Configure Intune certificate profiles

Applies to: Intune in the classic portal

After you've configured your infrastructure and certificates as described in Configure certificate infrastructure for SCEP or Configure certificate infrastructure for PFX, you can create certificate profiles. Here's the process:

  • Task 1: Export the Trusted Root CA certificate
  • Task 2: Create Trusted certificate profiles
  • Task 3: Create one of two certificate profile types:
    • SCEP certificate profiles
    • .PFX certificate profiles

Task 1: Export the Trusted Root CA certificate

Export the Trusted Root Certification Authorities (CA) certificate as a .cer file from the issuing CA, or from any device that trusts your issuing CA. Do not export the private key.

You'll import this certificate when you set up a Trusted certificate profile.
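Before you upload the exported file to a Trusted certificate profile, it is worth confirming that it really is a single certificate and not a .pfx or a key file. The check below is an added example (not part of the original page or of Intune): it inspects only the outer structure of the file, so it needs no crypto library; the byte strings in the comments are constructed stubs that mimic that outer structure, not real certificates.

```python
import re

# PEM (Base64) exports carry their type in the header line
_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def _der_header(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, length, content offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length: next n bytes hold it
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, length, pos


def classify_cert_export(data):
    """Classify an exported file by its outer structure.

    Returns 'certificate', 'chain', 'private-key', 'pkcs7' or 'unknown'.
    """
    labels = _PEM_BLOCK.findall(data)
    if labels:                              # Base64/PEM-encoded export
        if any(b"PRIVATE KEY" in lbl for lbl in labels):
            return "private-key"            # key material must never be uploaded
        if all(lbl == b"CERTIFICATE" for lbl in labels):
            return "certificate" if len(labels) == 1 else "chain"
        return "unknown"
    if len(data) < 4 or data[0] != 0x30:    # every DER structure below is an outer SEQUENCE
        return "unknown"
    _, _, body = _der_header(data, 0)
    inner = data[body]
    if inner == 0x30:   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "certificate"
    if inner == 0x02:   # PFX / PKCS #8 / PKCS #1 all start with SEQUENCE { version INTEGER, ... }
        return "private-key"
    if inner == 0x06:   # PKCS #7 ContentInfo ::= SEQUENCE { contentType OID, ... }
        return "pkcs7"
    return "unknown"


def is_safe_trusted_root_export(data):
    """True only for a single certificate: what a Trusted certificate profile expects."""
    return classify_cert_export(data) == "certificate"
```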

Task 2: Create Trusted certificate profiles

You must create a Trusted certificate profile before you can create a Simple Certificate Enrollment Protocol (SCEP) or a PKCS #12 (.PFX) certificate profile. You need a Trusted certificate profile and an SCEP or .PFX profile for each mobile device platform.

To create a Trusted certificate profile

  1. In the Intune administration console, choose Policy > Add Policy, and choose a device platform. You can create a trusted certificate profile for these devices:
     • Android 4 and later
     • Android for Work
     • iOS 7.1 and later
     • Mac OS X 10.9 and later
     • Windows 8.1 and later
     • Windows Phone 8.1 and later

  2. Add a Trusted Certificate Profile policy.

     Learn more: Manage settings and features on your devices with Microsoft Intune policies.

  3. Enter the requested information to configure the Trusted certificate profile settings for Android, iOS, Mac OS X, Windows 8.1, or Windows Phone 8.1.

  4. In the Certificate file setting, import the Trusted Root CA certificate (.cer file) that you exported from your issuing CA. The Destination store setting applies only to devices running Windows 8.1 and later, and only if the device has more than one certificate store.

  5. Choose Save Policy.

The new policy is shown in the Policy workspace. Now you can deploy it.

Note

Android and Android for Work devices will display a notice that a third party has installed a trusted certificate.

Task 3: Create SCEP or .PFX certificate profiles

After you create a Trusted CA certificate profile, create SCEP or .PFX certificate profiles for each platform you want to use. When you create an SCEP certificate profile, you must specify a Trusted certificate profile for that same platform. This links the two certificate profiles, but you still must deploy each profile separately.

To create an SCEP certificate profile

  1. In the Intune administration console, choose Policy > Add Policy, and choose a device platform. You can create an SCEP certificate profile for these devices:
     • Android 4 and later
     • Android for Work
     • iOS 7.1 and later
     • Mac OS X 10.9 and later
     • Windows 8.1 and later
     • Windows Phone 8.1 and later

  2. Add an SCEP Certificate Profile policy.

     Learn more: Manage settings and features on your devices with Microsoft Intune policies.

  3. Follow the instructions on the profile configuration page to configure the SCEP certificate profile settings.

     Note

     Under Subject name format, select Custom to enter a custom subject name format (in iOS profiles only).

     The two variables currently supported for the custom format are Common Name (CN) and Email (E). By combining these variables with static strings, you can create a custom subject name format, like this one:

     CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US

     In this example, the admin created a subject name format that, in addition to the CN and E variables, uses static strings for the Organizational Unit, Organization, Location, State, and Country values. The CertStrToName function documentation lists the supported strings.

  4. Choose Save Policy.

The new policy is shown in the Policy workspace. Now you can deploy it.
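The custom subject name format above is rendered per user at request time, so a malformed format or an attribute value containing a separator only surfaces as a failed certificate request on the device. The helper below is an added example (not Intune's own code): it validates a format against the two variables the page names and the RDN keys CertStrToName accepts, and substitutes constructed user attributes, quoting values that contain separators the way CertStrToName expects.

```python
import re

# Variables the classic-portal SCEP profile substitutes (the two the page names)
SUPPORTED_VARIABLES = {"UserName", "EmailAddress"}
# X.500 short names accepted by CertStrToName; CN and E are the ones used with variables
SUPPORTED_RDN_KEYS = {"CN", "E", "OU", "O", "L", "ST", "C", "DC", "STREET", "T", "G", "I", "SN"}

_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
# Split on commas that are not inside a double-quoted value
_RDN_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def validate_subject_format(fmt):
    """Return a list of problems with the format; an empty list means it is acceptable."""
    problems = []
    for name in _PLACEHOLDER.findall(fmt):
        if name not in SUPPORTED_VARIABLES:
            problems.append(f"unsupported variable {{{{{name}}}}}")
    for rdn in _RDN_SPLIT.split(fmt):
        key, sep, _ = rdn.partition("=")
        if not sep:
            problems.append(f"malformed RDN {rdn!r}")
        elif key.strip().upper() not in SUPPORTED_RDN_KEYS:
            problems.append(f"unsupported RDN key {key.strip()!r}")
    return problems


def _quote(value):
    """Quote a value that contains separators, doubling embedded quotes (CertStrToName rules)."""
    if any(ch in value for ch in ',="+;<>\r\n') or value != value.strip():
        return '"' + value.replace('"', '""') + '"'
    return value


def render_subject(fmt, username, email):
    """Substitute a user's attributes into the format; raise ValueError on a bad format."""
    problems = validate_subject_format(fmt)
    if problems:
        raise ValueError("; ".join(problems))
    values = {"UserName": _quote(username), "EmailAddress": _quote(email)}
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], fmt)
```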

To create a .PFX certificate profile

  1. In the Intune administration console, choose Policy > Add Policy, and choose a device platform. .PFX certificates are supported for:

    • Android 4 and later
    • Android for Work
    • Windows 10 and later
    • Windows Phone 10 and later
    • iOS 8.0 and later
  2. Add a .PFX Certificate Profile policy. Learn more: Manage settings and features on your devices with Microsoft Intune policies.

  3. Enter the information requested on the policy form.
  4. Choose Save Policy.

The new policy is shown in the Policy workspace. Now you can deploy it.

Deploy certificate profiles

When you deploy certificate profiles, the certificate file from the Trusted CA certificate profile is installed on the device, and the device uses the SCEP or .PFX certificate profile to create its certificate request.

Certificate profiles install only on devices running the platform you use when you create the profile.

  • You can deploy certificate profiles to user collections or to device collections.

    Tip

    To publish a certificate to a device quickly after the device enrolls, deploy the certificate profile to a user group rather than to a device group. If you deploy to a device group, a full device registration is required before the device receives policies.

  • Although you deploy each profile separately, you must deploy both the Trusted Root CA profile and the SCEP or .PFX profile. Otherwise, the SCEP or .PFX certificate policy will fail.

Deploy certificate profiles the same way you deploy other policies for Intune:

  1. In the Policy workspace, select the policy you want to deploy, and then choose Manage Deployment.
  2. In the Manage Deployment dialog box:
    • To deploy the policy, select one or more groups to deploy the policy to, and then choose Add > OK.
    • To close the dialog box without deploying the policy, choose Cancel.

When you select a deployed policy, you can see more information about the deployment in the lower part of the list of policies.

Next steps

Next, learn how to use certificates to help secure email, Wi-Fi, and VPN profiles.