Part 1 – Deploying Microsoft Intune PFX connector in an Enterprise world…common practices

Last year I had the change to implement PFX certificate infrastructure for a large enterprise customer. Occasion of the project was a migration of Citrix XenMobile (XDM) to Microsoft Intune as strategic mobile device- and application management solution.

In a series of blogposts I’m sharing my experiences, design decisions, common practices and challenges of implementing Microsoft Intune PFX connector as certificate deployment mechanism in an enterprise environment.

• Part 1 – Deploying Microsoft Intune PFX connector in an Enterprise world: common practices
• Part 2 – Deploying Microsoft Intune PFX connector in an Enterprise world: troubleshooting

One of the main challenges was providing the same level (IST) of security controls but preferably the proposed solution has to provide a higher level of security (SOLL). Another complicating factor was an organization merge to a single infrastructure while maintaining functionality during migration, as a big-bang migration was no option. In this blog I’ll not go into details of the migration itself (although this topic might a blog worthwhile).

As the default Microsoft Conditional Access (CA) didn’t provide the full desired functionality, protecting on premise resources including and securely unlocking line of business apps and access to corporate Wi-Fi network. During the design phase we were considering multiple options and facing ditto challenges with pros and cons. Our best fit, given the architectural design principal and available technology was Certificate Based Authentication (CBA). Using CBA provided us a single solution which fulfills most of our requirements in relative ease way with respect to the current infrastructure.

• Providing secure (conditional) access to e-mail based on Microsoft Exchange on premise;
• Providing secure access to corporate (back-end) resources using auto-VPN;
• Seamless experience of connecting to secure corporate Wi-Fi networks;
• Access to all corporate resources blocked/revoked in a single action.

As we implemented Microsoft Intune in a standalone (cloud only) scenario we had the option to implement a certificate infrastructure to deploy user certificates to devices by using the Intune Certificate connector. The Intune Certificate connector offers two options to deploy certificates :

• Certificate infrastructure based on SCEP (Simple Certificate Enrollment Protocol)
• Certificate infrastructure based on PFX (Personal Information Exchange) aka PKCS12* (Public Key Cryptographic Standards)

*https://en.wikipedia.org/wiki/PKCS 

Simple Certificate Enrollment Protocol (SCEP)

• Mobile device generates the private/public key pair;
• Unlike PFX method, the private key never leaves the device;
• Unique key and certificate on every device allows certificate revocation for just a specific device;
• Has larger infrastructure footprint compared to PFX (complex);
• Supports Windows Hello for Business certificate based scenario.

 

Challenge	Solution
An old protocol designed for closed networks. Does not strongly authenticate certificate requests	Intune and Configuration Manager integrates closely with Network Device Enrollment Service (part of Active Directory Certificate Services) to provide higher security of certificate requests
Private keys can be exported from client devices	Devices must be rooted or jail broken, and Intune can detect these devices. Certificates for Windows and Windows Mobile can be protected by TPM

Personal Information Exchange (PFX)

• MDM servers generates private key and certificate and deploys it to the mobile device.
• Entire certificate is self-contained and can be issued on behalf of the user and stored in Intune’s KRA (Key Recovery Agent)
• The same certificate can be distributed to multiple devices of the same user. Thus, provides S/MIME support for email encryption and digital signatures
• Has smaller infrastructure footprint compared to SCEP (simplified).

Challenge	Solution
How does Intune secure PFX files	The PFX file is always encrypted by Intune’s KRA certificate and the device management certificate to which it is targeted

The solution

We decided to implement certificate infrastructure based on PFX to deploy user certificates and allows us to achieve the requirements mentioned above including certificate based authentication (CBA) which allows us to access various applications like e-mail-, VPN-, Wi-Fi profiles.

The process

Certificate traffic originates shortly after enrollment of a device as it will receive a certificate profile policy. Intune is aware of this enrollment and sends a certificate request to the PFX connector. The PFX connector will “forward” this request to the Issuing certificate authority (CA). The Issuing CA receives the request and will create a user certificate, based on a pre-configured certificate template. The CA will send the certificate to the PFX connector. The PFX connector sends the certificate to Intune. Intune ultimately sends the certificate to the device of the user that has started the enrollment.

1. Intune administrator creates a PFX certificate profile and deploys it;
2. Intune service sends a certificate request to the PFX connector;
3. The PFX connector receives the PFX blob and send the certificate request including configuration to the on-perm CA;
4. The CA issues an user certificate and sends it back to the PFX connector;
5. The PFX connector sends the encrypted user certificate to the Intune service;
6. Intune decrypts the PFX user certificate with KRA and re-encrypts the certificate using the device management certificate, then sends it to the device.
7. The certificate status is reported back to the Intune service.

High Availability

Important subjects for an enterprise architecture are most often non-functional requirements. An enterprise architecture must provide a high available solution taking into account disaster recovery process/procedures. By design the PFX connector doesn’t provide support for high availability. The PFX connector is installed as an single instance with no option for multiple active PFX connectors. You can install multiple PFX connectors but there can only one active at the same time.

Multiple PFX connectors can be installed however only a single PFX connector can be actively registered to the Intune service to perform operational certificate tasks such as certificate requests, renewals or revocations. As the PFX connector is key component in this solution we required to provide a disaster recovery plan to minimize downtime in case of failure. Devices which contains a valid certificate are not directly effected as they’re still able to access corporate resources. Once a devices is retired/wiped we must be sure that the certificate is removed on the device, but more important the certificate is revoked on the CA.

Below some examples of disaster recovery scenarios whereby the second PFX connector is pre-installed on a 2nd server which is already pre-configured (prerequisites like firewall, connectivity, etc.).

Revocation

Besides issuing- and renewing certificates, the revocation process is the most critical process of certificate based authentication. In case when an user is leaving the organization or in occasion of a lost/stolen device, we must be sure that access to corporate resources is prohibited instantly.

The table below shows you an overview the action performed based on an event occurred. In a hybrid scenario the Certificate Registration Point (CRP) initiates the revocation whereby in a standalone scenario the PFX connector issues the revocation action.

Event	Intune Standalone	Intune Hybrid
Retire (User initiated)	Certificate deleted & revoked	Certificate deleted & revoked
Retire (Admin initiated)	Certificate deleted & revoked	Certificate deleted & revoked
Block	N/A	Revoked
Delete	N/A	Certificate deleted & revoked
Leave group/collection	Certificate deleted & revoked	Certificate deleted & revoked
Delete SCEP/PFX profile	Certificate deleted & revoked	Certificate deleted & revoked
Remove targeting / deployment	Certificate deleted & revoked	Certificate deleted & revoked

In my next blog of this series I’ll go into more details about where to start troubleshoot when you’re facing issues deploying certificates using Microsoft Intune PFX connector. We’ll drill down into the behavior and anatomy of the Microsoft Intune Connector.

In meantime stay productive and secure! :-)

Sources

• Configure certificate infrastructure (classic Intune portal)

https://docs.microsoft.com/en-us/intune/deploy-use/configure-certificate-infrastructure-for-pfx

• How to configure certificates in Microsoft Intune (new Intune Azure portal)

https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-certificates

• Configure your Microsoft Intune certificate infrastructure for PKCS (PFX)

https://docs.microsoft.com/en-us/intune-azure/configure-devices/configure-certificate-infrastructure-for-pfx

• Configure certificate infrastructure for SCEP in Microsoft Intune

https://docs.microsoft.com/en-us/intune-azure/configure-devices/configure-certificate-infrastructure-for-scep