Managing WIFI certificates for iOS devices with ConfigMgr MDM

This will be the last Christmas blog post from Coretech in 2014. A huge thanks to all of you who followed our Christmas blogs in December. @Coretech we wish you and your loved ones a Merry Christmas and a Happy New Year. We look forward to serving you again in 2015 with knowledge, inspiration and best practices on Microsoft technologies.

One of the many needed features offered by ConfigMgr & Intune is the ability to deploy certificates and WIFI profiles. Both are essential when implementing an MDM/BYOD strategy.

Creating the required SCEP certificate for iOS

As mentioned in a previous blog post, iOS does not support Signature in proof of origin in the NDES General Purpose certificate. In this example the Root certificate and the required NDES certs are already created.

  1. In the Assets and Compliance workspace, select Compliance Settings, Company Resource Access, Certificate Profiles and create a new SCEP certificate.
  2. On the SCEP Enrollment page, configure these settings and click Next
    Retries = 5
    Retry delays = 2
    Devices for certificate enrollment = Allow certificate enrollment of any device.
  3. On the Certificate Properties page, configure these settings and click Next:
    Certificate template name: Select the NDES certificate
    Certificate type: User
    Subject name format: Common name
    Subject alternative name: User Principal name (UPN)
    Extended key usage: Client Authentication (comes from the certificate)
    Hash: SHA-1
    Root CA certificate: Your root certificate. Note that this must also be deployed through ConfigMgr/Intune.

  4. On the Supported Platforms page, select the iOS devices and finish the wizard. I prefer to have a SCEP profile for each of the supported mobile devices: Windows Phone, Android and iOS.
  5. Once the certificate profile is created, you should deploy it to all Intune users (not to any devices, always users!)

Create the iOS WI-FI profile

In this example I’ll take you through the creation of a WI-FI profile using the SCEP certificate created above.

  1. In the Assets and Compliance workspace, select Compliance Settings, Company Resource Access, WI-FI Profiles and create a new WI-FI profile.
  2. On the WI-FI profile page, configure the Network/SSID settings and click Next.
  3. On the Security Configuration page, configure these settings and click Configure (that’s right, click Configure before you click Next!)
    Security type: WPA2-Enterprise
    Encryption: AES
    EAP type: Smart Card or other Certificate
  4. On the Smart Card or Other Certificate Properties page, configure these settings and click Advanced.
    When connecting: Use a certificate on this computer
    When connecting: Use simple certificate selection
  5. On the Configure Certificate Selection page, configure these settings:
    Certificate Issuer: Intermediate Certification Authorities: Select the intermediate certificate
    Extended Key Usage (EKU): Enabled
    All Purpose: Enabled
    Client Authentication: Enabled
    AnyPurpose: Enabled 
  6. On the AnyPurpose section, click Add, select the Client Authentication EKU and click OK
  7. Click OK twice and click Next.
  8. On the Advanced Settings page, configure these settings and click Next.
    Specify authentication mode: Enabled
    Authentication mode: user authentication
  9. On the Proxy Settings page, click Next (if you have any Proxy settings, configure those before you click Next)
  10. On the Supported Platforms page, select the supported iOS devices and click Next
  11. Once the WI-FI profile is created, you should deploy it to all Intune users.

Happy deploying – after the next synchronization you will see the WI-FI profile being applied on the iOS devices.
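
To confirm that a certificate issued through the SCEP profile meets the selection criteria configured in the WI-FI profile (Client Authentication EKU, UPN in the subject alternative name, expected issuer), you can export an issued certificate from the CA and check it. The PowerShell below is an added example, not part of the original post or of ConfigMgr; the function name, its parameters, the file path and the CA name are hypothetical, and the UPN match assumes an English-language Windows host.

```powershell
# Added example: checks an exported certificate against the settings chosen in the
# SCEP and WI-FI profiles. Function name, parameters and sample values are hypothetical.
function Test-ScepWifiCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,           # exported issued certificate (.cer)
        [Parameter(Mandatory)] [string] $ExpectedIssuer  # simple name of the CA selected as Certificate Issuer
    )

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path -LiteralPath $Path).ProviderPath

    # Extended key usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

    # Subject alternative name (OID 2.5.29.17) should carry the UPN.
    # Assumption: English Windows renders the UPN entry as "Principal Name=user@domain".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $upn = if ($sanText -match 'Principal Name=([^,\s]+@[^,\s]+)') { $Matches[1] } else { $null }

    # Issuer simple name (the CN of the issuing CA); $true selects the issuer, not the subject
    $issuer = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)

    $now = Get-Date
    $inValidity = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $issuer
        IssuerMatches      = ($issuer -eq $ExpectedIssuer)
        ClientAuthEku      = $hasClientAuth
        Upn                = $upn
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName  # chosen by the issuing CA
        NotAfter           = $cert.NotAfter
        WithinValidity     = $inValidity
        Pass               = ($issuer -eq $ExpectedIssuer) -and $hasClientAuth -and [bool]$upn -and $inValidity
    }
}

# Constructed sample call; replace the path and CA name with your own values.
# Test-ScepWifiCertificate -Path .\issued-user.cer -ExpectedIssuer 'Example Issuing CA'
```

A result with `Pass = False` shows which of the profile settings the issued certificate does not satisfy.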


Comments (2):

  1. Charl says:

    Hi Kent, thanks for a great article. I have Wi-Fi profiles working for iOS and Windows using SCEP and NDES with SCCM 2012 R2 SP1. It does not seem to work for Android devices. Have you perhaps tested this for Android or come across such an implementation for Android? Thank you.

  2. Sean says:

    Hi Kent, Charl,

    Same question – (Charl, any chance you got this solved?)

    Everything’s working fine on iOS.
    And for Android devices, the SCEP certs are getting issued by the CA to the NDES service account, but then mysteriously vanish… And never make it to Android devices’ stores.

    Tested on an S4 on 5.0.1 and an S6 Edge on 5.1.1.

    Any ideas?
    Cheers
