Support Tip: AE Work Profile Device + Wi-Fi Profile “Error” when Using Device-Based Certs
Published May 30 2019 05:38 PM

By Jack Poehlman | Service Engineer on the Enterprise Mobility and Customer Experience Team

We’ve heard from a few customers recently about this experience setting up Wi-Fi profiles. The cases were very similar: the customer was attempting to set up certificate-based Wi-Fi profiles on Android Enterprise work profile devices and reported that the Wi-Fi profile constantly reports “Error”. Looking into these reports, we found that the customer was deploying a device-based certificate instead of a user-based certificate. Furthermore, the device-based certificate was configured with only a subject name, such as CN={{AAD_Device_ID}}, and no “Subject alternative name” was defined.

Reviewing this scenario, we discovered the cause of the Wi-Fi profile error in the processing: currently, a UPN attribute is a requirement for Wi-Fi profile certificate selection. While we look into this further and investigate a full resolution, we have tested and confirmed with these customers that there’s a reasonably simple workaround. If you run into this error, where the Wi-Fi profile on an Android Enterprise work profile device errors out constantly, simply add a SAN with a UPN attribute to your device-based certificate SCEP profile like this:

[Screenshot: AEWorkProfileDevices.png]

We will update this blog post as we investigate this issue further and hope this helps with some advanced troubleshooting.
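
As an added example (not part of the original post or Intune's own tooling), the following PowerShell function inspects a certificate exported from a device or from the issuing CA and reports whether its Subject Alternative Name carries the UPN attribute that Wi-Fi profile certificate selection requires. It assumes a Windows host (X509Extension.Format relies on the Windows crypto formatter) and a placeholder certificate path; the function name is made up for this example.

```powershell
# Added example: verify that a SCEP-issued device certificate has a SAN UPN.
# Assumptions: runs on Windows PowerShell 5.1 or PowerShell 7 on Windows, and the
# certificate has been exported to a .cer file (the path below is a placeholder).

function Test-DeviceCertSanUpn {
    [CmdletBinding()]
    param(
        # Path to the exported certificate, e.g. C:\temp\device.cer (placeholder)
        [Parameter(Mandatory)]
        [string]$Path
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # 2.5.29.17 is the OID of the Subject Alternative Name extension
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    $result = [PSCustomObject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        HasSan     = [bool]$san
        SanUpn     = $null
        Verdict    = $null
    }

    if ($san) {
        # On Windows, Format($true) renders the SAN one entry per line, e.g.
        #   Other Name:
        #        Principal Name=<upn>      (UPN OtherName, OID 1.3.6.1.4.1.311.20.2.3)
        #   DNS Name=<host>
        #   RFC822 Name=<mail>
        $text = $san.Format($true)
        if ($text -match 'Principal Name=(?<upn>[^\r\n]+)') {
            $result.SanUpn = $Matches['upn'].Trim()
        }
    }

    if ($result.SanUpn) {
        $result.Verdict = 'OK: SAN contains a UPN, so the Wi-Fi profile can select this certificate.'
    } elseif ($result.HasSan) {
        $result.Verdict = 'SAN present but without a UPN attribute; add a UPN SAN to the SCEP profile.'
    } else {
        $result.Verdict = 'Subject-only certificate with no SAN; add a UPN SAN to the SCEP profile.'
    }
    return $result
}

# Usage (placeholder path):
# Test-DeviceCertSanUpn -Path 'C:\temp\device.cer' | Format-List
```

A subject-only certificate such as CN={{AAD_Device_ID}} produces the third verdict, which is exactly the configuration the post describes; after the SCEP profile gains a UPN SAN, a freshly issued certificate should produce the first.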

3 Comments
Iron Contributor

Will this work with a normal SCEP User Cert setup? Because it doesn't seem to work for me by just changing the settings in the profile that you mention. There is no documentation about Device Certificates in Intune that I have ever found (if anyone knows otherwise I would love the link). All of the other devices that we manage use User certs so my NDES and SCEP connector are obviously set up for that User certificate. If I need to deploy Device Certs to AE devices, I assume I would need to stand up a new NDES and SCEP connector and issue a new Device cert to these devices, is that correct?

Thanks in advance! 

Microsoft

If you are asking if Wi-Fi Profiles can be assigned and work with Android Enterprise Work Profile enrolled devices using Certificate based Auth or a User based certificate profile (that was a mouthful)?  Yes, this should work without issue.

Do note that currently, as per our Android Enterprise Fully Managed Preview blog, Certificate and Wi-Fi Profiles are not yet available for Fully Managed devices... only BYOD Work profile enrolled devices.

As per our Docs, Create a SCEP certificate profile, Step 6 details:

..."Certificate type: Choose User for user certificates. A User certificate type can contain both user and device attributes in the subject and SAN of the certificate. Choose Device for scenarios such as user-less devices, like kiosks, or for Windows devices, placing the certificate in the Local Computer certificate store. Device certificates can only contain device attributes in the subject and SAN of the certificate. Device certificates are available for the following platforms"....

The NDES Connector and related server configuration is the same for User and Device based certificate deployments.  The difference is in the settings of the SCEP Policy defined in the Intune Admin Console.  When selecting Device based certificates, the device's attributes are used to build the Subject and SAN for the certificate request vs the User's attributes.  Device Based CAN be used for devices that do not have User Affinity as well.

Hope this helps clear up the confusion.  If you are facing an issue with Profiles not deploying as expected, please open a support case via the Intune Admin console's Help and Support.  Our support folks would be happy to assist in determining what's wrong with your configuration.

Copper Contributor

Hi, not sure if anyone has experience with this one.

I've been trying to get iOS devices to do device authentication against NPS to a Wi-Fi network, very similar to this post but iOS. Certificates come down, SCEP profile comes down, Wi-Fi profile comes down to the device, however client fields and NPS logs state

The specified user account does not exist

Have tried:

UPN set to {{DeviceName}}@domainname.com

DNS set to {{DeviceName}}@domainname.com

UPN set to {{Device_Serial}}@domainname.com

DNS set to {{Device_Serial}}@domainname.com

Confirmed on the iOS device that these fields are passing correctly to the device. On-prem AD object created with the device name. I feel like I'm missing a setting, or Intune is passing that it's a user account, not a device. I've tried {{Device_Serial}}@domain.com and that gets the same error. Creating a user account with that serial number works, however I want to be using AD computer objects instead.

In our previous MDM platform I'd state "DeviceName$" which is currently working on the old MDM platform. You can't put dollar signs in the UPN to encourage it to identify as a computer.

Resolved:

This has been resolved by setting the attribute on the computer object of "UserPrincipalName".

Using PowerShell:

New-AdComputer "Computername" -UserPrincipalName "Computername@domain.com"
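
The comment above fixed the NPS "specified user account does not exist" error by giving a new computer object a userPrincipalName. As an added example (not the commenter's code and not Microsoft's), the following function extends that to existing computer objects: it audits an OU for computers with no UPN and, outside of -WhatIf, sets each one to <computer name>@<suffix> so that it matches the {{DeviceName}}@domainname.com pattern placed in the certificate SAN. It assumes the ActiveDirectory module, and the OU distinguished name, UPN suffix and function name are placeholders.

```powershell
# Added example: audit and populate userPrincipalName on AD computer objects so that
# device certificates with a <name>@<suffix> SAN UPN resolve to a computer account.
# Assumptions: ActiveDirectory module installed; -SearchBase and -UpnSuffix are
# placeholders for your own OU and UPN suffix.

function Set-ComputerUpnFromName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$SearchBase,   # e.g. 'OU=Mobile,DC=corp,DC=example'
        [Parameter(Mandatory)] [string]$UpnSuffix     # e.g. 'corp.example'
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $computers = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties UserPrincipalName

    foreach ($c in $computers) {
        $expected = "$($c.Name)@$UpnSuffix"

        if ($c.UserPrincipalName -eq $expected) {
            [PSCustomObject]@{ Name = $c.Name; UPN = $c.UserPrincipalName; Action = 'already set' }
            continue
        }

        # Only populate empty UPNs; an existing, different UPN is reported for manual review
        if ([string]::IsNullOrEmpty($c.UserPrincipalName)) {
            $action = 'skipped (WhatIf)'
            if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Set UserPrincipalName to $expected")) {
                Set-ADComputer -Identity $c -UserPrincipalName $expected
                $action = 'set'
            }
            [PSCustomObject]@{ Name = $c.Name; UPN = $expected; Action = $action }
        } else {
            [PSCustomObject]@{ Name = $c.Name; UPN = $c.UserPrincipalName; Action = 'mismatch, review' }
        }
    }
}

# Dry run first, then apply (placeholders):
# Set-ComputerUpnFromName -SearchBase 'OU=Mobile,DC=corp,DC=example' -UpnSuffix 'corp.example' -WhatIf
# Set-ComputerUpnFromName -SearchBase 'OU=Mobile,DC=corp,DC=example' -UpnSuffix 'corp.example'
```

The function never overwrites a UPN that is already present, because a mismatch usually means the SCEP profile's SAN pattern and the directory disagree and that is worth a look before NPS is expected to match them.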

Last update: Dec 19 2023 01:30 PM