This will be the last Christmas blog post from Coretech in 2014. A huge thanks to all of you who followed our Christmas blogs in December. @Coretech we wish you and your loved ones a Merry Christmas and a Happy New Year – We look forward to service you again in 2015 with knowledge, inspiration and best practices on Microsoft technologies
One of the many need features offered by ConfigMgr & Intune is the ability to deploy certificates and WIFI profiles. Both are essential when implementing a MDM/BYOD strategy.
Creating the required SCEP certificate for iOS
As mentioned in a previous blog post, iOS do not support Signature in proof of origin in the NDES General Purpose certificate. In this example the Root certificate and the required NDES certs are already created.
- In the Assets and Compliance workspace, select Compliance Settings, Company Resource Access, Certificate Profiles and create a new SCEP certificate.
- On the SCEP Enrollment page, configure these settings and click Next:
Retries = 5
Retry delays = 2
Devices for certificate enrollment = Allow certificate enrollment of any device.
- On the Certificate Properties page, configure these settings and click Next:
Certificate template name: Select the NDES certificate
Certificate type: User
Subject name format: Common name
Subject alternative name: User Principal name (UPN)
Extended key usage: Client Authentication (comes from the certificate)
Root Ca certificate: Your root certificate, notice this must also be deployed thru ConfigMgr/Intune
- On the Supported Platforms page, select the iOS devices and finish the wizard. I prefer to have a SCEP profile for each of the supported mobile devices Windows Phone, Android and iOS
- Once the certificate profile is created, you should deploy it to all Intune users (not to any devices, always users!)
Create the iOS WI-FI profile
In this example I’ll take you thru the creation of a WI-FI profile using the SCEP certificate created above.
- In the Assets and Compliance workspace, select Compliance Settings, Company Resource Access, WI-FI Profiles and create a new WI-FI profile.
- On the WI-FI profile page, configure the Network/SSID settings and click Next.
- On the Security Configuration page, configure these settings and click Configure (that’s right, click Configure before you click Next!)
Security type: WPA2-Enterprise
EAP type: Smart Card or other Certificate
- On the Smart Card or Other Certificate Properties page, configure these settings and click Advanced.
When connecting: Use a certificate on this computer
When connecting: Use simple certificate selection
- On the Configure Certificate Selection page, configure these settings:
Certificate Issuer: Intermediate Certification Authorities: Select the intermediate certificate
Extended Key Usage (EKU): Enabled
All Purpose: Enabled
Client Authentication: Enabled
- On the AnyPurpose section, click Add, select the Client Authentication EKU and click OK
- Click OK twice and click Next.
- On the Advanced Settings page, configure these settings and click Next.
Specify authentication mode: Enabled
Authentication mode: user authentication
- On the Proxy Settings page, click Next (if you have any Proxy settings, configure those before you click Next)
- On the Supported Platforms page, select the supported iOS devices and click Next
- Once the WI-FI profile is created, you should deploy it to all Intune users.
Happy deploying – after the next synchronization you will see the WI-FI profile being applied on the iOS devices.