First published on CloudBlogs on Apr 06, 2015
We have just published a new
that describes best practices for securing and hardening the Network Device Enrollment Service (NDES) server role for use with
System Center Configuration Manager
Deploying certificates via the Simple Certificate Enrollment Protocol (SCEP) ensures that unique private keys are kept on mobile devices and are not accessible by other systems, services, or personnel. These keys can be further protected by using Trusted Platform Modules (TPMs) on Windows or Windows Phone, and by detecting and blocking jailbroken iOS devices or rooted Android devices to ensure the keys are not being exported.
Microsoft’s policy module technology ensures that the SCEP protocol can be used securely for distributing certificates to Internet-facing mobile devices. This whitepaper details how the policy module secures certificate deployment through NDES as well as best practices for how to secure NDES behind a reverse proxy such as Windows Server 2012 R2 Web Application Proxy or Azure Active Directory Application Proxy.
Download the whitepaper
You can also find additional resources here: