
Intune Managed Linux Client

Last updated 2 months ago

Applicable to SCEPman version 2.9 and above

SCEPman Enterprise Edition only

This method enrolls certificates for users and devices that are managed by Intune.

Intune pushes a script to the Linux client that calls the SCEPman Enrollment REST API, which either enrolls a new certificate or renews an existing one.

Prerequisites

1. Self Service Enrollment

The Self Service Enrollment scenario must be set up first; it covers how users authenticate so that SCEPman can verify their eligibility. The details are listed at the end of this page.

2. App Service Settings

The SCEPman App Service needs the client certificate mode and the AppConfig:DbCSRValidation environment variables described in detail at the end of this page. This scenario enrolls certificates of the type IntuneUser or IntuneDevice, depending on the CERT_TYPE you choose in the script, so renewal must be allowed for that type.

3. Client Prerequisites

The Linux client needs the Azure CLI, cURL and OpenSSL; the versions and purposes are listed at the end of this page. Follow the linked Intune Enrollment documentation to enroll your Linux client to Intune.

Enrollment and Renewal Script

The script (enrollrenewcertificate.sh) is normally driven by arguments passed on the terminal. Intune runs it without arguments, so the values have to be hard-coded in the script before it is deployed.

Locate the part of the script that assigns the passed terminal arguments to the variables and set them to fixed values for your environment:

Example configuration:

APPSERVICE_URL="https://scepman.contoso.net/"                        # URL of the SCEPman App Service
API_SCOPE="api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll"  # scope exposed by the SCEPman-api app registration
CERT_DIR=~/certs                                                     # key, certificate and root certificate are stored here
CERT_NAME="myCertificate"                                            # certificate file name without extension
KEY_NAME="myKey"                                                     # private key file name
RENEWAL_THRESHOLD_DAYS=30                                            # renew once fewer days than this remain

# Additionally add the following variables
CERT_TYPE="user"      # "user" or "device"
CERT_COMMAND="auto"   # "auto", "renewal" or "initial"

APPSERVICE_URL

The URL of the SCEPman app service.

Example: "https://scepman.contoso.net/"

API_SCOPE

This is the API scope that you expose in the SCEPman-api app registration in your environment.

On first use the user is presented with the consent dialog for this scope and can afterwards use the self service functionality.

Example: "api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll"

CERT_DIR

The directory in which the certificate is created, or from which it is read for renewal. The private key and the root certificate are also placed here.

Example: ~/certs/

CERT_NAME

The filename (without extension) of the certificate that will be created or read for renewal.

Example: "myCertificate"

KEY_NAME

The filename of the private key that will be created or read for renewal.

Example: "myKey"

RENEWAL_THRESHOLD_DAYS

The number of days before expiry at which the script starts the renewal process: once the certificate expires within this many days, it is renewed.

Example: 30

CERT_TYPE

The type of certificate that will be enrolled.

Can be either "user" or "device"

CERT_COMMAND

This defines how the script behaves with respect to enrollment and renewal:

"auto" creates a certificate if none exists, or renews the existing certificate once it is within the renewal threshold.

"renewal" renews an existing certificate once it is within the renewal threshold but never creates one initially.

"initial" only enrolls a new certificate and never renews an existing one.
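The following shell script is an added example written for this page; it is not SCEPman's enrollrenewcertificate.sh. It implements the decision the CERT_COMMAND and RENEWAL_THRESHOLD_DAYS settings control, reads the remaining lifetime with OpenSSL, and creates (or, for renewal, reuses) the private key and a CSR with the restrictive permissions an unencrypted key needs. The .crt/.key/.csr file extensions, the CSR subject and the default directory are assumptions; the Enrollment REST API endpoint path is documented on the Enrollment REST API page and is therefore not included here.

```shell
#!/usr/bin/env bash
# Added example for this page (not SCEPman's enrollrenewcertificate.sh): the
# enroll/renew decision that CERT_COMMAND and RENEWAL_THRESHOLD_DAYS control,
# plus key and CSR creation with the permissions an unencrypted key needs.
# File extensions (.crt/.key/.csr) and the CSR subject are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-${HOME:-/tmp}/certs}"
CERT_NAME="${CERT_NAME:-myCertificate}"
KEY_NAME="${KEY_NAME:-myKey}"
RENEWAL_THRESHOLD_DAYS="${RENEWAL_THRESHOLD_DAYS:-30}"
CERT_TYPE="${CERT_TYPE:-user}"
CERT_COMMAND="${CERT_COMMAND:-auto}"

# Days until the certificate file $1 expires (negative once expired).
# Parses OpenSSL's "notAfter=" line; the date -d form is GNU date.
days_until_expiry() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ($(date -d "$not_after" +%s) - $(date +%s)) / 86400 ))
}

# decide_action <auto|renewal|initial> <cert exists: yes|no> <days left> <threshold>
# Prints initial, renew or none. Pure, so it can be tested without a CA.
decide_action() {
  cmd="$1"; exists="$2"; days="$3"; threshold="$4"
  case "$cmd" in
    auto|renewal|initial) ;;
    *) echo "unknown CERT_COMMAND: $cmd" >&2; return 2 ;;
  esac
  if [ "$exists" = no ]; then
    # Only auto and initial create a first certificate; renewal never does.
    case "$cmd" in
      renewal) echo none ;;
      *)       echo initial ;;
    esac
  elif [ "$cmd" = initial ]; then
    echo none          # initial never touches an existing certificate
  elif [ "$days" -le "$threshold" ]; then
    echo renew         # auto and renewal renew once inside the threshold
  else
    echo none
  fi
}

# Create (or reuse, for renewal) the unencrypted private key and a CSR.
# umask 077 keeps the key readable by the enrolling user only, because the
# key cannot be passphrase-protected in an unattended Intune run.
make_key_and_csr() {
  key="$CERT_DIR/$KEY_NAME.key"; csr="$CERT_DIR/$CERT_NAME.csr"
  ( umask 077
    mkdir -p "$CERT_DIR"
    [ -f "$key" ] || openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    # Placeholder subject: SCEPman validates the CSR server-side
    # (AppConfig:DbCSRValidation) against the IntuneUser/IntuneDevice entry.
    openssl req -new -key "$key" -subj "/CN=$CERT_TYPE-$CERT_NAME" -out "$csr" >/dev/null
  )
  echo "$csr"
}

main() {
  cert="$CERT_DIR/$CERT_NAME.crt"
  exists=no; days=0
  if [ -f "$cert" ]; then exists=yes; days=$(days_until_expiry "$cert"); fi
  action=$(decide_action "$CERT_COMMAND" "$exists" "$days" "$RENEWAL_THRESHOLD_DAYS")
  echo "$cert: exists=$exists days_left=$days command=$CERT_COMMAND -> $action"
  if [ "$action" = none ]; then return 0; fi
  csr=$(make_key_and_csr)
  # Next step, not shown because the endpoint path is on the Enrollment REST API
  # page: initial enrollment sends the CSR with a bearer token from
  #   az account get-access-token --scope "$API_SCOPE" --query accessToken -o tsv
  # while renewal sends it over mTLS with curl --cert "$cert" --key "$CERT_DIR/$KEY_NAME.key".
  echo "CSR ready for submission: $csr"
}

main "$@"
```

Run it with the same variables you hard-code for Intune (for example CERT_COMMAND=renewal ./script.sh); the printed decision line is what you would look for in the Intune script output when a client reports that nothing was renewed.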

Considerations

  • The script does not encrypt the generated private key: encryption would require a passphrase at every run, which is incompatible with unattended renewal. Keep CERT_DIR readable only by the enrolling user (for example, create it with mode 700) so the unencrypted key is not exposed to other local accounts.

  • If you are renewing passphrase-protected certificates issued from Certificate Master, the passphrase must be entered to renew them, which an unattended Intune run cannot do.

Deploy Script

Using Intune, the modified script is deployed on a schedule: the first run enrolls a certificate with the given parameters, and every subsequent run checks whether it needs to be renewed.

Add a new Linux script deployment, set the Execution context to User, and upload or paste the content of the modified bash script from the prior section.

Set the Execution frequency in line with your renewal threshold: the script must run at least once within the RENEWAL_THRESHOLD_DAYS window, otherwise a certificate can expire before the run that would have renewed it.

On the first execution the user is prompted to sign in to the Azure CLI, because enrollment requires an authenticated user; later runs reuse that login.

The script initially obtains a certificate, then checks it on every scheduled run and attempts a renewal once the threshold is reached.

If you are enrolling or renewing a device certificate, the DeviceId is read from ~/.config/intune/registration.toml, and the authenticated user must match the owner of that device object in the configured Device Directory.


Prerequisite details

1. Self Service Enrollment

To enroll certificates, users must be authenticated so that SCEPman can verify their eligibility. Follow the Self Service Enrollment guide for step-by-step instructions on how to set this up.

2. App Service Settings

Configuration (required for certificate renewal)

Configure your SCEPman App Service to accept mTLS client certificates. In the Configuration blade of the Settings section, verify that the Client certificate mode under Incoming client certificates is set to Optional. Renewal authenticates with the client's existing certificate over mTLS, so the App Service must forward client certificates without demanding them on every request.

Do not set the Client certificate mode to Require or Allow, as that would break normal operation of SCEPman on the SCEP endpoints!

Environment Variables

In order to use this scenario, set the following environment variables on the SCEPman App Service.

AppConfig:DbCSRValidation:Enabled (required for certificate enrollment and renewal)

Set this variable to true to enable the validation of certificate signing requests (CSRs).

AppConfig:DbCSRValidation:AllowRenewals (required for certificate renewal)

Set this variable to true to enable certificate renewals.

AppConfig:DbCSRValidation:ReenrollmentAllowedCertificateTypes (required for certificate renewal)

Set this variable to a comma-separated list of the certificate types for which you want to allow renewal. See the linked variable documentation for a list of possible certificate types. This scenario issues IntuneUser and IntuneDevice certificates, so the type you enroll must be in this list.

Example: Static,IntuneUser,IntuneDevice

3. Client Prerequisites

The following prerequisites must be present on the executing client/host to use the Enrollment REST API.

Azure CLI (version 2.61 and above)

The Azure CLI is used to authenticate the enrolling user, to check their eligibility and to retrieve the access token.

cURL

Used to send the created CSR to the SCEPman Enrollment API endpoint and to receive the certificate.

OpenSSL

OpenSSL is used to generate a private key and create a CSR for enrolling or renewing a certificate.
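As an added example (not SCEPman's code), the following shell script checks the App Service values listed above before you roll the Intune script out. check_scepman_settings is a pure function that takes the values as arguments, so the rules can be exercised offline; fetch_and_check reads the live values with the real Azure CLI commands az webapp show and az webapp config appsettings list and assumes you are signed in with read access to the App Service, whose resource group and name are passed as arguments. Only the ARM value Optional is accepted for the client certificate mode; the Allow and Require choices from the portal both map to rejected values here.

```shell
#!/usr/bin/env bash
# Added example (not SCEPman's code): verify the App Service settings that
# Intune-driven Linux enrollment and renewal depend on. check_scepman_settings
# is pure so it can be tested offline; fetch_and_check reads the live values
# with the Azure CLI and assumes you are signed in with read access.
set -eu

# check_scepman_settings <clientCertMode> <Enabled> <AllowRenewals> <AllowedTypes> <user|device>
# Prints one FAIL line per problem (or a single OK line) and returns 1 on any FAIL.
check_scepman_settings() {
  mode="$1"; enabled="$2"; renewals="$3"; types="$4"; cert_type="$5"
  rc=0
  # The App Service must forward client certificates without demanding them:
  # Optional is the only mode that serves both SCEP and mTLS renewal traffic.
  case "$mode" in
    Optional) ;;
    Required) echo "FAIL clientCertMode=Required breaks the SCEP endpoints; use Optional"; rc=1 ;;
    *)        echo "FAIL clientCertMode=$mode; renewal over mTLS needs Optional"; rc=1 ;;
  esac
  [ "$enabled" = true ]  || { echo "FAIL AppConfig:DbCSRValidation:Enabled must be true (got $enabled)"; rc=1; }
  [ "$renewals" = true ] || { echo "FAIL AppConfig:DbCSRValidation:AllowRenewals must be true (got $renewals)"; rc=1; }
  # The type this scenario enrolls must be in the renewal allow-list.
  case "$cert_type" in
    user)   wanted=IntuneUser ;;
    device) wanted=IntuneDevice ;;
    *) echo "FAIL CERT_TYPE must be user or device (got $cert_type)"; return 1 ;;
  esac
  case ",$types," in
    *",$wanted,"*) ;;
    *) echo "FAIL ReenrollmentAllowedCertificateTypes='$types' does not include $wanted"; rc=1 ;;
  esac
  if [ "$rc" -eq 0 ]; then echo "OK all settings allow $cert_type enrollment and renewal"; fi
  return "$rc"
}

# app_setting <tsv name/value lines> <setting name>: prints the value or "unset".
app_setting() {
  printf '%s\n' "$1" | awk -F'\t' -v k="$2" '$1==k {print $2; found=1} END {if (!found) print "unset"}'
}

# fetch_and_check <resource-group> <app-service-name> <user|device>
fetch_and_check() {
  rg="$1"; app="$2"
  cc_enabled=$(az webapp show -g "$rg" -n "$app" --query clientCertEnabled -o tsv)
  mode=$(az webapp show -g "$rg" -n "$app" --query clientCertMode -o tsv)
  [ "$cc_enabled" = true ] || mode="disabled"
  settings=$(az webapp config appsettings list -g "$rg" -n "$app" --query "[].[name,value]" -o tsv)
  check_scepman_settings "$mode" \
    "$(app_setting "$settings" AppConfig:DbCSRValidation:Enabled)" \
    "$(app_setting "$settings" AppConfig:DbCSRValidation:AllowRenewals)" \
    "$(app_setting "$settings" AppConfig:DbCSRValidation:ReenrollmentAllowedCertificateTypes)" \
    "$3"
}

# Usage: ./check-scepman-settings.sh <resource-group> <app-service-name> <user|device>
if [ "$#" -eq 3 ]; then fetch_and_check "$@"; fi
```

A non-zero exit with FAIL lines tells you which of the four settings to fix before deploying the Intune script; run it once per CERT_TYPE you intend to use, because the allow-list check differs for user and device certificates.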