Example: SCEP Intune configuration in Protocol Gateway

The following prerequisites apply:

• Protocol Gateway must be installed. See Install Protocol Gateway.
• Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway. 
• Microsoft Intune must be set up according to https://docs.microsoft.com/en-us/mem/intune/fundamentals/setup-steps
• The SCEP RA certificate must be issued by the same CA that issues the device certificates. Create an RA certificate in PKCS#12 format containing the full CA chain with the following keyusages or extended keyusages:
  
  • Digital Signature
  • Key Encipherment
  • Certificate Request Agent

To authorize communication between Protocol Gateway and Azure Intune you need to create a new registration app in your company Azure portal.

1. Navigate to the Azure Portal at https://portal.azure.com/.
2. Navigate to Azure Active Directory > App registrations and select New registration.
3. Give the app registration a Name, which is the user-facing display name, for example Intune App. 
4. Set Supported account types to Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

5. In Redirect URI, select Web and set the URI to the Protocol Gateway SCEP Intune endpoint:

   Example: Protocol Gateway SCEP Intune endpoint

   CODE

   https://example.com/pgwy/scep/intune/pkiclient.exe

6. Click on Register to finalize the app registration.
7. You are directed to the App overview page. Copy the Application (client) id, this is your app id and needs to be configured in the Protocol Gateway SCEP properties later.
8. Navigate to Certificates & secrets and create a Client secret. Copy the value before leaving the page, it can not be retrieved later. This value needs to be configured in the Protocol Gateway SCEP properties later. 

9. Navigate to API permissions. You need to add two separate application permissions.
   Click Add a permission and then:

   1. On the Request API permissions page, select Intune and then select Application permissions.

      1. Select the checkbox for scep_challenge_provider (SCEP challenge validation).
      2. Click Add permissions to save this configuration.

      3. Click Add a permission again.

   2. On the Request API permissions page, select Microsoft Graph > Application permissions.

      1. Expand Application and select the checkbox for Application.Read.All (Read all applications).

      2. Click Add permissions to save this configuration.

      3. Click Add a permission again.

10. Click on Grant admin consent for... and click Yes.

To allow Windows 10 devices to enroll using Intune, Microsoft Intune Mobility MDM (Mobile Device Management) must be enabled.  

1. Navigate to Azure Active Directory > Mobility (MDM and MAM) and select Microsoft Intune.
2. Change MDM user scope to either All or limit the enrollment access to specific groups with the option Some.
3. Make sure that MAM user scope is set to None. Mobile Application Management (MAM) must be inactive for Intune to work. 

To establish the necessary certificate trust stores for the devices to successfully enroll with Intune, the following Trusted certificate profiles need to be configured: 

• Computers trusted root store - Root CA

• Computers trusted intermediate store - Root CA

• Computers trusted intermediate store - Intermediate CA

Follow this guide to configure each of the trusted certificate profiles: 

1. Navigate to the Azure Endpoint manager (https://endpoint.microsoft.com/).
2. Navigate to Devices => Configuration Profiles, and select Create profile.
3. Perform the following settings:
   
   1. Set Platform to Windows 10 or later.
   2. Set Profile type to templates.
   3. Select Template name to trusted certificate and click Create.
   4. Enter a profile name and optionally a description, then click Next.
   5. Upload the certificate that should be trusted, in DER format, and specify the 'Destination store'. Then click on next.
      
      1. For Root CA in trusted root store: upload the root CA certificate and set Destination store to Computer certificate store - Root.
      2. For Root CA in trusted intermediate store: upload the root CA certificate and set Destination store to Computer certificate store - Intermediate.
      3. For Intermediate CA in trusted intermediate store: upload the intermediate CA certificate and set Destination store to Computer certificate store - Intermediate.
   6. Configuring the access rights to this profile can be done either by applying it to all devices or by applying it to a selected group that the users requesting certificates via Intune will be a part of. Once the assignments have been configured click on next.
   7. If no device limitation is required, configuration of the accessibility rules can be skipped. Click on Next to proceed.
   8. Review your settings and verify that they are correct and then click on Create.

A SCEP Certificate Profile needs to be created for Intune to know how the end user certificate should be defined and which CA to deliver the CSR to.

1. Navigate to the Azure Endpoint manager at https://endpoint.microsoft.com/.
2. Navigate to Devices > Configuration Profiles and select Create profile.
3. Perform the following settings:
   1. Set Platform to Windows 10 or later.
   2. Set Profile type to templates.
   3. Select Template name to SCEP certificate and click Create.
   4. Enter a Profile name and optionally a Description. Click Next.
   5. The configurations determine the content of the CSR that will be sent to Protocol Gateway and should be adapted per installation.
      However, some settings are mandatory, for example the following:  
      1. Set Certificate type to Device.
      2. Set Key storage provider (KSP) to Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP.
      3. Set Root Certificate to the Root CA Trusted Profile that was configured in the trusted root store.
      4. In Extended key usage, add Client Authentication via the Predefined values.

      5. Set SCEP Server URLs to the Protocol Gateway Intune endpoint:

         Example: Protocol Gateway SCEP Intune endpoint

         CODE

         https://example.com/pgwy/scep/intune

   6. Click on Next.
4. Configure the access rights to the profile, either by applying it to all devices or by applying it to a selected group that the users requesting certificates via Intune will be a part of. Click on Next.
5. If no device limitation is required, the configuration of the accessibility rules can be skipped. Click on Next. 
6. Verify the settings and click on Create.

To set the properties for the SCEP protocols: 

1. Open scep.properties for editing.
   1. On Linux, this is found in /var/cm-gateway/conf.
   2. On Windows, this is found in C:/ProgramData/Nexus/cm-gateway/conf.
2. Set the SCEP properties as follows: 
   1. Enable the SCEP protocol by setting start to true. 

   2. Set default.ra.keyfile to the Protocol Gateway RA token file and default.ra.password to the related PIN.

      

      The certificate format linked to the token procedure should not handle verifications (that is, rfc5280 can be used).

3. In a handler, set the following Intune parameters, to be able to verify the incoming device CSRs: 

   1. Set filter and format according to the SCEP.properties example below. 
   2. Set tenant to the fully qualified domain name (FQDN) of the organization configured in Intune.
   3. Set azure_app_id to the Application (client) id that was received in the Register app section above.  
   4. Set azure_app_key to the Client secret that was received in the Register app section above.

   5. Set certificateAuthority to the name of the issuing CA for the end user certificates.

      

      For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.

4. If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
5. Save the file. 

# SCEP parameters
start = true
default.tokenprocedure = SCEP Registration and Enroll Procedure
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>

# Intune parameters
handler.x.filter = intune/pkiclient.exe
handler.x.format = scep-intune
handler.x.tenant = {azure-tenant}
handler.x.azure_app_id = {app-id}
handler.x.azure_app_key = {app-key}
handler.x.certificateAuthority = {CA_name}

Additional optional attributes for Intune, revocation via Intune and proxy are available and described in the SCEP INTUNE section of the scep.properties file.

1. Restart the Tomcat service. 

See the following Microsoft guide on how to enroll Windows 10 devices: https://docs.microsoft.com/en-us/mem/intune/enrollment/quickstart-enroll-windows-device. 

To forcefully sync a Windows 10 device against the Intune MDM it is possible to do the following:

1. Start an instance of the Microsoft Edge web browser.
2. Enter the url: ms-device-enrollment:?mode=mdm
3. Follow the on-screen directions to authenticate and connect the device.