Onboard Android devices with certificates using Microsoft Intune and SCEP
In this topic, you will learn how to deploy Portnox™ Cloud certificates to Android devices via Microsoft Intune SCEP.
Turn on the Portnox Cloud SCEP services
In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.
If you have previously turned on the Portnox Cloud SCEP services, skip to the step in which you get the Cloud SCEP URL for Microsoft Intune.
Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.
-
In the Cloud portal top menu, click on the Settings option.
-
Enable integration with SCEP services.
- Click on the Edit link.
- Activate the Enable integration checkbox.
- Click on the Save button.
-
Click on the ⧉ icon next to the SCEP URL for MS
Intune field to copy the SCEP URL, and paste it in a text file for later use.
Download the root CA certificate from Portnox Cloud
In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal.
You need the root CA certificate so that your managed devices can verify the validity of cloud RADIUS servers, which have certificates signed by this root CA certificate. If the root CA certificate is not distributed to managed devices, some devices may show a security warning each time that the user connects to networks managed by Portnox Cloud.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Cloud portal left-hand side menu, click on the
option.
The right-hand pane shows the list of active servers.
- Click on any of the active RADIUS services to show its configuration.
-
Click on the Download root certificate link to download the root CA certificate.
Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.
Download the tenant CA certificate from Portnox Cloud
In this section, you will download the Portnox™ Cloud tenant CA certificate from the Cloud portal and convert it to the Base-64 encoded X.509 format.
You need the tenant CA certificate from Portnox Cloud so that your managed devices can verify the validity of individual SCEP certificates, which are signed using the tenant CA certificate.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Cloud portal left-hand side menu, click on the
option.
-
In the Trusted Root Certificates section, click on the Download link,
then save the downloaded file.
The default name of the file is Your_tenant_name - Portnox CLEAR.pfx, for example, Vorlon - Portnox CLEAR.pfx.
-
In Windows, right-click on the downloaded file and select Open from the context menu.
The file will be opened in the Windows certificate manager.
-
In the certificate manager window, open the Certificates section in the left-hand pane and
then double-click on Portnox - Portnox CLEAR in the right-hand side pane.
-
In the Certificate window, click on the Details tab and then click on
the Copy to File button.
-
In the Certificate Export Wizard, export the certificate in base-64 encoded format.
Create a profile for the root CA certificate
In this section, you will create a profile in Microsoft Intune for the downloaded Portnox™ Cloud root CA certificate.
- Open the Microsoft Intune portal in your browser: intune.microsoft.com.
-
In the Devices | Configuration pane, in the Policies tab, click on the
Create button and select the New Policy option.
-
In the Create a profile pane:
-
In the Basics step of the Trusted certificate wizard, in the
Name field, type a name for this profile, optionally fill in the
Description field, and click on the Next button.
In this example, we used the name Portnox Cloud root CA Android, but you can use any name you like.
-
In the Configuration settings step of the wizard, click on the 🗀 icon to open the downloaded root CA file and click on the
Next button.
In this example, the file has the default name rootCertificate.cer.
-
In the Assignments step of the wizard, use relevant options to assign this profile to
specific groups or all users/devices, and then click on the Next button.
- In the Review + create step of the wizard, review all the information, and then click on the Create button.
Result: You created a trusted certificate profile for the Portnox Cloud root CA certificate.
Create a profile for the tenant CA certificate
In this section, you will create a profile in Microsoft Intune for the downloaded Portnox™ Cloud tenant CA certificate.
- Open the Microsoft Intune portal in your browser: intune.microsoft.com.
-
In the Devices | Configuration pane, in the Policies tab, click on the
Create button and select the New Policy option.
-
In the Create a profile pane:
-
In the Basics step of the Trusted certificate wizard, in the
Name field, type a name for this profile, optionally fill in the
Description field, and click on the Next button.
In this example, we used the name Portnox Cloud tenant CA Android, but you can use any name you like.
-
In the Configuration settings step of the Trusted certificates wizard,
click on the 🗀 icon to open the downloaded and converted tenant CA file
and click on the Next button.
In this example, the file has the name tenantCertificate.cer.
-
In the Assignments step of the wizard, use relevant options to assign this profile to
specific groups or all users/devices, and then click on the Next button.
- In the Review + create step of the wizard, review all the information, and then click on the Create button.
Result: You created a trusted certificate profile for the Portnox Cloud tenant CA certificate.
Create a profile for the SCEP server’s intermediate certificate
In this section, you will create a profile in Microsoft Intune for the Portnox™ Cloud SCEP server’s intermediate certificate – the Thawte TLS RSA CA G1 certificate.
Most device operating systems, such as Windows, macOS, and iOS, use HTTP requests to contact SCEP servers. However, Android requires HTTPS.
To make HTTPS requests to the Portnox cloud SCEP server, all your devices must have the SCEP server’s intermediate certificate to validate the SCEP server’s identity. The Portnox Cloud SCEP server’s intermediate certificate is the standard Thawte TLS RSA CA G1 certificate.
In many cases, the operating system of the device already has this certificate installed as one of the standard certificates, and you do not need to upload it. However, it is safer to distribute the certificate to make sure that every device can connect using SCEP via HTTPS.
-
Download the Thawte TLS RSA CA G1 certificate from our documentation server: click here to download.
Alternatively, you can download it directly from the DigiCert website.
- Open the Microsoft Intune portal in your browser: intune.microsoft.com.
-
In the Devices | Configuration pane, in the Policies tab, click on the
Create button and select the New Policy option.
-
In the Create a profile pane:
-
In the Basics step of the Trusted certificate wizard, in the
Name field, type a name for this profile, optionally fill in the
Description field, and click on the Next button.
In this example, we used the name Portnox Cloud SCEP Cert Android, but you can use any name you like.
-
In the Configuration settings step of the Trusted certificates wizard,
click on the 🗀 icon to open the downloaded Thawte TLS RSA CA G1
certificate file and click on the Next button.
In this example, the file has the name ThawteTLSRSACAG1.crt.
-
In the Assignments step of the wizard, use relevant options to assign this profile to
specific groups or all users/devices, and then click on the Next button.
- In the Review + create step of the wizard, review all the information, and then click on the Create button.
Result: You created a trusted certificate profile for the Portnox Cloud SCEP server’s intermediate certificate.
Create a profile for SCEP device certificates
In this section, you will create a profile in Microsoft Intune for unique device certificates, which are generated by Portnox™ Cloud for the devices, and obtained through SCEP requests.
You need to complete this task only if you want to use devices enrolled as Android Enterprise Corporate-owned dedicated devices. If you want to use only user devices, complete the next task instead.
- Open the Microsoft Intune portal in your browser: intune.microsoft.com.
-
In the Devices | Configuration pane, in the Policies tab, click on the
Create button and select the New Policy option.
-
In the Create a profile pane:
-
In the Basics step of the SCEP certificate wizard, in the
Name field, type a name for this profile, optionally fill in the
Description field, and click on the Next button.
In this example, we used the name Portnox Cloud SCEP Device Android, but you can use any name you like.
-
In the Configuration settings step of the SCEP certificates wizard,
fill in the fields as follows, and then click on the Next button.
Adjust the proposed values to your requirements and your environment, if needed.
- In the Apps step of the wizard, decide if the user must approve connections for all apps or should Android grant connection permission silently for specific apps. Then, click on the Next button.
-
In the Assignments step of the wizard, use relevant options to assign this profile to
specific groups or all users/devices, and then click on the Next button.
- In the Review + create step of the wizard, review all the information, and then click on the Create button.
Result: You created a profile for device certificates obtained through SCEP.
Create a profile for SCEP user certificates
In this section, you will create a profile in Microsoft Intune for unique user certificates, which are generated by Portnox™ Cloud for the users of devices, and obtained through SCEP requests.
You need to complete this task only if you want to use devices enrolled as Android Enterprise Corporate-owned user devices. If you want to use only dedicated devices, complete the previous task only.
- Open the Microsoft Intune portal in your browser: intune.microsoft.com.
-
In the Create a profile pane:
-
In the Basics step of the SCEP certificate wizard, in the
Name field, type a name for this profile, optionally fill in the
Description field, and click on the Next button.
In this example, we used the name Portnox Cloud SCEP User Android, but you can use any name you like.
-
In the Configuration settings step of the SCEP certificates wizard,
fill in the fields as follows, and then click on the Next button.
Adjust the proposed values to your requirements and your environment, if needed.
- In the Apps step of the wizard, decide if the user must approve connections for all apps or should Android grant connection permission silently for specific apps. Then, click on the Next button.
-
In the Assignments step of the wizard, use relevant options to assign this profile to
specific groups or all users/devices, and then click on the Next button.
- In the Review + create step of the wizard, review all the information, and then click on the Create button.
Result: You created a profile for user certificates obtained through SCEP.
Create a profile for Wi-Fi managed by Portnox Cloud
In this section, you will create a profile in Microsoft Intune for the connection of devices to the Wi-Fi network managed by Portnox™ Cloud.
- Open the Microsoft Intune portal in your browser: intune.microsoft.com.
-
In the Devices | Configuration pane, in the Policies tab, click on the
Create button and select the New Policy option.
-
In the Create a profile pane:
-
In the Basics step of the Wi-Fi wizard, in the
Name field, type a name for this profile, optionally fill in the
Description field, and click on the Next button.
In this example, we used the name Portnox Cloud Wi-Fi Android, but you can use any name you like.
-
In the Configuration settings step of the wizard, in the Wi-Fi type
field, select the Enterprise option, fill in the following fields, and then click on the
Next button.
Adjust the proposed values to your requirements and your environment, if needed.
-
In the Assignments step of the wizard, use relevant options to assign this profile to
specific groups or all users/devices, and then click on the Next button.
- In the Applicability Rules step of the wizard, add rules to apply this configuration profile depending on the operating system version/edition, if necessary, and then click on the Next button.
- In the Review + create step of the wizard, review all the information, and then click on the Create button.
Result: You created a profile for Android devices and the Wi-Fi network managed by Portnox Cloud.