Part 3 – Deploy certificates to mobile devices using Microsoft Intune NDES – Deployment

In the first two blog posts I covered the theory how deployment of certificates works to mobile devices using Microsoft Intune NDES connector followed by setup and configuring the connector.

• Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview
• Part 2 – Deploy certificates to mobile devices using Microsoft Intune NDES – Connector
• Part 3 – Deploy certificates to mobile devices using Microsoft Intune NDES – Deployment
• Part 4 – Deploy certificates to mobile devices using Microsoft Intune NDES – Troubleshooting

In this third blog – part 3 – I’ll outline the depoyment of both Trusted CA Certificate Profile and SCEP Certificate profiles to mobile devices.

Deployment

Before you can deploy a Simple Certificate Enrollment Protocol settings profile, you must create a Trusted CA certificate profile. You will need to have one of each of these profiles for each tenant server and for each mobile device platform.

The policy templates for both Trusted Certificate Profile and SCEP Certificate profiles are available for Android 4 >, iOS 5 >, Windows 8.1 > and Windows Phone 8.1 >.

Imported: take into account when defining SCEP Certificate Profile policies, the properties configured (key usage, validity period, size, hash-algorithm & extended key usage) corresponds with your NDES certificate template!

• In the Intune administration console, click Policy > Add Policy
• Select Trusted Certificate Profile (Windows Phone 8.1 and later) and click Create Policy

• Use the following to configure settings for an Android, iOS, or Windows Phone 8.1 Trusted Certificate Profile:
  • Name (Provide a descriptive name for the certificate profile)
  • Description (Provide an optional description for the certificate profile)
  • Certificate file (Click Import to select the Root CA certificate).

• When you are finished, click Save Policy. You’ll be prompted to deploy the created Trusted CA certificate profile policy.

• Deploy the Trusted CA certificate profile policy preferably to a user group (not a device group), as this will allow certificates to be published to the device very quickly after it is enrolled.

After you have created a Trusted CA certificate profile, you can create SCEP certificate profiles to allow you to deploy certificates to mobile devices.

• In the Microsoft Intune administration console, click Policy > Add Policy.
• Select SCEP Certificate Profile (Windows Phone 8.1 and later) and click Create Policy

• Use the following to configure settings for a Windows Phone 8.1 and later SCEP Certificate Profile:
  • Name (Provide a descriptive name for the certificate profile)
  • Description (Provide an optional description for the certificate profile)
  • Renewal threshold (%) (Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate)
  • Key Storage Provider (KSP)Specify where the key to the certificate will be stored. Choose from one of the following:
    • Install to Trusted Platform Module (TPM) if present – Installs the key to the TPM. If the TPM is not present, the key will be installed to the storage provider for the software key.
    • Install to Trusted Platform Module (TPM) otherwise fail – Installs the key to the TPM. If the TPM module is not present, the installation will fail.
    • Install to Software Key Storage Provider – Installs the key to the storage provider for the software key.
  • SCEP server URL (For example, a SCEP server URL could be the following: https://yourdomain.com/certsrv/mscep/mscep.dll. You can publish your SCEP server by Web Application Proxy, Azure Application Proxy or a 3rd party reverse proxy.)

• Subject name format (From the list, select how Intune automatically creates the subject name in the certificate request. If the certificate is for a user, you can also include the user’s email address in the subject name)
• Subject Alternative Name (Choose how Intune automatically creates the values for the subject alternative name (SAN) in the certificate request)
• Certificate validity period (Specify the amount of time before the certificate expires)
• Key Usage
  • Specify key usage options for the certificate. You can choose from the following options:
    • Key Encipherment Certificate can be used for encryption.
    • Digital Signature – Data can be digitally signed by this certificate.
• Key size (bits) (Select the size of the key in bits. 1024 or 2048)
• Hash algorithm (Select one of the available hash algorithm types to use with this certificate. Select the strongest level of security that the connecting devices support)
• Extended Key Usage (Click Select to add values for the certificate’s intended purpose. In most cases, the certificate will require Client Authentication so that the user or device can authenticate to a server. However, you can add any other key usages as required)

• Select Root Certificate. Click Select to choose a root CA certificate profile that you have previously configured and deployed to the user or device. This CA certificate must be the root certificate for the CA that will issue the certificate that you are configuring in this certificate profile.

• When you are finished, click Save Policy. You’ll be prompted to deploy the created SCEP certificate profile policy.

• Deploy the SCEP Certificate profile policy preferably to a user group (not a device group), as this will allow certificates to be published to the device very quickly after it is enrolled.

• After refreshing my workplace policy on my Windows Phone device, both Trusted Certificate Profile and SCEP Certificate Profile policy came down to my device.

The challenge response from my device is sent to the NDES server and being verified. When the challenge response is ok, a certificate is generated by the certifcate authority and send to my Windows Phone.

Using the Certificate Compliance Reports in Microsoft Intune provides you the possibility to monitor the status of issued certificates and there compliance status.

With this I have come to the end of 3rd blog post in the series of how to deploy certificates to mobile devices using Microsoft Intune NDES connector. In the last blog post I’ll cover the proces of throubleshooting the setup and configuration of the Microsoft Intune NDES Connector…probably the most interested one of this series.

So this is it for this year…stay tuned and hopefully ‘til next year! Have a good end year and best wishes for 2015…