Intune Connector Guide
  • 12 Dec 2024


Article summary

Use this guide to integrate your Entra / Azure tenant and the Intune Connector in Axiad Conductor.

Prerequisites

Before configuring the integration, you must define the certificate templates in the PKI-aas console that will be used for SCEP enrollment through Intune. Key considerations include:

  • Device or user certificate type

  • Issuing CA

  • Format of certificate subject and SAN

  • Intended usage (encryption, digital signature)

Please work with your Axiad Customer Success representative to configure the above prior to deployment.

Entra Tenant Configuration

  1. Create an Enterprise App Registration in the Entra tenant, using any descriptive name

  2. Click Register

  3. Within the new Enterprise App, generate a secret

    1. Navigate to Certificates & Secrets > Client Secrets > New client secret

    2. Copy the secret

Important

The secret can only be retrieved at the time of its creation, so be sure to copy it, as you will need it later.

  4. Go to API Permissions > Add a permission > Microsoft Graph > Application Permissions

  5. Add the following permissions:

    • Application.Read.All

    • User.Read

  6. Click on Add a permission > Intune > Application permissions and add the following:

    • scep_challenge_provider

  7. Click on Add a permission > Azure Rights Management Service and add the following:

    • Application.Read.All

  8. Grant consent for your tenant once all permissions have been added

  9. Your App Registration settings should appear similar to the example below

  10. Securely provide the following information to Axiad:

    • The API secret for the App registration (generated in step 3)

    • The aad-app-id (the ID of the Enterprise App created)

    • The Entra tenant ID

Intune Configuration

As a first step, we need to ensure that Intune-managed devices enrolling for this certificate template will trust the certificate issuer. Afterwards, we will create the actual certificate request profile.

Contact Axiad to obtain the required certificates in advance.

  1. Within Intune, create a new Device Configuration profile, with the type Template – Trusted Certificate

  2. Under Configuration settings, select the Root CA certificate for the Certificate file

  3. Select Computer certificate store - Root from the Destination store dropdown

  4. Finish the profile configuration

  5. Create another Device Configuration profile, with the type Template - Trusted Certificate

  6. Under Configuration settings, select the ScepRA certificate for the Certificate file

  7. Select Computer certificate store - Intermediate from the Destination store dropdown

  8. Finish the profile configuration

  9. Create a new Configuration Profile, with the type SCEP certificate

  10. Configure the certificate fields, key usages, and SAN names per your requirements, ensuring that this information matches the configuration of the corresponding Certificate Template on Axiad

IMPORTANT

The Root certificate configured under the SCEP profile MUST match the Root CA certificate uploaded in step 2.

The SCEP URL is bound to a certificate profile, so each URL will map to a different enrollment:

<SERVER_URL>/intune-connect/api/scep/v1.0/enroll/<ENTRA_TENANT_ID>/<AXIAD_CERTIFICATE_PROFILE>/<OS>

Note the following:

  • SERVER_URL: Defined and provided by Axiad

  • ENTRA_TENANT_ID: Your Entra tenant ID

  • AXIAD_CERTIFICATE_PROFILE: The name of the certificate template created on the PKI

  • OS: Android, iOS or Windows (for statistical purposes)

Here is a sample of a SCEP certificate profile:

General Troubleshooting

There may be a significant delay before a client attempts enrollment (or fetches an Intune profile). You can trigger a manual sync from the Settings panel on the device itself, as shown below. Often, a reboot of the client machine is quicker than waiting for a sync:

By default, Windows tracks certificate enrollment failures. These provide information on enrollment attempts made through Intune and can be seen in the Event Log > Application > Event ID 87:
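The checks above can be scripted on a Windows client. The following is an added example (not Axiad's or Microsoft's code) that verifies the Root CA and ScepRA certificates from the two Trusted Certificate profiles landed in the expected stores and then lists recent Event ID 87 entries; the two thumbprint parameters are placeholders to be replaced with the values from the certificates Axiad provides.

```powershell
# Added example: verify the trust chain deployed by the Trusted Certificate
# profiles and list SCEP enrollment failures (Event ID 87) on a Windows client.
# Thumbprints are placeholders; use the real ones from Axiad's certificates.
param(
    [string]$RootThumbprint   = 'ROOT_CA_THUMBPRINT_PLACEHOLDER',
    [string]$ScepRaThumbprint = 'SCEP_RA_THUMBPRINT_PLACEHOLDER'
)

# Steps 1-4 place the Root CA in the Computer Root store (Cert:\LocalMachine\Root);
# steps 5-8 place the ScepRA certificate in the Intermediate store (Cert:\LocalMachine\CA).
$checks = @(
    @{ Name = 'Root CA'; Store = 'Cert:\LocalMachine\Root'; Thumbprint = $RootThumbprint },
    @{ Name = 'ScepRA';  Store = 'Cert:\LocalMachine\CA';   Thumbprint = $ScepRaThumbprint }
)

foreach ($c in $checks) {
    $cert = Get-ChildItem -Path $c.Store |
        Where-Object { $_.Thumbprint -eq $c.Thumbprint.ToUpper() }
    if ($cert) {
        '{0}: present in {1} (expires {2:yyyy-MM-dd})' -f $c.Name, $c.Store, $cert.NotAfter
    } else {
        '{0}: MISSING from {1} - the Trusted Certificate profile has not applied yet' -f $c.Name, $c.Store
    }
}

# Event ID 87 in the Application log records certificate enrollment failures.
# Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 87 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) {
    'No Event ID 87 entries found: no enrollment failure recorded (or no attempt made yet)'
} else {
    $events | Select-Object TimeCreated, ProviderName, Message | Format-List
}
```

Run it in an elevated PowerShell session after the device has synced or rebooted; a missing store entry points at the Trusted Certificate profile, while a failure event with both certificates present points at the SCEP profile or the enrollment URL.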

