The following article describes how to deploy a device or/and user certificates for macOS devices. The deployment of the SCEPman Root Certificate is mandatory. Afterward, you can choose between deploying only device, user or even both certificate types.
Please note that macOS enrols a separate client authentication certificate for each device configuration profile in which a SCEP profile is referenced, in addition to the actual SCEP certificate profile.
Root Certificate
The basis for deploying SCEP certificates is to trust the root certificate of SCEPman. Therefore, you have to download the CA Root certificate and deploy it as a Trusted certificate profile via Microsoft Intune:
Note, that you have to use the same group for assigning the Trusted certificate and SCEP profile. Otherwise, the Intune deployment might fail.
Device certificates
Certificate type: Device
In this section we are setting up a device certificate.
Subject name format: CN={{DeviceName}} or CN={{DeviceId}} or CN={{AAD_Device_ID}}
Recommended: Use {{DeviceName}}for the CN RDN to have a meaningful name of the certificate on the device or when searching for the certificate.
Optional: If configured to CN={{DeviceId}} or CN={{AAD_Device_ID}}, SCEPman uses the CN field of the subject name to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs:
{{AAD_Device_ID}}: This ID is generated and used by Microsoft Entra ID (Azure AD).
In case neither CN={{DeviceId}} nor CN={{AAD_Device_ID}} is used for the CN field (e.g. CN={{DeviceName}}), SCEPman will identify the device based on the Intune Device ID ((URI)Value:IntuneDeviceId://{{DeviceId}}) provided in the subject alternative name (SAN).
Important: The choice of the CN field affects the automatic revocation behavior of certificates issued to your Intune-managed devices.
You can add other RDNs if needed (e.g.: CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}). Supported variables are listed in the Microsoft docs.
Subject alternative name: URI Value:IntuneDeviceId://{{DeviceId}}
The URI field is recommended by Microsoft for NAC solutions to identify the devices based on their Intune Device ID.
The URI field is mandatory in case neither CN={{DeviceId}} nor CN={{AAD_Device_ID}} is used in the Subject name format field.
Please choose Client Authentication (1.3.6.1.5.5.7.3.2) under Predefined values. The other fields will be filled out automatically.
Important:macOS devices do not support any Extended Key Usages (EKUs) other thanClient Authentication. This means that any other EKUs configured in this profile will be ignored.
Renewal threshold (%): 50
This value defines when the device is allowed to renew its certificate (based on remaining lifetime of existing certificate). Please read the note under Certificate validity period and select a suitable value that allows the device the renew the certificate over a long period. A value of 50% would allow the device with a 1 years valid certificate to start renewal 182 days before expiration.
SCEP Server URLs: Open the SCEPman portal and copy the URL of Intune MDM
The following section will show you how you can deploy user certificates via Intune Certificate profile on macOS X 10.12 (or later) devices.
Please note: Certificates provisioned through the SCEP protocol - regardless of the type (user or device) - are always placed in the system keychain (System store) of the device.
In case a 3rd party application requires access to such a certificate (e.g. 3rd party VPN client), the slider to Allow all apps access to private key in the keychain must be set to enabled.
Please follow the instructions of #Device certificates and take care of the following differences:
Certificate type: User
In this section we are setting up a user certificate.
Subject name format: CN={{UserName}},E={{EmailAddress}}
You can define RDNs based on your needs. Supported variables are listed in the Microsoft docs. We recommend to include the username (e.g.: janedoe) and email address (e.g.: janedoe@contoso.com) as baseline setting.
Subject alternative name: UPN Value:{{UserPrincipalName}}
SCEPman uses the UPN in the SAN to identify the user and as a seed for the certificate serial number generation (e.g.: janedoe@contoso.com).
Other SAN values like Email address can be added if needed.
{{DeviceId}}: This ID is generated and used by Intune.
(requires SCEPman 2.0 or higher and to be set to Intune or AADAndIntune)
Important:macOS devices ignore the configuration of the validity period via Intune. Please make sure, to configureto a fixed value. You can leave the certificate validity period setting to 1 year because it will be ignored anyway.Important:Also note, thatcertificates on macOS are only renewedby Intune when the device isunlocked, online, syncing and in scope of the renewal threshold. If certificates are expired (e.g.: device was offline and/or locked for a long time), they won't be renewed any more. Therefore, we recommend to choose an higher value here.
