Device Directories

SCEPman offers two directories against which device certificates can be validated (e.g. when answering OCSP requests). Each directory stores device objects under a different ID, and SCEPman checks that an object with the ID carried in the certificate exists:

  • Microsoft Entra ID (Azure AD) Device ID

  • Intune (Intune Device ID)

Both IDs are shown in Intune for each device on the "Hardware" tab.

To identify the device behind an issued certificate, SCEPman requires the corresponding ID in the certificate's subject name:

  • Microsoft Entra ID (Azure AD): CN={{AAD_Device_ID}}

  • Intune: CN={{DeviceId}}

When setting up SCEPman and certificate profiles in Intune, it is important to decide which inventory should be used.

Entra ID (AAD) vs. Intune

Both directories have their pros and cons. Since SCEPman 2.0, we generally recommend Intune as the inventory:

  • The Entra Device ID can change during enrollment (seen on iOS/iPadOS/macOS): until the device is finally registered in AAD, its Entra Device ID equals the Intune Device ID, and Intune already issues the certificate before the device gets its final ID. As a result, SCEPman can no longer find the device in AAD after this ID change.

  • Intune is often maintained better than Entra ID (AAD): the AAD and Intune device objects are independent of each other. Deleting a device in Intune does not delete the corresponding AAD object, and Autopilot devices can only be deleted in Intune, not in Microsoft Entra ID (Azure AD). When validating against AAD, the certificates of such devices would therefore still be considered valid.

SCEPman Configuration

SCEPman needs to know which directory or directories should be used for validation. This is controlled by the configuration option AppConfig:IntuneValidation:DeviceDirectory; set it according to your needs.

Note that this requires SCEPman 2.0 or newer. SCEPman 1.x only supports Microsoft Entra ID (Azure AD) as the device directory.

Please note that CN={{DeviceId}} is currently not supported for Android Enterprise Fully Managed, Dedicated and Corporate-Owned Work Profile, as stated in the Microsoft docs. If those device types are in use, consider checking both directories or only Microsoft Entra ID (Azure AD).

To migrate from Microsoft Entra ID (Azure AD) to the Intune ID or vice versa, certificates need to be re-issued on all clients. During the transition, configure SCEPman via AppConfig:IntuneValidation:DeviceDirectory to check both directories, so that both IDs are accepted. After the migration, you can switch to Intune or AAD as the only directory.

Certificate Profiles

Also adjust the subject name of your certificate profiles to the chosen directory, as described under Microsoft Intune.
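The following added example (not SCEPman's code) models the existence check described on this page: the device ID is taken from the certificate's CN and looked up in Entra ID, Intune, or both, which also shows why a device deleted only in Intune keeps validating against AAD and why certificates must be re-issued when switching directories. All device IDs are constructed sample GUIDs, and the mode names `AAD`, `Intune` and `Both` are assumptions; the page does not list the allowed values of `AppConfig:IntuneValidation:DeviceDirectory`.

```python
# Added example, not SCEPman's implementation. Models the directory check
# described on the page; inventories and certificate subjects are constructed.

# Entra ID (AAD) device objects, keyed by Entra Device ID (constructed sample data).
ENTRA_DEVICE_IDS = {
    "11111111-1111-4111-8111-111111111111",  # laptop-a, still managed in Intune
    "22222222-2222-4222-8222-222222222222",  # laptop-b, deleted in Intune only
}
# Intune managed devices: Intune Device ID -> linked Entra Device ID (constructed).
INTUNE_DEVICES = {
    "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa": "11111111-1111-4111-8111-111111111111",
}


def subject_cn(subject: str) -> str:
    """Return the CN value of an RFC 4514 subject string such as 'CN=<id>,O=Contoso'."""
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    raise ValueError(f"no CN in subject {subject!r}")


def device_exists(subject: str, mode: str) -> bool:
    """Does the ID carried in the certificate's CN exist in the configured directory?
    mode is 'AAD', 'Intune' or 'Both' (assumed names for the DeviceDirectory setting)."""
    device_id = subject_cn(subject)
    in_entra = device_id in ENTRA_DEVICE_IDS     # profile used CN={{AAD_Device_ID}}
    in_intune = device_id in INTUNE_DEVICES      # profile used CN={{DeviceId}}
    if mode == "AAD":
        return in_entra
    if mode == "Intune":
        return in_intune
    if mode == "Both":  # migration setting: either ID is accepted
        return in_entra or in_intune
    raise ValueError(f"unknown DeviceDirectory mode {mode!r}")


def orphaned_entra_devices() -> set:
    """Entra device objects that no Intune device points at any more (deleted in Intune only).
    Their certificates still pass an AAD-only check."""
    return ENTRA_DEVICE_IDS - set(INTUNE_DEVICES.values())


if __name__ == "__main__":
    cert_b_aad = "CN=22222222-2222-4222-8222-222222222222, O=Contoso"
    cert_a_intune = "CN=aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
    for mode in ("AAD", "Intune", "Both"):
        print(mode, device_exists(cert_b_aad, mode), device_exists(cert_a_intune, mode))
    print("orphaned Entra devices:", orphaned_entra_devices())
```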