Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added a link.

This article describes a configuration example of the SCEP protocol with Azure Intune in Protocol Gateway.


Expandall

Prerequisites

Expand
titlePrerequisites

The following prerequisites apply:

Step-by-step instruction

Configure Intune for device certificate enrollment

Expand
titleRegister app

To authorize communication between Protocol Gateway and Azure Intune you need to create a new registration app in your company Azure portal.

  1. Navigate to the Azure Portal at https://portal.azure.com/.
  2. Navigate to Azure Active Directory > App registrations and select New registration.
  3. Give the app registration a Name, which is the user-facing display name, for example Intune App
  4. Set Supported account types to Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
  5. In Redirect URI, select Web and set the URI to the Protocol Gateway SCEP Intune endpoint:

    Code Block
    titleExample: Protocol Gateway SCEP Intune endpoint
    https://example.com/pgwy/scep/intune/pkiclient.exe


  6. Click on Register to finalize the app registration.
  7. You are directed to the App overview page. Copy the Application (client) id, this is your app id and needs to be configured in the Protocol Gateway SCEP properties later.
  8. Navigate to Certificates & secrets and create a Client secret. Copy the value before leaving the page, it can not be retrieved later. This value needs to be configured in the Protocol Gateway SCEP properties later. 
  9. Navigate to API permissions. You need to add three separate application permissions.
    Click Add a permission and then:

    1. On the Request API permissions page, select Intune and then select Application permissions.

      1. Select the checkbox for scep_challenge_provider (SCEP challenge validation).
      2. Click Add permissions to save this configuration.
      3. Click Add a permission again.

    2. On the Request API permissions page, select Microsoft Graph > Application permissions.

      1. Expand Application and select the checkbox for Application.Read.All (Read all applications).

      2. Click Add permissions to save this configuration.
      3. Click Add a permission again.

    3. On the Request API permissions page, change the tab from 'Microsoft APIs' to 'APIs my organization uses'

      1. In the search bar, type 'windows'

      2. Select Windows Azure Active Directory > Application permissions.

      3. Expand Application and select the checkbox for Application.Read.All (Read all applications).

      4. Click Add permissions to save this configuration.
  10. Click on Grant admin consent for... and click Yes.


Expand
titleEnable Intune MDM

To allow Windows 10 devices to enroll using Intune, Microsoft Intune Mobility MDM (Mobile Device Management) must be enabled.  

  1. Navigate to Azure Active Directory > Mobility (MDM and MAM) and select Microsoft Intune.
  2. Change MDM user scope to either All or limit the enrollment access to specific groups with the option Some.
  3. Make sure that MAM user scope is set to None. Mobile Application Management (MAM) must be inactive for Intune to work. 


Expand
titleConfigure Trusted certificate profiles

To establish the necessary certificate trust stores for the devices to successfully enroll with Intune, the following Trusted certificate profiles need to be configured: 

  • Computers trusted root store - Root CA

  • Computers trusted intermediate store - Root CA

  • Computers trusted intermediate store - Intermediate CA

Follow this guide to configure each of the trusted certificate profiles: 

  1. Navigate to the Azure Endpoint manager (https://endpoint.microsoft.com/).
  2. Navigate to Devices => Configuration Profiles, and select Create profile.
  3. Perform the following settings:
    1. Set Platform to Windows 10 or later.
    2. Set Profile type to templates.
    3. Select Template name to trusted certificate and click Create.
    4. Enter a profile name and optionally a description, then click Next.
    5. Upload the certificate that should be trusted, in DER format, and specify the 'Destination store'. Then click on next.
      1. For Root CA in trusted root store: upload the root CA certificate and set Destination store to Computer certificate store - Root.
      2. For Root CA in trusted intermediate store: upload the root CA certificate and set Destination store to Computer certificate store - Intermediate.
      3. For Intermediate CA in trusted intermediate store: upload the intermediate CA certificate and set Destination store to Computer certificate store - Intermediate.
    6. Configuring the access rights to this profile can be done either by applying it to all devices or by applying it to a selected group that the users requesting certificates via Intune will be a part of. Once the assignments have been configured click on next.
    7. If no device limitation is required, configuration of the accessibility rules can be skipped. Click on Next to proceed.
    8. Review your settings and verify that they are correct and then click on Create.


Expand
titleCreate SCEP certificate profile

A SCEP Certificate Profile needs to be created for Intune to know how the end user certificate should be defined and which CA to deliver the CSR to.

  1. Navigate to the Azure Endpoint manager at https://endpoint.microsoft.com/.
  2. Navigate to Devices > Configuration Profiles and select Create profile.
  3. Perform the following settings:
    1. Set Platform to Windows 10 or later.
    2. Set Profile type to templates.
    3. Select Template name to SCEP certificate and click Create.
    4. Enter a Profile name and optionally a Description. Click Next.
    5. The configurations determine the content of the CSR that will be sent to Protocol Gateway and should be adapted per installation.
      However, some settings are mandatory, for example the following:  
      1. Set Certificate type to Device.
      2. Set Key storage provider (KSP) to Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP.
      3. Set Root Certificate to the Root CA Trusted Profile that was configured in the trusted root store.
      4. In Extended key usage, add Client Authentication via the Predefined values.
      5. Set SCEP Server URLs to the Protocol Gateway Intune endpoint:

        Code Block
        titleExample: Protocol Gateway SCEP Intune endpoint
        https://example.com/pgwy/scep/intune


    6. Click on Next.
  4. Configure the access rights to the profile, either by applying it to all devices or by applying it to a selected group that the users requesting certificates via Intune will be a part of. Click on Next.
  5. If no device limitation is required, the configuration of the accessibility rules can be skipped. Click on Next
  6. Verify the settings and click on Create.


Configure Protocol Gateway SCEP for Intune

Expand
titleSet SCEP properties

To set the properties for the SCEP protocols: 

  1. Open scep.properties for editing.
    1. On Linux, this is found in /var/cm-gateway/conf.
    2. On Windows, this is found in C:/ProgramData/Nexus/cm-gateway/conf.
  2. Set the SCEP properties as follows: 
    1. Enable the SCEP protocol by setting start to true
    2. Set default.ra.keyfile to the Protocol Gateway RA token file and default.ra.password to the related PIN.

      Note

      The certificate format linked to the token procedure should not handle verifications (that is, rfc5280 can be used).


  3. In a handler, set the following Intune parameters, to be able to verify the incoming device CSRs: 

    1. Set filter and format according to the SCEP.properties example below. 
    2. Set tenant to the fully qualified domain name (FQDN) of the organization configured in Intune.
    3. Set azure_app_id to the Application (client) id that was received in the Register app section above.  
    4. Set azure_app_key to the Client secret that was received in the Register app section above.
    5. Set certificateAuthority to the name of the issuing CA for the end user certificates.

      Info

      For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.


  4. If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
  5. Save the file. 
Code Block
titleExample: SCEP.properties
# SCEP parameters
start = true
default.tokenprocedure = SCEP Registration and Enroll Procedure
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>

# Intune parameters
handler.x.filter = intune/pkiclient.exe
handler.x.format = scep-intune
handler.x.tenant = {azure-tenant}
handler.x.azure_app_id = {app-id}
handler.x.azure_app_key = {app-key}
handler.x.certificateAuthority = {CA_name}



Expand
titleRestart Tomcat
  1. Restart the Tomcat service. 

Enroll Windows 10 device

Expand
titleEnroll Windows 10 devices

See the following Microsoft guide on how to enroll Windows 10 devices: https://docs.microsoft.com/en-us/mem/intune/enrollment/quickstart-enroll-windows-device


Related information

External links

  • Certificate Manager is now listed as a third party CA software supporting Intune SCEP. Read more here.