Hello everyone, today we have an article from Intune Support Engineer Saurabh Sarkar. In this article, Saurabh explains why you can’t deploy a PKCS profile to a DEP device without user affinity and why in that scenario SCEP may be the better choice. If you have any questions or feedback please leave us a comment below.
Recently I’ve had a few customers ask me how to deploy a PKCS certificate to their iOS devices that were enrolled as DEP devices without user affinity so they could seamlessly authentication to their Wi-Fi network. This isn’t something that is currently supported but I wanted to take a minute to explain why just in case anyone else was trying to do the same.
In this example, we’re assuming the following environment:
I tested the following scenarios just to confirm which ones worked and which ones did not:
The reason for this is because certificates issued by PKCS are tagged to a user, and when there’s no user affinity, thus no specific user, the certificate cannot be assigned. This contrasts with SCEP where certificates can be tagged to a user or a device, thus can be deployed where there is no user affinity on a device. It is for this reason that if a user enrolls multiple devices and is targeted via a PKCS profile, the same certificate can be distributed to multiple devices, however if the user enrolls multiple devices and is targeted via a SCEP profile, the user gets a different SCEP certificate for each device. It’s also important to note that this allows certificate revocation for just a specific device with SCEP. Certificate revocation for just a specific device (out of multiple devices enrolled by the same user) is not possible in the case of PKCS.
The takeaway from this is that a PKCS certificate is tagged to a user and thus has a dependency on a user account, unlike a SCEP certificate. Therefore, you cannot deploy a PKCS profile to a DEP device without user affinity as it does not have a user associated with it. The only viable option in this scenario would be to deploy a SCEP certificate to it instead. Also note that a PKCS profile can be targeted to a user or a device group just so long as the device is not userless.
For more information on working with PKCS, see this documentation: https://docs.microsoft.com/intune/certficates-pfx-configure and for SCEP see docs here: https://docs.microsoft.com/intune/certificates-scep-configure
Intune Support Engineer
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.