Niklas Blog

Exploring Device Management.

Request and Deploy SCEP Certificates with the Intune NDES Connector

31 December 2023

Request and Deploy SCEP Certificates with the Intune NDES Connector

In today’s fast-paced digital landscape, enterprises are continually seeking efficient and secure ways to manage their ever-growing fleet of devices. Microsoft Intune has emerged as a leading cloud-based solution for modern device management, enabling organizations to streamline their device management processes and enhance data security. One critical component of Intune is the Intune NDES (Network Device Enrollment Service) connector. In this blog post, we will explore what the Intune NDES connector is, why enterprises might need it, and how it empowers organizations to leverage modern device management capabilities over Microsoft Intune.

What is the Intune NDES Connector?

The Intune NDES connector is a software component that integrates Microsoft Intune with a Network Device Enrollment Service (NDES) infrastructure. NDES is a Microsoft technology that allows devices to obtain certificates from a Certification Authority (CA) for secure access to network resources. By leveraging the Intune NDES connector, organizations can seamlessly distribute certificates to mobile devices enrolled in Intune, facilitating secure connections to corporate resources, such as VPNs, Wi-Fi networks, and email servers.

Why Enterprises Need the Intune NDES Connector?

  • Enhanced Security: Certificate-based authentication provides a higher level of security compared to traditional username/password authentication. By using the Intune NDES connector, enterprises can ensure that only authorized devices with valid certificates can access sensitive corporate resources, minimizing the risk of data breaches.
  • Simplified Certificate Distribution: The Intune NDES connector automates the process of distributing certificates to enrolled devices. This eliminates the need for manual certificate provisioning, reducing administrative overhead and ensuring consistent and efficient certificate deployment across the organization.
  • Seamless User Experience: With the Intune NDES connector, users experience a seamless and hassle-free certificate enrollment process. Once devices are enrolled in Intune, certificates are automatically provisioned, allowing users to quickly and securely access corporate resources without complex manual configuration steps.

What Can Enterprises Do with the Intune NDES Connector?

  • Secure VPN Access: The Intune NDES connector enables enterprises to secure Virtual Private Network (VPN) connections by issuing and managing certificates for VPN clients. This ensures that only authorized devices can establish a VPN connection, safeguarding the organization’s network from unauthorized access.
  • Wi-Fi Network Authentication: By leveraging the Intune NDES connector, enterprises can streamline Wi-Fi network authentication using certificate-based security. Certificates are provisioned to devices automatically, eliminating the need for users to manually enter network credentials and enhancing the overall user experience.
  • Email and S/MIME Security: With the Intune NDES connector, organizations can enhance email security by using certificates for email authentication and encryption (S/MIME). This ensures that only devices with valid certificates can access and send encrypted emails, protecting sensitive information from unauthorized access.
  • Client or User Authentication: Deployed certificates from the Intune NDES Connector can be used to grant secure access to resources by using your PKI certificates.

Definition of SCEP for Certificate Deployment

In the context of certificate deployment, SCEP stands for Simple Certificate Enrollment Protocol. SCEP is a communication protocol used to facilitate the secure issuance and management of digital certificates. It enables devices, such as mobile devices and computers, to request and obtain certificates from a Certificate Authority (CA) or a Registration Authority (RA) in an automated and scalable manner.

The SCEP protocol operates by establishing a secure channel between the device and the certificate authority, allowing the device to submit certificate enrollment requests and receive the corresponding certificates. This simplifies the process of deploying certificates to a large number of devices, making it an ideal solution for enterprises that require efficient and automated certificate management.

Within the Microsoft Intune ecosystem, the Intune NDES connector acts as a bridge between Intune and SCEP, enabling seamless integration and communication between the two. The Intune NDES connector leverages the SCEP protocol to streamline the deployment of certificates to enrolled devices, ensuring secure access to corporate resources and enhancing overall data security.

By utilizing SCEP and the Intune NDES connector, enterprises can automate the certificate enrollment process, eliminate manual configuration steps, and efficiently manage certificates for their device fleet. This not only enhances security but also reduces administrative overhead, ensuring a smooth and scalable certificate deployment experience within the Microsoft Intune environment.

Prerequisites

There are a few perquisites to be setup before you can setup and use certificate deployment with the Intune NDES Connector.

  • Existing PKI environment.
  • Licensed Intune Admin.
  • Access to Application Proxy within Azure AD, we will cover the setup in this guide.
  • Service Account for the NDES role (Logon as Service, Issue and Manage Certificates on the CA, Read and Enroll permissions on the template, Permission to the Key Storage Provider (KSP).)

Microsoft has a own page on Microsoft Learn about the perquisites-

NDES Connector Setup

Now we are going to see how we can install the Intune NDES Connector on top to your NDES Server.

So lets start with the Installation steps.

Go to https://endpoint.microsoft.com and switch to the „Connectors and tokens“ view in the „Tenant administration“ blade to download the Connector installer:

The download is on the blue link „certificate connector“:

Run the installer with administrative priviledges on the NDES server:

When you click on „Configure Now“ the wizard should start and you can configure it:

Check the features that you need. This example will talk about SCEP certificates so I am checking SCEP and Certificate revocation:

Enter the credentials from the Service Account:

If needed define the proxy settings from your network:

If everything is ok, the wizard will tell you when you’re missing some perquisites:

Sign in to your Azure tenant with an Global- or Intune Administrator account:

After a few seconds it should be finished:

You can now see an active connector in your Intune environment, when you refresh the page where you’ve downloaded the connector:

Install the Azure AD Application Proxy Now we should deploy an Azure AD Application Proxy. You might ask why you would need this and the simple answer is „for your security“. With this Application Proxy solution you do not have to publish your NDES server to the Internet and instead use the Application Proxy Feature to use Azure for the deployment of the Backend and to communicate with Endpoints from the Internet without the need to be connected to your local Network.

Start by navigating to https://portal.azure.com and switch to the „Application proxy“ in the „Azure Active Directory“ blade and download a new connector service:##

Run the installer with local administrative privileges:

Follow the installation wizard:

Sign in with your Azure credentials:

The installer should be finished within a few minutes:

In the portal you can now see the new connector. It is a best practise to create a own Connector group for your deployment. So lets do that:

Define a new Name and select Connectors to add to this group. Optionally you can define the group location:

Now lets configure an App for our NDES Connector from our NDES Server:

Define the Name, Internal-URL, Authentication and the Connector group. The external URL will be created automatically but you can change it if you want. Also you can use custom domains if you added them to your tenant:

Now the NDES Connector is published securely over Azure AD App Proxy to the Internet.

Intune SCEP Configuration Profile

Next we need to Upload the Trusted Root CA Certificate so that the client devices can request and trust new certificates from your Enterprise CA. So navigate to https://endpoint.microsoft.com and create a new Configuration Profile for your platform device. In this example we are going to use Windows as our platform. Search for the „Trusted certificate“ in the Templates.

Upload your Root CA certificate and set the Destination store to „Computer certificate store – Root“:

Deploy the profile to your devices with a scope group.

Now we need to create an SCEP profile in Intune to request User Authentication certificates. Start by creating a new configuration profile with „SCEP certificate“ from the Templates:

Now you need to configure the SCEP request details, which will then be send from the client to Intune, forwarding to the NDES Connector which reqests the certificate from your Enterprise CA. The generated certificate will then be send backwards this way to your device.

Define the values for:

  • Certificate type: In this example we set this to User
  • Subject name format: Also set to the UserName and his EmailAddress in this example
  • Attribute: Set to UPN in this example
  • Certificate validity period: Set to 1 Year in this example
  • KSP: Set to TPM if available
  • Key size: 2048
  • Hash algorithm: Set to SHA-2
  • Root Certificate: Pick the Root CA certificate that you have uploaded earlier.

Continue with configuring:

  • Key Usage: In this example we need to authenticate clients so we picked Client Authentication.
  • Renewal threshold: Define on how much percent of the time the certificate should be renewed. In this example it will renew when the time until expiration hits 20% of the full lifetime.
  • SCEP Server URLs: Configure the Azure AD App Proxy URL and optional you can configure the internal URL which can be used for clients that are in the same network as your NDES Server.

If you need more or other certificate requests you can create more SCEP profiles with other purposes.

Conclusion

The Intune NDES connector plays a pivotal role in Microsoft Intune’s modern device management capabilities, empowering enterprises to enhance security and streamline the management of their mobile device fleet. By seamlessly integrating with a Network Device Enrollment Service (NDES) infrastructure, the Intune NDES connector simplifies certificate distribution, strengthens security, and enables organizations to protect their network resources while delivering a seamless user experience. With its comprehensive range of features, the Intune NDES connector is an invaluable tool for enterprises seeking to embrace modern device management and elevate their data security practices within the Microsoft Intune ecosystem.