of other blogs. This post will cover how to create and deploy a SCEP profile to iOS devices via the Intune blade in the Azure portal.
All these configurations are explained in the video above, or you can watch it here.
Introduction – Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices
Deploying a SCEP certificate to iOS devices helps them connect to corporate Wi-Fi, VPN profiles, etc. Before creating the iOS SCEP certificate profile in Intune, you need to create and deploy the certificate chain. The certificate chain includes the Root CA certificate and the Intermediate/Issuing CA certificate.
There are 3 certificate profile types available in Intune: Trusted certificate, SCEP certificate, and PKCS certificate. We are not going to use the PKCS certificate for SCEP profile deployment. The following is the high-level task list for deploying a SCEP profile to iOS devices:
- Create and deploy the iOS Root CA certificate profile using the Intune Azure portal
- Or create and deploy an iOS Intermediate CA certificate profile using the Intune Azure portal
- Create and deploy the SCEP certificate profile to iOS devices using the Intune Azure portal
Create and Deploy iOS Root CA, iOS Intermediate/Issuing CA Certificate Profiles
As the first step, we need to create a Root CA certificate profile. To create it, navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. Select the platform (iOS) and the profile type Trusted certificate. You need to browse and upload your Root CA certificate (name of the cert = ACN-Enterprise-Root-CA.CER) from your CA server.
Once the settings are saved, you need to deploy the root cert profile to the required iOS devices. The same process needs to be followed for the Intermediate/Issuing CA certificate profile deployment via Intune.
Make sure that you are uploading the issuing CA cert (name of cert = ACN-Issuing-CA-PR1.CER) from your CA server.
To create a SCEP certificate profile, navigate to Microsoft Intune – Device Configuration – Profiles – Create profile. While creating the iOS SCEP certificate profile, we need to select the profile type “SCEP certificate” and the platform iOS.
The next step is configuring the settings. These settings are very important, and you need to consult your CA team when you create a SCEP certificate profile. Many of these values differ depending on the CA server setup and the setup of the other on-prem components.
The certificate validity period is 1 year, which is the industry standard. The subject name format also depends on your organization’s preference. In this scenario, I selected Common name as Email and Subject alternative name as UPN. Key usage is Digital signature and Key decipherment. The key size is 2048.
Another important point is to link the SCEP certificate profile with the Root cert profile you already created. If you have not created any Root cert profile in Intune, it won’t allow you to create a SCEP certificate profile. Extended key usage is another setting, and it should get populated automatically.
One example here is Client Authentication – 1.3.6.1.5.5.7.3.2.
The last set of settings for iOS SCEP profiles in Intune is Enrollment Settings. I would recommend keeping the certificate renewal threshold at the default value of 20%. The SCEP server URLs are very important. These are the URLs to which iOS devices will go to request SCEP certs.
So, this endpoint should be reachable from the internet. As I mentioned above, you can use Azure AD App Proxy URLs here (e.g., https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll). In this scenario, I will use the Azure AD App Proxy settings. All these configuration details are explained in the video here.
The SCEP certificate will be in the following format: “ACN-Issuing-CA-PR5”.
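As an added example (my own code, not from the post, Intune or NDES), the following Python script lints a SCEP profile dict that mirrors the settings walked through above (linked Root CA profile, 2048-bit key, Client Authentication EKU, 1-year validity, 20% renewal threshold, an HTTPS App Proxy SCEP URL) and checks a GetCACaps response from the NDES endpoint for SHA-256/AES support. The dict field names are this script's own assumptions and the GetCACaps body is a constructed sample.

```python
from urllib.parse import urlparse
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, the "Client Authentication" EKU
STRONG_CAPS = {"SHA-256", "AES", "POSTPKIOperation"}  # RFC 8894 GetCACaps keywords worth requiring

def lint_scep_profile(p):
    """Return a list of problems in a profile dict; an empty list means it looks deployable."""
    problems = []
    if not p.get("root_cert_profile"):
        problems.append("no trusted Root CA certificate profile is linked")
    if p.get("key_size", 0) < 2048:
        problems.append("key size is below 2048 bits")
    if CLIENT_AUTH_EKU not in p.get("extended_key_usage", []):
        problems.append("extended key usage lacks Client Authentication")
    if p.get("validity_years", 0) > 1:
        problems.append("validity is longer than the 1-year standard")
    if not 1 <= p.get("renewal_threshold_pct", 0) <= 50:
        problems.append("renewal threshold is outside 1-50% (Intune default is 20%)")
    urls = p.get("scep_server_urls", [])
    if not urls:
        problems.append("no SCEP server URL configured")
    for url in urls:
        u = urlparse(url)
        if u.scheme != "https" or not u.netloc:
            problems.append(f"SCEP URL is not an HTTPS URL: {url}")
        elif not u.path.lower().endswith("/mscep/mscep.dll"):
            problems.append(f"SCEP URL does not point at the NDES mscep.dll endpoint: {url}")
    return problems

def missing_cacaps(body):
    """Parse a GetCACaps response (one keyword per line) and return the strong caps it lacks."""
    caps = {line.strip() for line in body.splitlines() if line.strip()}
    return sorted(STRONG_CAPS - caps)

# Constructed sample using the values from the post; the dict key names are this script's own.
SAMPLE_PROFILE = {
    "root_cert_profile": "ACN-Enterprise-Root-CA",
    "key_size": 2048,
    "validity_years": 1,
    "extended_key_usage": [CLIENT_AUTH_EKU],
    "renewal_threshold_pct": 20,
    "scep_server_urls": ["https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll"],
}
# Constructed GetCACaps body in the shape NDES returns; a real probe would GET
# <scep_url>?operation=GetCACaps over the same App Proxy URL the devices use.
SAMPLE_CACAPS = "AES\r\nPOSTPKIOperation\r\nRenewal\r\nSHA-256\r\nSHA-1\r\nDES3\r\n"

if __name__ == "__main__":
    print(lint_scep_profile(SAMPLE_PROFILE) or "profile settings look deployable")
    print(missing_cacaps(SAMPLE_CACAPS) or "NDES advertises SHA-256, AES and POSTPKIOperation")
```

Run it against your own profile values before assigning the profile; a non-empty list from either function is a setting to fix with the CA/NDES team first.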
- Configure and manage SCEP certificates with Intune – New Azure Portal
- How to configure certificates in Microsoft Intune – New Azure Portal
- How to Protect NDES with Azure AD Application Proxy
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.