Recently I got a question from a customer about SCEP.
SCEP as in “Simple Certificate Enrollment Protocol”, not “System Center Endpoint protection”.
Pretty important difference, although SC (System Center as in SCCM) is involved in this case.
customer investigating integration of ADCS (Active Directory Certificate Services) with Intune.
Customer found an interesting article: “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests” (http://www.kb.cert.org/vuls/id/971035)
In short, the article mentions (quote):
“SCEP was designed for use “…in a closed environment” and is not well suited for MDM and “bring your own device” (BYOD) applications where untrusted users and devices are in use.
When a user or a device requests a certificate, the SCEP implementation may require a challenge password. It may be possible for a user or device to take their legitimately acquired SCEP challenge password and use it to obtain a certificate that represents a different user with a higher level of access such as a network administrator, or to obtain a different type of certificate than what was intended.”
In Windows Server 2012 R2 the Active Directory Certificate Services (AD CS), NDES supports a policy module that provides additional security SCEP.
Windows Server 2012 R2 AD CS NDES does not ship with a policy module. You must create it yourself or obtain it as part of a software solution from a MDM vendor.
Microsoft Intune DOES HAVE that module.
But how do you integrate your ADCS with Intune?
Well, here’s the interesting stuff, there is a bunch of interesting reading and even step-by-step guides available from one of our Microsoft colleagues.
Just to be clear: all credits go to the original authors of ALL these articles I point you to.
But I thinks the links below must be in your favorites collection.
The technical background info you can find on TechNet had an update, recently:
- Enable access to company resources using certificate profiles with Microsoft Intune
- “The Intune Certificate Connector, which installs on the Windows Server 2012 R2 server that runs NDES”
- Enable access to company resources with Microsoft Intune
- Learn about multifactor authentication, and how you can use it to increase the security of your data.
- Learn about conditional access and compliance policies which can be used to block access to services when certain conditions are not met, for example, if a device is not managed by Intune.
If you really want to dive into it, with practical hands-on, please check this out (credits to Pieter Wigleven)
Pieter has put quite some effort to document the procedures step-by-step with very interesting screenshots.
Enjoy and share!