Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview

With the recent updates of Microsoft Intune it is possible now deploying certificate profiles using Network Device Enrollment Service (NDES) to mobile devices.

In this blog series I’ll cover the different aspects of certificate enrollment proces by using Microsoft Intune (standalone).

• Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview
• Part 2 – Deploy certificates to mobile devices using Microsoft Intune NDES – Connector
• Part 3 – Deploy certificates to mobile devices using Microsoft Intune NDES – Deployment
• Part 4 – Deploy certificates to mobile devices using Microsoft Intune NDES – Troubleshooting

Overview

Before going in details about NDES and hereby an brief overview of how NDES process works in relation to Microsoft Intune.

1. Administrator configures SCEP Certificate Profile (policy) in Microsoft Intune. The cert policy are used to create the challenge for the device(s). Challenge is based on a number of variables, an important one is the requestor (alias) that can not be tampered with the profile.
2. Policy (profile) is pushed instantly to mobile devices by Microsoft Intune. This policy contains the URL of the NDES server as well as the challenge generated by Microsoft Intune.
3. Device contacts the NDES server using the URL from #3 and provides the challenge response. (This is why your NDES server needs to be available externally in some way)
4. NDES Server (using Microsoft Intune NDES connector) talks to the Certificate Registration Service to validate the challenge.
5. The Certificate Registration Service on the NDES server has access to the necessary certificate to decrypt and inspect the challenge to verify the CSR (Certificate Signing Request) was not tampered with.
6. Microsoft Intune responds to NDES server with “true” or “false” to challenge verification (Again, over 443 SSL).
7. If challenge is OK then the NDES server communicates with the CA to get a certificate for the device. You’ll need to make sure that the appropriate ports are open between NDES and CA for this to happen.
8. NDES delivers certificate to mobile device. Private key is generated on the device and marked as non-exportable.

NDES: Microsoft Intune vs. Configuration Manager 2012 R2

It was already possible for Configuration Manager 2012 R2 + Microsoft Intune (UDM) administrators to deploy certificate profiles. Both scenarios shares on-premise infrastructure components such as a Domain Controller (ADDS), Certificate Authorithy (ADCS) and Network Device Enrollment Service (NDES). In a Microsoft Intune standalone scenario no such components like Microsoft Intune connector and Certificate Registration Point (CRP) are required. In other words less infrastructure components

Key difference is the role of certificate registration service. In a hybrid UDM scenario the certificate registration service is a site system role (CRP) in Configuration Manager 2012 R2 where in a standalone scenario the certificate registration service is part of the Microsoft Intune NDES connector installation installed on NDES server.

Background

NDES allows mobile devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). The user certificates can be used for managing company resources (E-mail, WiFi- and VPN profiles) instead of using user name + password. This existing technique is recently emphatically re-evaluated by the use and application for mobile device management in relation to BYOD scenarios.

Certificate profiles in Microsoft Intune work with Active Directory Certificate Services and the Network Device Enrollment Service role to provision authentication certificates for managed devices so that users can seamlessly access company resources. For example, you can create and deploy certificate profiles to provide the necessary certificates for users to initiate VPN and wireless connections.

Certificate profiles in Intune provide the following management capabilities:

• Certificate enrollment and renewal from an enterprise certification authority (CA) for devices that run iOS, Windows 8.1, Windows Phone 8.1 and Android, These certificates can then be used for Wi-Fi and VPN connections.
• Deployment of trusted root CA certificates and intermediate CA certificates to configure a chain-of-trust with devices for VPN and Wi-Fi connections when server authentication is required.
• Monitor and report about the installed certificates.

Certificate profiles can automatically configure user devices so that company resources such as Wi-Fi networks and VPN servers can be accessed without having to install certificates manually or use an out-of-band process. Certificate profiles can also help to keep company resources secure because you can use more secure settings that are supported by your enterprise public key infrastructure (PKI). For example, you can require server authentication for all Wi-Fi and VPN connections because you have provisioned the required certificates on the managed devices.

There are two types of certificate profile in Intune:

• Trusted CA certificate – Allows you to deploy a trusted root CA or intermediate CA certificate to form a certificate chain-of-trust when the device is authenticated by a server.
• Simple Certificate Enrollment Protocol (SCEP) settings – Allows you to request a certificate for a device or user, by using the SCEP protocol and the Network Device Enrollment Service on a server running Windows Server 2012 R2.

In the next blog – part 2 – I will cover the prerequisites and installation of the Microsoft Intune NDES connector.

Resources

Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)

SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune

Enable access to company resources using certificate profiles