Android

Deploy certificates to Android devices via SCEP using Intune and SCEPman.

Last updated 3 months ago

Was this helpful?

The following article describes how to deploy a device or a user certificate for Android. Android certificate deployment is similar to Windows 10, macOS, and iOS certificate deployments.

Android provides two distinct solution sets: one is the work profile (known as Personally-Owned Work Profile) and the other is the fully managed device (also known as Fully Managed, Dedicated, and Corporate-Owned Work Profile). In both scenarios, the settings for certificate configuration profiles remain the same.

Android device administrator management was released in Android 2.2 as a way to manage Android devices. Beginning with Android 5, the more modern management framework Android Enterprise was released (for devices that can reliably connect to Google Mobile Services). Google is encouraging a move away from device administrator management by decreasing its management support in new Android releases. For more information, please see the Microsoft Intune documentation on decreasing support for Android device administrator.

Root Certificate

The basis for deploying SCEP certificates (device or user) is to trust the root certificate of SCEPman. Therefore, you have to download the CA Root certificate and deploy it as a Trusted certificate profile via Microsoft Intune:

Note that you have to use the same group for assigning the Trusted certificate profile and the SCEP profile. Otherwise, the Intune deployment might fail.

Device Certificates

Certificate type: Device

In this section, we set up a device certificate.

Subject name format: CN={{DeviceId}} or CN={{AAD_Device_ID}}

SCEPman uses the CN field of the subject to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs:

  • {{DeviceId}}: This ID is generated and used by Intune (recommended). Requires SCEPman 2.0 or higher and AppConfig:IntuneValidation:DeviceDirectory to be set to Intune or AADAndIntune.
  • {{AAD_Device_ID}}: This ID is generated and used by Microsoft Entra ID (Azure AD).

You can add other RDNs if needed (e.g. CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}). Supported variables are listed in the Microsoft docs.

Subject alternative name: URI Value: IntuneDeviceId://{{DeviceId}}

The URI field allows NAC solutions to identify devices based on their Intune Device ID. Other SAN values like DNS can be added if needed.

Certificate validity period: 1 year

The amount of time remaining before the certificate expires. The default is one year. SCEPman caps the certificate validity to the configured maximum in the setting AppConfig:ValidityPeriodDays, but otherwise uses the validity configured in the request.

Key usage: Digital signature and key encipherment

Please activate both cryptographic actions.

Key size (bits): 4096

SCEPman supports 4096 bits.

Root Certificate: Profile from previous step

Please select the Intune profile from [Root Certificate](android.md#root-certificate). If you are using an Intermediate CA, you must still select the Trusted certificate profile for the Root CA, not the Intermediate CA!

Extended key usage: Client Authentication, 1.3.6.1.5.5.7.3.2

Please choose Client Authentication (1.3.6.1.5.5.7.3.2) under Predefined values. The other fields will be filled out automatically.

Renewal threshold (%): 20

This value defines when the device is allowed to renew its certificate (based on the remaining lifetime of the existing certificate). Please read the note under Certificate validity period and select a value that allows the device to renew the certificate over a long enough period. A value of 20% allows a device with a certificate valid for one year to start renewal 73 days before expiration.

SCEP Server URLs: Open the SCEPman portal and copy the URL of the Intune MDM section.

Example: https://scepman.contoso.com/certsrv/mscep/mscep.dll

Example

User Certificates

Certificate type: User

In this section, we set up a user certificate. Please follow the instructions for Device Certificates and take care of the following differences:

Subject name format: CN={{UserName}},E={{EmailAddress}}

You can define RDNs based on your needs. Supported variables are listed in the Microsoft docs. We recommend including the username (e.g. janedoe) and email address (e.g. janedoe@contoso.com) as a baseline setting.

Subject alternative name: (UPN) Value: {{UserPrincipalName}}

You must add the User principal name as a Subject alternative name: add '{{UserPrincipalName}}' as a Subject Alternative Name of type User principal name (UPN). This ensures that SCEPman can link certificates to user objects in AAD. Other SAN values like an Email address can be added if needed.

A Subject alternative name is required in a SCEP certificate of type User. Without a SAN, you have no access to your company's Wi-Fi.

Example

Certificate Check

To ensure the correct deployment of certificates on your Android device, there are two options:

  • In newer Android versions (e.g. 14), you can verify certificates (user and trusted certificates) under Settings > Security and privacy.
  • Via 3rd party apps like X509 Certificate Viewer Tool.
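As an added example (not part of the SCEPman documentation), the following Python script checks a flat model of an Intune SCEP profile against the device and user settings described above, and works out the renewal window once SCEPman's AppConfig:ValidityPeriodDays cap is applied. The ScepProfile class, its field names and the cap value of 180 days used in the test are constructed for this example; one year is taken as 365 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta

CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"                # EKU required by the profile above
DEVICE_CN_VARS = ("{{DeviceId}}", "{{AAD_Device_ID}}")
DEVICE_URI_SAN = "IntuneDeviceId://{{DeviceId}}"
USER_UPN_SAN = "{{UserPrincipalName}}"
KEY_USAGES = frozenset({"digitalSignature", "keyEncipherment"})

@dataclass
class ScepProfile:
    """Hypothetical flat model of an Intune SCEP profile (constructed for this example)."""
    cert_type: str      # "Device" or "User"
    subject: str        # Intune "Subject name format", e.g. "CN={{DeviceId}}, O=Contoso"
    sans: dict          # SAN type -> value, e.g. {"URI": DEVICE_URI_SAN}
    key_size: int
    key_usages: frozenset
    ekus: tuple         # EKU OIDs

def lint_profile(p: ScepProfile) -> list:
    """Return findings where the profile deviates from the settings in this article."""
    findings = []
    rdns = [tuple(s.strip() for s in part.split("=", 1))
            for part in p.subject.split(",") if "=" in part]
    cns = [v for k, v in rdns if k == "CN"]
    if p.cert_type == "Device":
        # SCEPman takes the device identity and the serial-number seed from the CN
        if not cns or cns[0] not in DEVICE_CN_VARS:
            findings.append("device CN must be {{DeviceId}} or {{AAD_Device_ID}}")
        if p.sans.get("URI") != DEVICE_URI_SAN:
            findings.append("URI SAN should be " + DEVICE_URI_SAN + " for NAC lookups")
    elif p.cert_type == "User":
        # Without the UPN SAN, SCEPman cannot link the certificate to the user object
        if p.sans.get("UPN") != USER_UPN_SAN:
            findings.append("user profile needs UPN SAN " + USER_UPN_SAN)
    if p.key_size != 4096:
        findings.append("key size differs from the 4096 bits used in this guide")
    if p.key_usages != KEY_USAGES:
        findings.append("enable both digital signature and key encipherment")
    if CLIENT_AUTH_OID not in p.ekus:
        findings.append("EKU must include Client Authentication " + CLIENT_AUTH_OID)
    return findings

def renewal_window(requested_days, cap_days, threshold_pct, issued=date(2025, 1, 1)):
    """Effective validity after SCEPman's cap, and the day from which renewal may start."""
    effective = min(requested_days, cap_days)      # cap = AppConfig:ValidityPeriodDays
    lead_days = effective * threshold_pct // 100   # 365 days at 20% -> 73 days before expiry
    return effective, lead_days, issued + timedelta(days=effective - lead_days)
```

Intune computes the renewal threshold on the lifetime of the certificate actually issued, so a cap lower than the profile's validity shortens the renewal window accordingly.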
