Managing WIFI certificates for iOS devices with ConfigMgr MDM

This will be the last Christmas blog post from Coretech in 2014. A huge thanks to all of you who followed our Christmas blogs in December. @Coretech we wish you and your loved ones a Merry Christmas and a Happy New Year – we look forward to serving you again in 2015 with knowledge, inspiration and best practices on Microsoft technologies.

One of the many needed features offered by ConfigMgr & Intune is the ability to deploy certificates and WIFI profiles. Both are essential when implementing an MDM/BYOD strategy.

Creating the required SCEP certificate for iOS

As mentioned in a previous blog post, iOS does not support Signature in proof of origin in the NDES General Purpose certificate. In this example, the root certificate and the required NDES certificates are already created.

  1. In the Assets and Compliance workspace, select Compliance Settings, Company Resource Access, Certificate Profiles and create a new SCEP certificate.
  2. On the SCEP Enrollment page, configure these settings and click Next:
    Retries = 5
    Retry delays = 2
    Devices for certificate enrollment = Allow certificate enrollment of any device.
  3. On the Certificate Properties page, configure these settings and click Next:
    Certificate template name: Select the NDES certificate
    Certificate type: User
    Subject name format: Common name
    Subject alternative name: User Principal name (UPN)
    Extended key usage: Client Authentication (comes from the certificate)
    Hash: SHA-1
    Root CA certificate: Your root certificate. Note that this must also be deployed through ConfigMgr/Intune.


  4. On the Supported Platforms page, select the iOS devices and finish the wizard. I prefer to have a SCEP profile for each of the supported mobile device platforms: Windows Phone, Android and iOS.
  5. Once the certificate profile is created, you should deploy it to all Intune users (not to any devices, always users!)
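
To confirm that an issued certificate actually carries the properties configured in step 3, the following added example (not part of the original post) inspects a certificate for a common-name subject, a UPN subject alternative name, the Client Authentication EKU and its signature algorithm. `Test-ScepClientCert` is a hypothetical helper name, and the `contoso.example` UPN and self-signed sample certificate are constructed for the demonstration.

```powershell
# Added example. Test-ScepClientCert is a hypothetical helper, not a ConfigMgr cmdlet.
function Test-ScepClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $ekuOid        = '2.5.29.37'           # Enhanced Key Usage extension
    $sanOid        = '2.5.29.17'           # Subject Alternative Name extension
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

    # Extended key usage: Client Authentication must be present.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject alternative name: English Windows renders a UPN entry as
    # "Other Name:Principal Name=user@domain" (the text is localized).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = ''
    if ($san) { $sanText = $san.Format($false) }

    [pscustomobject]@{
        Subject            = $Cert.Subject
        SubjectIsCN        = $Cert.Subject -match '^CN='
        HasUpnSan          = $sanText -match 'Principal Name='
        HasClientAuthEku   = $ekuOids -contains $clientAuthOid
        SignatureAlgorithm = $Cert.SignatureAlgorithm.FriendlyName  # compare with the profile's Hash setting
    }
}

# Constructed sample: a throwaway self-signed certificate in the current user's store.
$demo = New-SelfSignedCertificate -Type Custom -Subject 'CN=Test User' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2',
                     '2.5.29.17={text}upn=testuser@contoso.example')
Test-ScepClientCert -Cert $demo
Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)"   # clean up the sample
```

For a real check, pass a certificate issued through NDES (for example one exported from the CA as a .cer file and loaded as an `X509Certificate2` object) instead of the sample.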

Create the iOS WI-FI profile

In this example I’ll take you thru the creation of a WI-FI profile using the SCEP certificate created above.

  1. In the Assets and Compliance workspace, select Compliance Settings, Company Resource Access, WI-FI Profiles and create a new WI-FI profile.
  2. On the WI-FI profile page, configure the Network/SSID settings and click Next.
  3. On the Security Configuration page, configure these settings and click Configure (that’s right, click Configure before you click Next!)
    Security type: WPA2-Enterprise
    Encryption: AES
    EAP type: Smart Card or other Certificate
  4. On the Smart Card or Other Certificate Properties page, configure these settings and click Advanced.
    When connecting: Use a certificate on this computer
    When connecting: Use simple certificate selection
  5. On the Configure Certificate Selection page, configure these settings:
    Certificate Issuer: Intermediate Certification Authorities: Select the intermediate certificate
    Extended Key Usage (EKU): Enabled
    All Purpose: Enabled
    Client Authentication: Enabled
    AnyPurpose: Enabled 
  6. On the AnyPurpose section, click Add, select the Client Authentication EKU and click OK
  7. Click OK twice and click Next.
  8. On the Advanced Settings page, configure these settings and click Next.
    Specify authentication mode: Enabled
    Authentication mode: user authentication
  9. On the Proxy Settings page, click Next (if you have any Proxy settings, configure those before you click Next)
  10. On the Supported Platforms page, select the supported iOS devices and click Next
  11. Once the WI-FI profile is created, you should deploy it to all Intune users.

Happy deploying – after the next synchronization you will see the WI-FI profile being applied on the iOS devices.

December 23rd, 2014 | Configuration Manager (SCCM), General info | 3 Comments

About the Author:

Kent Agerlund
Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009. Certified MCITP: Enterprise Administrator, MCSA+Messaging, and much more. Member of: Microsoft Denmark System Center Partner Expert Team, The Danish Technet Influencers program, System Center Influencers Program.


  1. Charl September 29, 2015 at 13:44

    Hi Kent, thanks for a great article. I have Wi-Fi profiles working for iOS and Windows using SCEP and NDES with SCCM 2012 R2 SP1. It does not seem to work for Android devices. Have you perhaps tested this for Android or come across such an implementation for Android? Thank you.

  2. Sean April 18, 2016 at 3:37

    Hi Kent, Charl,

    Same question – (Charl, any chance you got this solved?)

    Everything’s working fine on iOS.
    And for Android devices, the SCEP certs are getting issued by the CA to the NDES service account, but then mysteriously vanish… And never make it to Android devices’ stores.

    Tested on an S4 on 5.0.1 and an S6 Edge on 5.1.1.

    Any ideas?

    • Doug July 11, 2016 at 13:06

      Hi Sean,

      Did you find any resolution to this? From early investigation it looks like we are experiencing the same thing. ConfigMgr with NDES – iOS and Windows Phones work OK but Android doesn’t get the user cert.

