Certificates & Intune

When planning to deploy certificates with Intune, two questions come up immediately:

  • Do I need to deploy a user certificate or a device certificate? (A device certificate identifies the machine regardless of who is signed in; a user certificate follows the user.)
  • What can I do with these certificates?

The most common scenario is network authentication with a device or user certificate: authenticating to the VPN, to corporate Wi-Fi (802.1X) or to the wired corporate LAN. The same certificates can also be used for signing and encrypting email (S/MIME).

Some Basics first...

Access to any application goes through two steps:

  • Authentication – the identity of the user (or device) is verified.
  • Authorization – the authenticated identity is evaluated against a set of conditions, and on that basis access is granted or denied.

Think of the conventional setup, where users had to type their credentials every time they authenticated to a corporate connection or resource. Certificate-based authentication is both more secure and more seamless: the credential is a private key held on the device rather than a password that can be phished or reused, and users are no longer prompted for credentials each time they connect.

Using Intune, you can deliver certificates with two main profile types, Simple Certificate Enrollment Protocol (SCEP) and Public Key Cryptography Standards (PKCS); a third, imported PKCS, pushes an existing PFX to devices. The practical difference is where the private key is generated. With SCEP the device generates the key pair itself and sends only a certificate signing request, so the private key never leaves the device (on Windows it can be generated in the TPM). With PKCS the key pair is generated on-premises by the Intune Certificate Connector and the certificate is delivered to the device together with its private key.

SCEP or PKCS? Both have their own advantages and disadvantages. SCEP gives every device a unique key that stays on the device, but with a Microsoft CA it needs an NDES server in front of the CA; PKCS is simpler to stand up, and if every device of a user must hold the same key (for example to decrypt S/MIME mail on all of them) that is an imported PKCS scenario rather than SCEP. Please discuss this thoroughly within your teams/organization to decide which one to configure and deploy.

However, there are certain prerequisites before you deploy SCEP or PKCS certificates; you should have:

  • Certification Authority – a Microsoft CA (Active Directory Certificate Services) or a supported third-party CA.
  • On-premises infrastructure – depends on the profile type: SCEP with a Microsoft CA needs an NDES server plus the Intune Certificate Connector; PKCS and imported PKCS need the Intune Certificate Connector installed on a server that can reach the CA.
  • Trusted root certificate – the CA's root (and any issuing CA) certificates, deployed with a Trusted certificate profile in Intune. The SCEP or PKCS profile references this profile, so it has to exist first.

Once the trusted root certificate profile is deployed, you can deploy SCEP or PKCS certificate profiles to provide users and devices with certificates for authentication.
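To check the result on a Windows 10/11 endpoint, here is a PowerShell audit I have added to this post (it is not part of Intune or of the original text). It lists the Client Authentication certificates in the device store and in the user store, builds each certificate's chain against the roots present on the machine, optionally compares the chain's root with the thumbprint of the root you pushed through the Trusted certificate profile, and reports where the private key lives, which is how you tell a TPM-resident SCEP key from a key that was generated elsewhere and imported. The EKU OID, the store paths and the "Microsoft Platform Crypto Provider" name are standard Windows values; the root thumbprint is a placeholder you replace with your own. Run it elevated so that keys in the machine store can be read.

```powershell
# Added example, not from the original post or from Intune itself.
# Audits certificates that a SCEP/PKCS profile delivered to a Windows 10/11 device.
# Run in an elevated PowerShell session so keys in the machine store are readable.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                  # Client Authentication EKU
$TpmProvider   = 'Microsoft Platform Crypto Provider' # KSP name when the key is TPM-resident

# Device certificates live in the machine store, user certificates in the user's store.
# A profile targeted at the wrong scope shows up under the wrong Scope below.
$Stores = [ordered]@{
    Device = 'Cert:\LocalMachine\My'
    User   = 'Cert:\CurrentUser\My'
}

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $info = [PSCustomObject]@{ Provider = $null; Exportable = $null }
    if (-not $Cert.HasPrivateKey) { return $info }

    try {
        # Handles both CNG (KSP) and legacy CAPI (CSP) keys; $Cert.PrivateKey is $null for CNG keys.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $info.Provider   = $rsa.Key.Provider.Provider
            $info.Exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
        }
        elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info.Provider   = $rsa.CspKeyContainerInfo.ProviderName
            $info.Exportable = $rsa.CspKeyContainerInfo.Exportable
        }
    }
    catch {
        # Access denied (non-elevated session against the machine store) or a non-RSA key.
        $info.Provider = "unreadable: $($_.Exception.Message)"
    }
    return $info
}

function Get-IntuneCertificateReport {
    param(
        # Thumbprint of the root pushed by the Trusted certificate profile (placeholder, supply your own).
        [string]$RootThumbprint
    )

    foreach ($scope in $Stores.Keys) {
        $certs = Get-ChildItem -Path $Stores[$scope] -ErrorAction SilentlyContinue |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid }

        foreach ($cert in $certs) {
            # Build the chain from the stores on this machine. Revocation is skipped here because
            # the VPN/RADIUS server, not the endpoint, is where revocation is enforced.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $chainOk = $chain.Build($cert)

            $rootMatches = 'n/a'
            if ($RootThumbprint -and $chain.ChainElements.Count -gt 0) {
                $root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                $rootMatches = ($root.Thumbprint -eq $RootThumbprint)
            }

            $key = Get-PrivateKeyInfo -Cert $cert

            [PSCustomObject]@{
                Scope         = $scope
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                ChainValid    = $chainOk
                ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
                RootMatches   = $rootMatches
                HasPrivateKey = $cert.HasPrivateKey
                KeyProvider   = $key.Provider
                TpmBacked     = ($key.Provider -eq $TpmProvider)
                Exportable    = $key.Exportable
            }
            $chain.Dispose()
        }
    }
}

# Usage: replace the placeholder with the thumbprint shown on your Trusted certificate profile.
Get-IntuneCertificateReport -RootThumbprint '<root-thumbprint>' | Format-Table -AutoSize
```

Read the output per row: a certificate under the wrong Scope means the profile was targeted at users when you wanted devices (or vice versa); ChainValid false with a status such as UntrustedRoot or PartialChain means the Trusted certificate profile has not landed on this device; TpmBacked true with Exportable false is what a SCEP profile set to the TPM KSP should produce, whereas a PKCS-delivered key will show a software provider because it was generated on the connector and transported in a PFX.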

Supported platforms for deploying certificate profiles

  1. Android Device Administrator (Legacy)
  2. Android Enterprise – Fully Managed (Device Owner)
  3. Android Enterprise – Dedicated (Device Owner)
  4. Android Enterprise – Corporate-Owned Work Profile
  5. Android Enterprise – Personally-Owned Work Profile
  6. Android (AOSP)
  7. macOS
  8. iOS/iPadOS
  9. Windows 10/11