Almost everyone knows what certificates are and what they do. Certificates are very important in an enterprise environment: they are needed to connect to a Wi-Fi network or to set up a VPN connection to the corporate network. Enterprise environments also use certificates to keep outsiders, such as attackers, off the network.

Managing certificates for users on mobile devices is tricky and hard. How do you get the certificate onto a mobile device such as an Android or iOS device? It can be done manually, but that is hard to do and time-consuming.

If you have an MDM solution, you can get the certificates enrolled automatically. Microsoft Intune has an NDES connector, which connects your on-premises Certification Authority with Microsoft Intune. With a SCEP profile, you can then manage and enroll the certificates automatically on mobile devices.

In this blog, I will show you how to configure the integration with Microsoft Intune and how to enroll a certificate automatically on a managed device. This blog is very long, so I have divided it into 8 parts.

UPDATE: Microsoft has added a new option for using device certificates. This update was released in October 2018. Check here for more information:

https://docs.microsoft.com/en-us/intune/whats-new#issue-scep-certificates-to-user-less-devices-

The blog contains the following parts:

  • Configure Microsoft Intune – Certificate – Part 1: Intro

    Introduction to this blog.

The requirements for this blog:

  • Active Directory
  • Premium licensed Azure Active Directory for the Azure Application Proxy feature
  • Certification Authority
  • Azure Application Proxy connector
  • NDES Role
  • Intune NDES connector
  • Microsoft Intune
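As an added example (not part of the original post), here is a PowerShell check you can run in an elevated prompt on the NDES host to verify the items on this list before moving on. The connector service display-name patterns and the local NDES URL are assumptions; adjust them to your environment.

```powershell
# Added example, not from the original post: prerequisite check for the NDES host.
# Assumptions: the host is a domain-joined Windows Server, and the Azure AD
# Application Proxy connector and the Intune NDES connector are installed as
# Windows services whose display names match the wildcard patterns below.

$results = [ordered]@{}

# 1. Active Directory: the NDES host must be a member of the domain.
try {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['Domain-joined'] = [bool]$cs.PartOfDomain
} catch { $results['Domain-joined'] = $false }

# 2. Certification Authority: certutil -ping contacts the default enterprise CA.
& certutil.exe -ping 2>&1 | Out-Null
$results['CA reachable'] = ($LASTEXITCODE -eq 0)

# 3. NDES role (ADCS-Device-Enrollment) and the IIS role it depends on.
foreach ($f in 'ADCS-Device-Enrollment', 'Web-Server') {
    $feature = Get-WindowsFeature -Name $f
    $results["Feature $f"] = [bool]$feature.Installed
}

# 4. Connector services (display-name patterns are assumptions, adjust as needed).
$connectors = @{
    'AAD App Proxy connector' = '*Application Proxy Connector*'
    'Intune NDES connector'   = '*Intune*Connector*'
}
foreach ($svc in $connectors.GetEnumerator()) {
    $s = Get-Service -DisplayName $svc.Value -ErrorAction SilentlyContinue
    $results[$svc.Key] = ($null -ne $s -and $s.Status -eq 'Running')
}

# 5. NDES endpoint answers locally: GetCACaps is a standard SCEP operation.
try {
    $uri = 'http://localhost/certsrv/mscep/mscep.dll?operation=GetCACaps'
    $r = Invoke-WebRequest -UseBasicParsing -Uri $uri
    $results['NDES GetCACaps'] = ($r.StatusCode -eq 200)
} catch { $results['NDES GetCACaps'] = $false }

# Print one line per check so missing prerequisites stand out.
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Microsoft Intune itself and the Azure AD Premium license are tenant-side requirements and cannot be checked from the server, so they are not in the script.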

I have made this blog for test purposes. Do not use this for a production environment.

Good luck! If you have any questions or comments about this, do not hesitate to contact me by email or by posting a comment here below. I am also active on social media and some community forums, like Technet forum, Yammer, and Techcommunity.

Take care now, bye bye then…

5 Comments

  1. Thanks for this article.
    I would like to push a CA (ssl) certificate to my devices through Intune. Do I need to set up NDES or is there a simpler way to add a certificate to the computer certificate store?
    Thank you

    1. Thanks for the comment. NDES is required to push the certificate to the managed device. There is no way around that besides adding it manually to the device.

      1. Thank you for answering so quickly :). I work at three primary schools in Belgium. We don’t have on-premises servers anymore but work with Office 365 and Azure AD.
        Our firewall blocks certain websites. The users are then redirected through the firewall to get a message why that website has been blocked. As the devices don’t have the certificate of the firewall, they just get a message: ‘the website is unsafe’ (something like that :)). I was hoping for an easy way to add the certificate to the certificate store of the devices…. too bad 😦

      2. No problem at all. The only thing you could do is to set up a Certification Authority and an NDES server in Azure. There is no other way around this, unfortunately.
