AppViewX Integration with Intune for Certificate Automation
2024-7-12 22:20:30 Author: securityboulevard.com

Microsoft Intune is a cloud-based mobile device management (MDM) solution that helps organizations manage devices, including mobile devices, tablets, and laptops. In addition to standardizing endpoint configurations, it delivers the configuration that tells an endpoint how to obtain a device or user certificate. These certificates are necessary for users and devices to prove their identity and authenticate to a remote server or application in order to use its services, such as Wi-Fi authentication and enterprise VPN access.

With the advent of modern technology and changes in post-COVID working styles, end users can work anywhere: in the office, at home, in coffee shops, or wherever they need to carry out their work. This requires a sustainable request-and-delivery mechanism for certificates to widely dispersed endpoints, which can be quite challenging to set up. These challenges affect the issuing, renewal, and delivery of certificates to the endpoints.

How AppViewX AVX ONE Helps Simplify Certificate Management

AppViewX AVX ONE is a certificate lifecycle and PKI management platform that offers native integration with Intune as well as with various certificate authority (CA) providers. It acts as a registration authority (RA) to issue certificates to endpoints. AVX ONE leverages the Simple Certificate Enrollment Protocol (SCEP), a method recommended and approved by Intune, to validate and issue certificates to requesting endpoints.

With AVX ONE, certificates can be issued by any CA, not just a specific one. If there is a need to change the issuing CA, only minimal configuration changes are required on the AppViewX side. These changes are simple and quick to execute, making the process efficient and flexible.

How the Integration Works

Step 1: The profile for the endpoints is configured in Intune, where the SCEP URL is one of the parameters. This SCEP URL includes the URL of AVX ONE. When this profile is pushed to the endpoint, Intune also provides an encrypted and signed challenge to the endpoint.

Step 2: When the endpoint needs a certificate, it sends a SCEP request to the SCEP URL (AVX ONE). This request contains the CSR (Certificate Signing Request) along with the encrypted challenge sent by Intune.

Step 3: AVX ONE authenticates with Intune and presents the CSR along with the encrypted challenge sent by the endpoint to Intune.

Step 4: Intune validates the encrypted challenge and the CSR. Upon validation, Intune informs AVX ONE to either proceed with issuing the certificate or reject it based on the validation.

Step 5: AVX ONE presents the CSR to the configured CA of choice, gets it signed, and sends the certificate back to the endpoint.
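The following is an added simulation of the Step 1 to Step 5 flow above, written for this page and not AppViewX or Intune code. It models the Intune challenge as an HMAC-signed, expiring, single-use token bound to the expected CSR subject (the real challenge is also encrypted; that layer and the SCEP PKCS#7 wrapping are omitted), and shows that the RA only asks the CA to sign after the validation step returns approval. INTUNE_KEY, the device identifiers, the subject names and the "EXAMPLE-CA" stand-in are all constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed simulation; not AppViewX or Intune code.
# INTUNE_KEY is a placeholder held by the "Intune" side alone. The real challenge
# is encrypted as well as signed; only signing is modelled here.
INTUNE_KEY = secrets.token_bytes(32)
USED_NONCES = set()  # Intune-side replay cache of challenges already consumed

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def intune_issue_challenge(device_id: str, subject: str, now: int, ttl: int = 600) -> str:
    """Step 1: Intune issues a one-time, expiring challenge bound to device and subject."""
    body = {"device": device_id, "subject": subject, "nonce": secrets.token_hex(8), "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(INTUNE_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def intune_validate(challenge: str, csr_subject: str, now: int) -> tuple[bool, str]:
    """Step 4: Intune checks signature, expiry, replay, and that the CSR matches the challenge."""
    try:
        p64, t64 = challenge.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (ValueError, binascii.Error):
        return False, "malformed challenge"
    expected = hmac.new(INTUNE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    body = json.loads(payload)
    if now > body["exp"]:
        return False, "challenge expired"
    if body["subject"] != csr_subject:
        return False, "CSR subject does not match challenge"
    if body["nonce"] in USED_NONCES:
        return False, "challenge already used"
    USED_NONCES.add(body["nonce"])
    return True, "ok"

def ra_handle_scep(request: dict, now: int) -> dict:
    """Steps 2, 3 and 5: the RA never contacts the CA until Intune approves the CSR/challenge pair."""
    ok, reason = intune_validate(request["challenge"], request["csr"]["subject"], now)
    if not ok:
        return {"status": "rejected", "reason": reason}
    # Stand-in for the configured CA of choice: records what would be signed.
    cert = {"subject": request["csr"]["subject"], "issuer": "EXAMPLE-CA", "serial": secrets.token_hex(6)}
    return {"status": "issued", "cert": cert}
```

Each rejection reason corresponds to a check a defender should expect to see logged on the RA side when an endpoint presents a stale, replayed, or substituted request.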

How to Operationalize the Integrated Solution

With the AVX ONE SaaS platform, there are two ways the endpoint can send the certificate request:

  1. Directly to the AVX ONE SaaS Platform URL:
    • The endpoint sends the certificate request directly to the AVX ONE SaaS platform URL.
    • This method ensures a straightforward connection and reduces the dependency on any additional network components.
  2. Send the Request to the AVX ONE Cloud Connector URL:
    • The endpoint sends the certificate request to the AVX ONE Cloud Connector URL.
    • The AVX ONE Cloud Connector acts as an intermediary proxy, forwarding the request to the AVX ONE SaaS platform.
    • This method can be useful for additional security layers or if you need granular control over the connections.

Using the AVX ONE SaaS Platform URL

The endpoint sends the request to the AVX ONE SaaS URL on port 443 and, over the same channel, receives the certificate once the challenge is validated with Intune. This URL is accessible over the cloud and can be accessed from anywhere on the Internet.

  • Ensure that the AVX ONE SaaS URL is reachable from the internal corporate network, even where outbound Internet access is restricted.
  • This allows endpoints to obtain certificates whether they are inside the corporate network or on the Internet, so they can roam between network environments without losing enrollment.

*** This is a Security Bloggers Network syndicated blog from Blogs Archive - AppViewX authored by AppViewX. Read the original post at: https://www.appviewx.com/blogs/appviewx-integration-with-intune-for-certificate-automation/


Article source: https://securityboulevard.com/2024/07/appviewx-integration-with-intune-for-certificate-automation/