Forum Discussion
iOS App Mutual TLS
I am in the process of planning the migration of multiple enterprise Apps from MobileIron to Intune. The existing Apps receive user-specific client certificates from MobileIron which are used for authentication against various backends via mutual TLS.
I have been unable to find a method to deliver user-specific client certificates to an iOS App via Intune, without using hacks such as sending the certificate via email with a custom file extension so that opening the certificate will load it in the app.
Migrating to using OIDC with JWTs would involve a lot of effort to modify the backends to accept JWTs.
Is there a method to deliver user specific client certificates with the associated private key to an iOS App using Intune? If possible we would prefer to access the SCEP certificates already present on the device to use for mutual TLS against our backends.
2 Replies
- DBerry645 (Copper Contributor)
Hey Steven,
I was pretty much in your place about a year ago, MobileIron to Intune move. I ended up setting up NDES for SCEP and a PKI to deploy user certificates to iOS devices using the Intune certificate connector. https://youtu.be/4EZRszjsZJs?si=PKsYFLUQ4RGNkNNk
So far it has worked really well for us. The only things you'll really need to think about are having a public place to host your PKI's CRL (an Azure storage account and a script to copy it up will do the job) and setting up a set of NDES and SCEP servers along with Azure AD App Proxy for deployment, though you don't need the App Proxy; it's just a nice way to do it.
- Steven_Crawford (Copper Contributor)
Hello DBerry,
That sounds interesting and I'll look at the video. Just to clarify: we already have SCEP certificates on the device, the problem is that the App cannot access them, as they are in the system keychain.
Did you manage to get the certificates accessible from within an App using this method? Or did you get the Azure AD App proxy to add the client certificate to the request going to the backend?
Technically I don't need mutual TLS to the backend, but I do need to provide a user certificate in the "SSL_CLIENT_CERT" HTTP header.
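When a proxy forwards the user's certificate to the backend in a header such as `SSL_CLIENT_CERT`, the backend is no longer doing the TLS handshake itself, so the header alone proves nothing: the backend has to parse the certificate, verify that it chains to the enterprise PKI, and only then take the user identity from it. The following Go program is an added example written for this thread, not code from the original posts or from Intune or Azure AD App Proxy. It assumes (hypothetically) that the header carries a PEM certificate, either plain or URL-encoded as some proxies emit it, that the user identity is the subject CN, and that the backend only accepts this header on connections that arrived from the TLS-terminating proxy, which strips any client-supplied copy first. The CA and user certificate are generated in the program as constructed test data standing in for the NDES/SCEP-issued certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// userFromClientCertHeader takes an SSL_CLIENT_CERT style header value (plain
// or URL-encoded PEM), checks that the certificate chains to a trusted CA and
// is valid for client authentication, and returns the subject CN as the user.
// Assumption (hypothetical): the header reaches this code only when set by the
// TLS-terminating proxy, never straight from the client.
func userFromClientCertHeader(headerValue string, roots *x509.CertPool) (string, error) {
	// PathUnescape turns %0A back into newlines but leaves '+' alone, which is
	// valid base64 and must survive; plain PEM therefore passes through unchanged.
	decoded, err := url.PathUnescape(headerValue)
	if err != nil {
		return "", fmt.Errorf("header is not valid URL encoding: %w", err)
	}
	block, _ := pem.Decode([]byte(decoded))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("header does not carry a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("cannot parse certificate: %w", err)
	}
	// The chain check is what stops a forged header from impersonating a user:
	// only certificates issued by the enterprise PKI are accepted.
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// newCA builds a throwaway self-signed CA (constructed test data).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueUserCertPEM issues a client-auth certificate for cn under the given CA
// and returns it PEM-encoded, the way a proxy would place it in the header.
func issueUserCertPEM(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	ca, caKey, err := newCA("Constructed Issuing CA")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pemCert, err := issueUserCertPEM(ca, caKey, "user@example.test") // constructed identity
	if err != nil {
		panic(err)
	}
	// Simulate the URL-encoded form a proxy might put in the header.
	fmt.Println(userFromClientCertHeader(url.PathEscape(pemCert), roots))
}
```

The important design choice is that the root pool contains only the enterprise issuing CA, so a syntactically valid certificate from any other issuer is rejected before its subject is ever read; the proxy forwarding the header does not relieve the backend of that check.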