Author : Chris Green, Program Manager
A key feature of the mobile device management capabilities provided by System Center 2012 R2 Configuration Manager with Windows Intune is the ability to provision client certificates to managed devices. Organizations that use an enterprise PKI for client authentication to resources like WiFi and VPN can use this feature to provision certificates to Windows, Windows Phone, iOS, and Android devices managed through Windows Intune. This article provides an in-depth look at how this feature works, and where you can go to find out all of the information you need to get up and running.
Certificate enrollment through Simple Certificate Enrollment Protocol
There are many ways to get a certificate onto a device. Some approaches are highly manually but do the job, such as sending a certificate via email or making it available for download from a web page. Other approaches embed the certificate as part of a payload, such as embedding a PFX as part of an MDM protocol command. Another approach involves using an enrollment protocol that lets a client initiate an enrollment request to a registration authority. All approaches have advantages and disadvantages.
Configuration Manager with Windows Intune leverages an enrollment protocol called Simple Certificate Enrollment Protocol (SCEP), which is natively supported by iOS, Windows 8.1 and Windows Phone 8.1, and is also supported through the Windows Intune Company Portal app for Android. Using a certificate enrollment protocol has the definite advantage of having the private key generated directly on the device. The private key is never generated, cached, or stored by either Configuration Manager on-premises components or by the Windows Intune cloud service, which helps to keep it secure.
It is worth noting that SCEP was originally designed for enrolling certificates on networking equipment, and therefore has a simple challenge-based authentication scheme that does not strongly authenticate certificate requests . With this knowledge in mind, the Intune and Active Directory Certificate Services (AD CS) product teams worked closely to produce a secure solution that integrates Configuration Manager with the Network Device Enrollment Service (NDES) role in Windows Server 2012 R2. NDES now supports the ability to configure a policy module, which provides additional validatio... (More details are also outlined by the AD CS team in this Curah page ). The next section describes how this solution works.
Certificate provisioning through Configuration Manager and Windows Intune
Here is how Configuration Manager with Windows Intune uses the new NDES policy module feature to provide secure certificate provisioning to mobile devices using SCEP. It first involves setting up an NDES server role and installing a policy module that ships with System Center Configuration Manager 2012 R2 installation media, and then setting up a site system role in Configuration Manager called the Certificate Registration Point (CRP). There are some links to good documentation at the end of this article that provide details on how to get everything set up.
The flow for provisioning certificates is as follows:
- The Desktop admin creates and deploys a policy that includes the properties of the certificate for SCEP enrollment. User- or device-specific properties like subject name and SAN are populated from AD. NDES URL is added to the policy (if multiple NDES are configured to talk to Configuration Manager, one will be chosen at random)
- The Intune Gateway Proxy generates a challenge string which is a combination of certain properties like SN, SAN, Key Usage and Key Length. The challenge string is injected into the policy. The policy is converted to the platform MDM protocol (like OMA-DM for Windows 8.1) and sent to the device.
- The Device receives the policy with SCEP payload (including NDES URL, and SCEP challenge), and then initiates an enrollment request from NDES
- The NDES role receives the enrollment request, and forwards it to the Policy Module plug-in. The Policy Module forwards request to the Certificate Registration Point (CRP)
- The CRP compares the attributes of the SCEP request with the challenge string stored in the DB to confirm that they match. The CRP sends confirmation to the Policy Module plug-in.
- The Policy Module plug-in returns the API call with a success or failure . If the call returns a success, NDES sends a certificate issuance request to the Certificate Athourity (CA).
- The CA issues the certificate based on the configured template, and returns the certificate to the NDES role.
- The NDES role sends the certificate to the device.
Enrollment request and SCEP challenge security
As described in the certificate provisioning flow, there are multiple validations performed on the enrollment request to assure its integrity.
- A unique challenge string is generated per SCEP profile. This string is a combination of request properties such as Subject Name, Subject Alternative Name, EKU and Key length. The challenge string is generated in memory in an isolated server within a Microsoft datacenter and is never cached.
- The SCEP challenge string is signed by a Windows Intune certificate before it is added to the SCEP profile and sent to the device.
- Upon receiving the enrollment request, the challenge string is forwarded to the Certificate Registration Point where the contents are compared against the enrollment request, the Microsoft certificate signature is verified, and the enrollment request properties are compared to the Configuration Manager database. This process verifies that the request is for the same user or device account that the policy was targeted to, and that the purpose of the certificate is the same. The challenge string is then recorded as having been used in order to prevent “replay attacks”, in which a previously used challenge string is re-used for malicious purposes.
Protecting client certificates on managed devices
There are a couple of measures that can be taken in order to protect against certificates being exported from the managed device, and used on other devices. The first option is to mark the private key as not exportable in the certificate template. This will prevent typical users from exporting certificates with private keys and installing them on different devices. However, this option does not provide strong protection for sophisticated attackers who wish to use the certificate for malicious purposes. To add further protection for Windows 8.1 and Windows Phone 8.1 devices, you can specify that the certificate must be protected by the Trusted Platform Module, which is a chip built into the device that provides hardware-backed protection of private keys and provides protection from “hammering” attacks, in which malicious users make repeated connection attempts as they try to guess the correct credentials. (Note: Windows 8.1 requires KB 2948462 to protect certificates from export using the TPM: http://support.microsoft.com/kb/2948462 ) The screenshot below shows where you can configure this in the SCEP Profile.
Setup and troubleshooting of NDES, CRP and Configuration Manager policy module
There are a few sources of documentation to help guide you through infrastructure set up.
- Configuring Certificate Profiles in Configuration Manager This TechNet article outlines the three main steps and includes references on how to set up NDES.
- SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune A great step-by-step guide by Pieter Wigleven, Technical Solution Professional for Windows Intune.
The following log files can be used to trace issues with device enrollment:
|
Content |
Location |
|
Certificate registration point IIS logs |
C:inetpublogsLogFilesW3SVC1 |
|
Configuration Manager certificate registration point logs |
C:SMS_CCMCRPLogsCRP.log |
|
Component health status |
SMS_CERTIFICATE_REGISTRATION_POINT |
|
NDES |
C:Users%username%mscep.log ( Requires debug logging to be enabled ) |
|
NDED Plug-in |
C:Program FilesMicrosoft Configuration ManagerLogsNDESPlugin.log |
Configuring Internet-facing NDES
The Active Directory Certificate Services (AD CS) team has published an article with recommendations for setting up NDES to be exposed to mobile devices over the Internet.
http://technet.microsoft.com/en-us/library/dn473016.aspx
--Chris Green
Configuration Manager Resources
Documentation Library for System Center 2012 Configuration Manager
Configuration Manager 2012 Forums
System Center 2012 Configuration Manager Survival Guide
System Center Configuration Manager Support
This posting is provided "AS IS" with no warranties and confers no rights.