Hello everyone, today we have an article from Intune Support Engineer Saurabh Sarkar. In this article, Saurabh explains why you can’t deploy a PKCS profile to a DEP device without user affinity and why in that scenario SCEP may be the better choice. If you have any questions or feedback please leave us a comment below.
=====
Recently I’ve had a few customers ask me how to deploy a PKCS certificate to their iOS devices that were enrolled as DEP devices without user affinity so they could seamlessly authentication to their Wi-Fi network. This isn’t something that is currently supported but I wanted to take a minute to explain why just in case anyone else was trying to do the same.
The Infrastructure
In this example, we’re assuming the following environment:
- The Intune connector was installed and showing as active on the Intune console.
- The PKCS template was correctly configured on the CA with all necessary permissions.
- The PKCS profile was deployed from Intune to a device group that had the correct information pertaining to Template name, Cert expiry, CA FQDN and CA Friendly Name.
The Testing
I tested the following scenarios just to confirm which ones worked and which ones did not:
- I enrolled a standard iOS device (not DEP) and targeted it using a user group for the PKCS deployment. The certificate was deployed successfully.
- I enrolled a standard iOS device (not DEP) and targeted it using a device group for the PKCS deployment. The certificate was deployed successfully.
- I enrolled a DEP device with user affinity and targeted a user group and a device group (respectively) for the PKCS deployment. The certificate was deployed successfully.
- I enrolled a DEP device without user affinity and targeted a device group for the PKCS deployment. The certificate was NOT obtained by the device and the profile showed an error.
The Explanation
The reason for this is because certificates issued by PKCS are tagged to a user, and when there’s no user affinity, thus no specific user, the certificate cannot be assigned. This contrasts with SCEP where certificates can be tagged to a user or a device, thus can be deployed where there is no user affinity on a device. It is for this reason that if a user enrolls multiple devices and is targeted via a PKCS profile, the same certificate can be distributed to multiple devices, however if the user enrolls multiple devices and is targeted via a SCEP profile, the user gets a different SCEP certificate for each device. It’s also important to note that this allows certificate revocation for just a specific device with SCEP. Certificate revocation for just a specific device (out of multiple devices enrolled by the same user) is not possible in the case of PKCS.
The Summary
The takeaway from this is that a PKCS certificate is tagged to a user and thus has a dependency on a user account, unlike a SCEP certificate. Therefore, you cannot deploy a PKCS profile to a DEP device without user affinity as it does not have a user associated with it. The only viable option in this scenario would be to deploy a SCEP certificate to it instead. Also note that a PKCS profile can be targeted to a user or a device group just so long as the device is not userless.
For more information on working with PKCS, see this documentation: https://docs.microsoft.com/intune/certficates-pfx-configure and for SCEP see docs here: https://docs.microsoft.com/intune/certificates-scep-configure
Saurabh Sarkar
Intune Support Engineer
