Security, Compliance, and Identity Blog

Whitepaper: Securing and Hardening NDES for Microsoft Intune and System Center Configuration Manager

Intune Team
Sep 08, 2018

First published on CloudBlogs on Apr 06, 2015

We have just published a new whitepaper that describes best practices for securing and hardening the Network Device Enrollment Service (NDES) server role for use with Microsoft Intune and System Center Configuration Manager.

Deploying certificates via the Simple Certificate Enrollment Protocol (SCEP) ensures that unique private keys are kept on mobile devices and are not accessible by other systems, services, or personnel. These keys can be further protected by using Trusted Platform Modules (TPMs) on Windows or Windows Phone, and by detecting and blocking jailbroken iOS devices or rooted Android devices to ensure the keys are not being exported.

Microsoft’s policy module technology ensures that the SCEP protocol can be used securely for distributing certificates to Internet-facing mobile devices. This whitepaper details how the policy module secures certificate deployment through NDES as well as best practices for how to secure NDES behind a reverse proxy such as Windows Server 2012 R2 Web Application Proxy or Azure Active Directory Application Proxy.

Download the whitepaper

You can also find additional resources here:

- Chris Green, Senior Program Manager

Updated Jan 23, 2023
Version 2.0
  • Thomps_0

    Is there an updated document for securing and hardening NDES for Intune using application proxy through Azure or is this the only document that is available?