Author: Chris Green, Program Manager
A key feature of the mobile device management capabilities provided by System Center 2012 R2 Configuration Manager with Windows Intune is the ability to provision client certificates to managed devices. Organizations that use an enterprise PKI for client authentication to resources like WiFi and VPN can use this feature to provision certificates to Windows, Windows Phone, iOS, and Android devices managed through Windows Intune. This article provides an in-depth look at how this feature works, and where you can go to find out all of the information you need to get up and running.
There are many ways to get a certificate onto a device. Some approaches are highly manual but do the job, such as sending a certificate via email or making it available for download from a web page. Other approaches embed the certificate as part of a payload, such as embedding a PFX as part of an MDM protocol command. Another approach involves using an enrollment protocol that lets a client initiate an enrollment request to a registration authority. All approaches have advantages and disadvantages.
Configuration Manager with Windows Intune leverages an enrollment protocol called Simple Certificate Enrollment Protocol (SCEP), which is natively supported by iOS, Windows 8.1 and Windows Phone 8.1, and is also supported through the Windows Intune Company Portal app for Android. Using a certificate enrollment protocol has the definite advantage of having the private key generated directly on the device. The private key is never generated, cached, or stored by either Configuration Manager on-premises components or by the Windows Intune cloud service, which helps to keep it secure.
It is worth noting that SCEP was originally designed for enrolling certificates on networking equipment, and therefore has a simple challenge-based authentication scheme that does not strongly authenticate certificate requests. With this knowledge in mind, the Intune and Active Directory Certificate Services (AD CS) product teams worked closely to produce a secure solution that integrates Configuration Manager with the Network Device Enrollment Service (NDES) role in Windows Server 2012 R2. NDES now supports the ability to configure a policy module, which performs additional validation to prevent unauthorized certificate requests (more details are also outlined by the AD CS team in this Curah page). The next section describes how this solution works.
Here is how Configuration Manager with Windows Intune uses the new NDES policy module feature to provide secure certificate provisioning to mobile devices using SCEP. It first involves setting up an NDES server role and installing a policy module that ships with System Center Configuration Manager 2012 R2 installation media, and then setting up a site system role in Configuration Manager called the Certificate Registration Point (CRP). There are some links to good documentation at the end of this article that provide details on how to get everything set up.
The flow for provisioning certificates is as follows:
As described in the certificate provisioning flow, there are multiple validations performed on the enrollment request to assure its integrity.
There are a couple of measures that can be taken in order to protect against certificates being exported from the managed device and used on other devices. The first option is to mark the private key as not exportable in the certificate template. This will prevent typical users from exporting certificates with private keys and installing them on different devices. However, this option does not provide strong protection against sophisticated attackers who wish to use the certificate for malicious purposes. To add further protection for Windows 8.1 and Windows Phone 8.1 devices, you can specify that the certificate must be protected by the Trusted Platform Module, which is a chip built into the device that provides hardware-backed protection of private keys and provides protection from “hammering” attacks, in which malicious users make repeated connection attempts as they try to guess the correct credentials. (Note: Windows 8.1 requires KB 2948462 to protect certificates from export using the TPM: http://support.microsoft.com/kb/2948462) The screenshot below shows where you can configure this in the SCEP Profile.
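As an added example (not part of the original post), the PowerShell below audits a Windows 8.1 device's personal certificate store and reports, for each certificate from the enterprise CA, which key storage provider holds the private key and whether the key is marked exportable; a key provisioned with the TPM option above should show the Microsoft Platform Crypto Provider and no export permission. The issuer name is a placeholder you replace with your own CA's name, and the script assumes .NET Framework 4.6 or later for RSACertificateExtensions.

```powershell
# Added example: verify that SCEP-provisioned client certificates are TPM-backed
# and non-exportable. 'Contoso Issuing CA' is a placeholder issuer name.
param(
    [string]$IssuerMatch = 'Contoso Issuing CA'
)

# Name of the TPM-backed key storage provider on Windows 8.1 and later.
$tpmProvider = 'Microsoft Platform Crypto Provider'

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object {
        $cert = $_
        $provider   = 'unknown'
        $exportable = 'unknown'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the CngKey handle exposes the provider and the export policy.
                $provider   = $rsa.Key.Provider.Provider
                $allowExport = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport
                $exportable = [bool]([int]$rsa.Key.ExportPolicy -band $allowExport)
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: the CSP container info carries the same facts.
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Keys the current user cannot open are reported rather than skipped.
            $provider = "error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            TpmBacked  = ($provider -eq $tpmProvider)
            Exportable = $exportable
        }
    } | Format-Table -AutoSize
```

Any row with TpmBacked false or Exportable true indicates a certificate that was not issued under the template settings described above and is worth investigating.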
There are a few sources of documentation to help guide you through infrastructure setup.
The following log files can be used to trace issues with device enrollment:
Certificate registration point IIS logs
Configuration Manager certificate registration point logs
Component health status
NDESPlugin.log (requires debug logging to be enabled): C:\Program Files\Microsoft Configuration Manager\Logs\NDESPlugin.log
The Active Directory Certificate Services (AD CS) team has published an article with recommendations for setting up NDES to be exposed to mobile devices over the Internet.
Configuration Manager Resources
Documentation Library for System Center 2012 Configuration Manager
Configuration Manager 2012 Forums
System Center 2012 Configuration Manager Survival Guide
System Center Configuration Manager Support
This posting is provided "AS IS" with no warranties and confers no rights.