Hello Everyone!
Recently SCEP certificate authentication was released for Intune with Android Enterprise devices. This means both COPE and Kiosk devices or whatever they are calling them these days.
I just finished setting this up for a customer and let me tell you there were some challenges. I don't have any screenshots of the issues but I just want to run down a list of gotchas that we ran into to help you do the same. Once we had all other platforms working (iOS, Android Legacy, Android Work Profile) we thought Android Fully Managed would be a simple reconfig. It was not.
1.) Deploy the sub cert out with the root, this should always be done in my opinion.
2.) Make sure the devices have a Compliance Policy assigned. Our kiosk devices originally were marked as non-compliant because we did not have one assigned, as they were already so locked down (this is just the way the customer had their environment configured). We were seeing the SCEP, Root, and Sub certs stuck as 'Pending'. This went on for a day or so until we got Microsoft Support on the line, who suggested the Compliance policy as a general fix. He alluded that this is something he does as a baseline because of, well, just Intune being Intune.
3.) I have done iOS kiosk devices in the past that are without user affinity and I have used the DNS attribute in the SAN name historically. You cannot do that with Android from what I have found. The WiFi settings on the device itself will not recognize a certificate unless it has the UPN in the SAN name. It will never even attempt a connection if you give it a DNS SAN cert.
4.) This could be just coincidence, but we supplied an external identity in our WiFi profile as well. We just used a generic name of Android Kiosk, and once it actually authenticated the identity changed to {{serialnumber}}@domain.com like it was supposed to.
5.) We had some issues with timeouts attempting to fetch the SCEP certs and WiFi policies. We were able to solve this by syncing from both the Intune app and the built-in Android Device Policy app. My running theory on this (and I'm sure I am going to butcher it) is that the Intune certificate connector doesn't look at any Google API syncs from the Device Policy app. So when you sync from there you receive the SCEP profile, you hit IIS, hit the connector, and then it just sits waiting for the Intune sync to validate and eventually times out. Moral of the story is to sync from both the Intune App and the Device Policy App.
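Here is a check I'd run against an issued cert for points 1 and 3 before blaming the device. This is an added example, not code from the original post. It assumes Windows PowerShell 5.1 on an English-language machine (the SAN text comes from the extension's Format() output, which is localized), and the path to the exported .cer is a placeholder.

```powershell
# Added example (not from the original post). Checks a SCEP-issued client certificate
# for two of the gotchas above: a UPN in the SAN (point 3) and a chain that builds to
# a deployed sub CA and root (point 1). Assumes Windows PowerShell 5.1 and an
# English-language OS, because the SAN text comes from X509Extension.Format().
function Test-ScepClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }

    # Format($true) emits one entry per line, e.g. "Principal Name=kiosk@contoso.com"
    # for the Microsoft UPN otherName and "DNS Name=host.contoso.com" for dNSName.
    $upns = @([regex]::Matches($sanText, 'Principal Name=(\S+)') | ForEach-Object { $_.Groups[1].Value })
    $dns  = @([regex]::Matches($sanText, 'DNS Name=(\S+)')       | ForEach-Object { $_.Groups[1].Value })

    # Build the chain from the local machine stores without contacting a CRL/OCSP
    # endpoint, so the result reflects only whether the root and sub CA certs are present.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)
    $chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        UpnSan      = $upns
        DnsSan      = $dns
        HasUpnSan   = ($upns.Count -gt 0)            # Android Wi-Fi needs this per the post
        ChainBuilds = $chainOk                        # false => root or sub CA missing on this host
        ChainDepth  = $chain.ChainElements.Count      # 3 = leaf + sub CA + root
        Chain       = $chainSubjects
        ChainErrors = $chainErrors
    }
}

# Usage: inspect a certificate exported as .cer from the issuing CA (placeholder path).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\PLACEHOLDER-kiosk-device.cer'
$result = Test-ScepClientCert -Certificate $cert
$result | Format-List
if (-not $result.HasUpnSan) { Write-Warning 'No UPN in SAN: the Android Wi-Fi stack will not attempt EAP-TLS with this cert.' }
if (-not $result.ChainBuilds) { Write-Warning 'Chain does not build here: deploy the sub CA cert alongside the root.' }
```

Run it on the NDES box or any domain member that received the same trusted-root profile; a ChainDepth of 2 with ChainBuilds false is the classic "root deployed, sub CA forgotten" symptom from point 1.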
This is all also assuming you have a healthy SCEP and PKI infra underneath everything which can be a task itself!
These are all just some thoughts from someone who has spent far too long poking at SCEP.
Send help in the form of miniature paints and Chipotle.
Best of luck!
Wednesday, December 18, 2019
Friday, December 8, 2017
Using a Public Certificate For Intune Certificates
Hello Everyone, long time no talk!
Today I want to go over an experience I had with a client setting up Certificate Based Authentication (CBA) to Exchange Online.
To give a brief rundown of how this is accomplished I will put a couple of bullet points below
1. Have an Internal PKI
2. Add an NDES Server to your PKI
3. Configure templates
4. Configure cert profiles in Intune
A great guide on how to accomplish this can be found here
https://www.scconfigmgr.com/2016/04/12/prepare-your-environment-for-scep-certificate-enrollment-with-microsoft-intune/
The issue I ran into comes from the use of a trusted public certificate to secure the IIS server and Intune Certificate Connector instead of one from your internal PKI as in the steps Nickolaj provided in his blog.
By default, the NDES Server places its own DNS name in certain registry values that it expects the certificate to have. When using a public cert, we need to change those values in the registry.
The keys that need to be changed can be found at
The values that hold the server name should be changed to the namespace on the public cert. See example below. Client information has been removed but you get the idea.
After this change was made our SCEP certificates were getting to the devices.
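A quick way to confirm the registry values line up with the public cert, as an added example rather than anything from the original post. The registry key and value names below are placeholders, since the post shows them in a screenshot that is not reproduced here; the thumbprint is the public cert sitting in the local machine store.

```powershell
# Added example (not from the original post). Compares the server name(s) NDES stored
# in the registry against the DNS names on the public certificate used for IIS and the
# Intune Certificate Connector. The registry path and value names are PLACEHOLDERS:
# the post identifies them in a screenshot that is not reproduced here.
function Compare-NdesHostnameToCert {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # PLACEHOLDER: replace with the key shown in the post's screenshot
        [string]$RegistryPath = 'HKLM:\SOFTWARE\PLACEHOLDER\NdesKey',
        # PLACEHOLDER: the value names that hold the server name
        [string[]]$ValueName = @('PlaceholderServerNameValue')
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # DNS names the public cert actually carries: the subject CN plus every dNSName SAN entry.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $certNames = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    if ($san) {
        $certNames += @([regex]::Matches($san.Format($true), 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value })
    }
    $certNames = @($certNames | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)

    $props = Get-ItemProperty -Path $RegistryPath
    foreach ($name in $ValueName) {
        $configured = ([string]$props.$name).ToLowerInvariant()
        # Accept an exact hostname match, or a wildcard cert covering the same parent domain.
        $hit = $certNames | Where-Object {
            $_ -eq $configured -or
            ($_.StartsWith('*.') -and $configured.EndsWith($_.Substring(1)))
        }
        [pscustomobject]@{
            ValueName        = $name
            ConfiguredName   = $configured
            CertificateNames = ($certNames -join ', ')
            Matches          = [bool]$hit
        }
    }
}

# Usage (placeholder thumbprint): any row with Matches = False is a value to correct.
Compare-NdesHostnameToCert -Thumbprint 'PLACEHOLDER_THUMBPRINT' | Format-Table -AutoSize
```

The comparison is case-insensitive because DNS names are, and the wildcard branch matters when the public cert is a *.domain.com cert rather than one issued to the NDES hostname.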
Hope this helps someone out there that may be hung up on this issue.
Until next time.
Wednesday, May 24, 2017
Intune NDES Connector
Hello Everyone!
Short post here today.
I have recently been doing a lot more Intune work and ran into a small gotcha that was not documented by Microsoft anywhere.
I am not going to dive into the details of setting up an NDES server or PKI infrastructure, god have mercy on you if you have to do this and don't know how, but what I will do is link you to some good articles.
The official document from MS - Take heed my warning comment and the one from Sassan!
https://docs.microsoft.com/en-us/intune-classic/deploy-use/Configure-certificate-infrastructure-for-scep
My preferred document
https://www.scconfigmgr.com/2016/04/12/prepare-your-environment-for-scep-certificate-enrollment-with-microsoft-intune/
Both very similar documents but the second one is easier to follow and a little more fleshed out in my opinion.
What I want to address today is this part

This is where you create the certificate that the Intune Connector is going to use. What it doesn't tell you is that this connector does not accept certs issued with a template above schema version 2.
See here

So if you are using custom templates and are on more than schema 2 do not copy from that template, use the built in template.
The Intune Connector does not tell you why the install fails, only that it does.
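To find out which templates the connector will reject before you copy one, here is an added example (not from the original post) that lists every template in the forest with its schema version. It assumes a domain-joined machine and reads AD through ADSI, so it does not need the RSAT AD module.

```powershell
# Added example (not from the original post). Lists the certificate templates
# published in Active Directory with their schema version, so you can see which
# ones the Intune Certificate Connector will reject (schema version above 2).
# Assumes a domain-joined machine; uses ADSI directly, so RSAT is not required.
function Get-CertTemplateSchemaVersion {
    # Templates live in the forest-wide Configuration partition.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNC  = $rootDse.configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    foreach ($template in $container.Children) {
        $version = [int]$template.Properties['msPKI-Template-Schema-Version'].Value
        [pscustomobject]@{
            Name          = [string]$template.Properties['cn'].Value
            DisplayName   = [string]$template.Properties['displayName'].Value
            SchemaVersion = $version
            # 1 = Windows 2000, 2 = Server 2003, 3 = Server 2008, 4 = Server 2012 (minimum CA OS)
            ConnectorOk   = ($version -le 2)
        }
    }
}

# Show the offenders first; the built-in templates (schema 1 and 2) are safe to copy from.
Get-CertTemplateSchemaVersion | Sort-Object SchemaVersion -Descending | Format-Table -AutoSize
```

Duplicating a built-in template on a 2012 or newer CA defaults the copy to a higher schema version, so check the copy's row here too, not just the original you cloned.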
Sometimes I just....
(╯°□°)╯︵ ┻━┻