Enterprise Wifi Profiles Deployment for Non-User Based (Kiosk) macOS devices via Intune and NDES.

Brass Contributor



I'm trying to leverage SCEP (or other potential options) to deploy an Enterprise Wifi profile to macOS devices (non-user based Kiosk devices). Could we still make use of SCEP and would the CA be able to issue device certificates for this purpose ?


Tried the following specifications with no luck so far.


-Root Certificate Deployed

-Intune has pushed both SCEP and Wifi Profiles successfully to the devices

-Devices are Intune Managed (non-user based)


My thinking is that we can't use generic SAN attributes such as email address, UPN here due to the fact that the device has no user account associated? Would URI work ? or the DNS ?

Any guidance on what attributes to use in the SCEP certificate/profile and the CA certificate SANs/CNs would be highly appreciated!



4 Replies

Hi @Curious_Kevin16,

to deploy enterprise Wi-Fi profiles to non-user based (kiosk) macOS devices using Intune and NDES, you can use the following steps:

  1. Create a SCEP certificate profile in Intune.

    • Go to Devices > Configuration profiles > Create profile.
    • Select Platform > macOS.
    • Select Profile type > Certificates.
    • Select SCEP certificate profile.
    • Enter a Name and Description for the profile.
    • Under Subject name format, select {{AAD_Device_ID}} or {{AzureADDeviceId}}.
    • Under Subject alternative name (SAN), select URI and enter IntuneDeviceId://{{DeviceId}}.
    • Under Trusted root certificate profile, select the trusted root certificate profile that you have deployed to your devices.
    • Click Next and Create.
  2. Configure the NDES server.

  3. Deploy the SCEP certificate profile and Wi-Fi profile to your devices.

    • Go to Devices > Configuration profiles > All profiles.
    • Select the SCEP certificate profile and the Wi-Fi profile that you want to deploy.
    • Click Assign and select the devices or groups that you want to deploy the profiles to.
    • Click Assign.
  4. Restart the devices.

Once the devices have restarted, they will obtain a device certificate from the NDES server and use it to authenticate to the enterprise Wi-Fi network.

Here are some additional links for reference:

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it Like.

Kindest regards,

Leon Pavesic

Hi @LeonPavesic

Very keen on this one as I'm facing a similar situation.

I'd assume, {{AAD_Device_ID}} or {{AzureADDeviceId}} won't be recognized if the macs are AAD Joined (not Hybrid joined hence the device object is missing in local AD which apparently won't work in a NPS environment)

Also, do you happen to know how would this work with non-user based (no user affinity) macOS devices in a NPS enabled environment ?

Any thoughts anyone ?

I have the same problem and i had to create one AD object for all devices

Great to hear!. 


Would be fantastic to hear a bit more details such as what your scenario was and how you configured the SCEP, Wifi Profile Attributes to solve this. 


Thank you!