macOS

Deploy certificates to macOS devices via SCEP in Intune using SCEPman.

Last updated 5 months ago

The following article describes how to deploy device and/or user certificates to macOS devices. Deploying the SCEPman Root Certificate is mandatory. Afterwards, you can choose to deploy device certificates, user certificates, or both.

Please note that macOS enrols a separate client authentication certificate for each device configuration profile in which a SCEP profile is referenced, in addition to the actual SCEP certificate profile.

Root Certificate

The basis for deploying SCEP certificates is trusting the SCEPman root certificate. Therefore, you have to download the CA root certificate and deploy it as a Trusted certificate profile via Microsoft Intune.

Note that you have to use the same group for assigning the Trusted certificate profile and the SCEP profile. Otherwise, the Intune deployment might fail.

Device certificates

Certificate type: Device

In this section we are setting up a device certificate.

Subject name format: CN={{DeviceName}} or CN={{DeviceId}} or CN={{AAD_Device_ID}}

Recommended: Use {{DeviceName}} for the CN RDN so that the certificate has a meaningful name on the device and when searching for it.

Optional: If configured as CN={{DeviceId}} or CN={{AAD_Device_ID}}, SCEPman uses the CN field of the subject name to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs:

  • {{AAD_Device_ID}}: This ID is generated and used by Microsoft Entra ID (Azure AD).
  • {{DeviceId}}: This ID is generated and used by Intune (requires SCEPman 2.0 or higher and AppConfig:IntuneValidation:DeviceDirectory set to Intune or AADAndIntune).

Important: The choice of the CN field affects the automatic revocation behavior of certificates issued to your Intune-managed devices.

In case neither CN={{DeviceId}} nor CN={{AAD_Device_ID}} is used for the CN field (e.g. CN={{DeviceName}}), SCEPman identifies the device based on the Intune Device ID (URI value IntuneDeviceId://{{DeviceId}}) provided in the subject alternative name (SAN).

You can add other RDNs if needed (e.g. CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}). Supported variables are listed in the Microsoft docs.

Subject alternative name: URI Value: IntuneDeviceId://{{DeviceId}}

The URI field is mandatory in case neither CN={{DeviceId}} nor CN={{AAD_Device_ID}} is used in the Subject name format field. It also allows NAC solutions to identify devices based on their Intune Device ID.

Other SAN values like DNS can be added if needed.

Certificate validity period: 1 year

Important: macOS devices ignore the validity period configured via Intune. Please make sure to configure AppConfig:ValidityPeriodDays to a fixed value. You can leave the certificate validity period setting at 1 year because it will be ignored anyway.

Important: Also note that certificates on macOS are only renewed by Intune when the device is unlocked, online, syncing and in scope of the renewal threshold. If certificates have expired (e.g. the device was offline and/or locked for a long time), they won't be renewed any more. Therefore, we recommend choosing a higher value here.

Key usage: Digital signature and key encipherment

Please activate both cryptographic actions.

Key size (bits): 2048

SCEPman supports 2048 bits.

Root Certificate: Profile from previous step

Please select the Intune profile created in the Root Certificate step above.

Extended key usage: Client Authentication, 1.3.6.1.5.5.7.3.2

Please choose Client Authentication (1.3.6.1.5.5.7.3.2) under Predefined values. The other fields will be filled out automatically.

Important: macOS devices do not support any Extended Key Usages (EKUs) other than Client Authentication. This means that any other EKUs configured in this profile will be ignored.

Renewal threshold (%): 50

This value defines when the device is allowed to renew its certificate (based on the remaining lifetime of the existing certificate). Please read the note under Certificate validity period and select a suitable value that allows the device to renew the certificate over a long period. A value of 50% allows a device with a certificate valid for 1 year to start renewal 182 days before expiration.

SCEP Server URLs: Open the SCEPman portal and copy the URL of Intune MDM.

Example

https://scepman.contoso.com/certsrv/mscep/mscep.dll

With our stated settings, we fulfill Apple's certificate requirements.

User Certificates

The following section shows how to deploy user certificates via an Intune certificate profile on macOS X 10.12 (or later) devices. Please follow the instructions of the Device certificates section above and take care of the following differences.

Please note: Certificates provisioned through the SCEP protocol, regardless of the type (user or device), are always placed in the system keychain (System store) of the device.

In case a 3rd-party application requires access to such a certificate (e.g. a 3rd-party VPN client), the slider Allow all apps access to private key in the keychain must be set to enabled.

Certificate type: User

In this section we are setting up a user certificate.

Subject name format: CN={{UserName}},E={{EmailAddress}}

You can define RDNs based on your needs. Supported variables are listed in the Microsoft docs. We recommend including the username (e.g. janedoe) and email address (e.g. janedoe@contoso.com) as a baseline setting.

Subject alternative name: UPN Value: {{UserPrincipalName}}

SCEPman uses the UPN in the SAN to identify the user and as a seed for the certificate serial number generation (e.g. janedoe@contoso.com). Other SAN values like Email address can be added if needed.

With our stated settings, we fulfill Apple's certificate requirements.
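The device and user identification rules, the macOS EKU and key-size notes and the renewal-threshold arithmetic above, as a pre-deployment check of an Intune SCEP profile in Python. This is an added example and not SCEPman's or Microsoft's code; ScepProfile, lint and renewal_window_days are names invented here, and SAN entries are modelled as (type, value) pairs as entered in the Intune profile.

```python
# Added example (not SCEPman's code): lint an Intune SCEP profile for macOS
# against the rules stated on this page. All names here are invented.
from dataclasses import dataclass

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
DEVICE_ID_CNS = ("CN={{DeviceId}}", "CN={{AAD_Device_ID}}")
INTUNE_DEVICE_SAN = ("URI", "IntuneDeviceId://{{DeviceId}}")
UPN_SAN = ("UPN", "{{UserPrincipalName}}")

@dataclass
class ScepProfile:
    cert_type: str            # "Device" or "User"
    subject_name_format: str  # e.g. "CN={{DeviceName}},O=Contoso"
    sans: list                # (type, value) pairs as entered in the Intune profile
    key_size: int = 2048
    ekus: tuple = (CLIENT_AUTH_EKU,)
    validity_days: int = 365  # ignored by macOS, see AppConfig:ValidityPeriodDays
    renewal_threshold_pct: int = 50

def first_cn(subject):
    """Return the first CN RDN as 'CN=<value>', or '' if there is none."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return "CN=" + value.strip()
    return ""

def lint(p):
    """Return the problems found; an empty list means the profile matches this page."""
    problems = []
    if p.cert_type == "Device":
        # Without a device-ID CN, SCEPman identifies the device via the SAN URI.
        if first_cn(p.subject_name_format) not in DEVICE_ID_CNS and INTUNE_DEVICE_SAN not in p.sans:
            problems.append("SAN must carry URI IntuneDeviceId://{{DeviceId}} when CN is not a device ID")
    elif p.cert_type == "User":
        if UPN_SAN not in p.sans:  # SCEPman identifies the user by the UPN in the SAN
            problems.append("SAN must carry UPN {{UserPrincipalName}}")
    if CLIENT_AUTH_EKU not in p.ekus:
        problems.append("Client Authentication EKU 1.3.6.1.5.5.7.3.2 is required")
    for eku in p.ekus:
        if eku != CLIENT_AUTH_EKU:  # macOS honours only Client Authentication
            problems.append("macOS ignores EKU " + eku)
    if p.key_size != 2048:
        problems.append("SCEPman supports 2048-bit keys")
    return problems

def renewal_window_days(p):
    """Days before expiry at which Intune may start renewing (365 at 50% -> 182)."""
    return p.validity_days * p.renewal_threshold_pct // 100
```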