IdExchange adds security controls and installation flexibility to greatly enhance the InTune Mobile Certificate Distribution capability. In this blog, we explore how these platforms can help enterprises drastically improve their ability to add PKI certificates to their mobile devices.
Microsoft InTune (InTune) is Microsoft’s mobile device management (MDM) platform. InTune manages the settings and configurations of mobile devices that are registered with it allowing for central management of disparate mobile devices. This capability helps organizations enforce security policies on mobile platforms. For enterprises wanting to implement MFA, InTune also has the capability to distribute PKI certificates to its devices. This feature can rapidly enable a device to use digital certificates for VPN, web access, and message security.
An important feature that is often overlooked in modern devices (iOS, Droid, Microsoft Surface Pro) is there extensive built in cryptography support enabling PKI based MFA out of the box. Combining these built in crypto capabilities with the InTune’s certificate distribution features enables an organization to rapidly MFA enable all of their devices. The only thing that is missing, is the certificate.
Linking InTune to the CA – SCEP
So, just how does InTune interact with the certificate authority (CA)? How does your device actually get a certificate? Well, there can be many ways, but most of them are proprietary and not always supported by the MDM. Therefore, we want to focus on a protocol that is well documented and has been adopted by every reputable MDM platform, the SCEP protocol. SCEP is short for Simple Certificate Enrollment Protocol. It was initially developed as a way for network devices to obtain certificates. It implements a set of integrity controls to allow the device to securely send a certificate signing request to a CA and then have that certificate response securely sent back to the device.
Using SCEP to distributing certificates to mobile devices does have unique challenges. Although SCEP fundamentally secures its communication with cryptographic techniques, it lacks the features relating to device verification, identity proofing, and ease of installation that are typically required by an enterprise. Let’s review some of these limitations below:
- First, although SCEP is a standard protocol, it is not natively supported by many CA platforms out of the box and requires additional modules to be installed to work.
- It does not enable custom issuance rules or specification of certificate templates
- Difficult to use if leveraging a cloud MDM or do not have direct domain access
- SCEP can be hard to troubleshoot. For example, it is challenging to see when a SCEP request has been submitted and what may have caused it to fail.
How IdExchange overcomes the SCEP limitations
We built on the fundamental SCEP protocol by adding security controls and architecture flexibility to provide both the security and ease of installation improvements to drastically enhance the InTune mobile certificate distribution capability. We used a combination of Microsoft SCEP Validation API calls, NIST Derived Credential identity proofing protocols, and built a SCEP relay service that allows organizations to use InTune with their internal CA without requiring any firewall changes. The list below describes the improvements in more detail.
- External SCEP Validation: IdExchange will validate the SCEP request using the Microsoft API calls to ensure the request is legitimate and properly formed.
- Custom issuance rules: In addition to validating the SCEP request externally, we also verify internal security rules to ensure items such as: the device has been verified, there are multiple-verifications for the certificate request, the user has been proofed properly.
- SCEP request and distribution monitoring: We also monitor the SCEP responses to ensure the certificate is distributed properly.
- Existing CA interoperability: We updated our IdExchange to convert SCEP requests to the native CA protocol so no changes to the existing CA are required. Simply put, we just point InTune to our IdExchange system and it contacts the CA and generates the certificate without any additional modules.
- Employment status monitoring: One of the final improvements we implement was to automatically monitor the user’s employment status and revoke the certificate if the user’s employment was terminated.
What can this do for my Enterprise?
InTune combined with IdExchange can allow you to easily distribute MFA certificates to all of your mobile devices in a way that meets the highest security controls and does not require you to change your PKI infrastructure or firewall. With this capability, you can now easily add PKI based credentials in a way that works for you. To learn more, visit our InTune Page. If you have any questions, always email us at firstname.lastname@example.org.