Certificate management options

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Using digital certificate management and certificate profiles is supported by both Intune standalone and hybrid deployment scenarios. These features allow you to deploy trusted root certificates to mobile devices, as well as Simple Certificate Enrollment Protocol (SCEP) based profiles that instruct mobile devices to get additional certificates from an NDES server in your organization.

Since SCEP is natively supported by iOS, Windows 10 and 8.1, and Windows Phone 10 and 8.1, and is also supported through the Microsoft Intune Company Portal app for Android, using this enrollment protocol has the advantage of having the private key generated directly on the mobile device. The private key is never generated, cached, or stored by either ConfigMgr or Intune, which helps to keep the mobile device secure.

The figure below shows how Intune and ConfigMgr use NDES to provide secure certificate provisioning to mobile devices using SCEP:

Figure: Secure certificate provisioning

  1. A policy that includes the properties of the certificate for SCEP enrollment is created on the Intune service.
  2. Intune converts the policy to a platform mobile device management protocol (like OMA-DM for Windows 10 and Windows 8.1) and sends it to the device.
  3. The mobile device receives the policy and initiates an enrollment request to NDES.
  4. NDES forwards the request to ConfigMgr.
  5. ConfigMgr compares the request attributes of the SCEP request for an authentication match and sends confirmation back to NDES.
  6. NDES sends a certificate issuance request to the CA, and the CA sends the certificate to the NDES role.
  7. The NDES role sends the certificate to the device.
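The two security properties of this flow, that the key pair never leaves the device (steps 1-3) and that the management side validates the request attributes against the policy before confirming issuance (step 5), shown as an added Go model that is not part of the Intune documentation. The ScepPolicy type, its field names and the device hostname are constructed stand-ins for a real SCEP profile; the NDES transport and the CA issuance step are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// ScepPolicy stands in for the certificate properties of an Intune SCEP profile (constructed; not Intune's schema).
type ScepPolicy struct {
	SubjectCN  string
	MinKeyBits int
}

// DeviceEnroll models steps 1-3: the key pair is generated on the device and only the signed CSR leaves it.
func DeviceEnroll(p ScepPolicy) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, p.MinKeyBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: p.SubjectCN}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	return key, der, err
}

// VerifyRequest models step 5: request attributes are compared with the policy before issuance is confirmed.
func VerifyRequest(p ScepPolicy, csrDER []byte) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the private key
		return err
	}
	if csr.Subject.CommonName != p.SubjectCN {
		return fmt.Errorf("subject %q does not match policy %q", csr.Subject.CommonName, p.SubjectCN)
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < p.MinKeyBits {
		return fmt.Errorf("key does not meet the policy minimum of %d RSA bits", p.MinKeyBits)
	}
	return nil
}

func main() {
	policy := ScepPolicy{SubjectCN: "device01.contoso.example", MinKeyBits: 2048}
	_, csr, _ := DeviceEnroll(policy) // the device keeps the key; the CSR is all the management side sees
	fmt.Println("match:", VerifyRequest(policy, csr), "mismatch:", VerifyRequest(ScepPolicy{"other", 2048}, csr))
}
```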

Depending on how you answered the questions in Task 3, you should be able to determine how you want certificates managed in the mobile device management solution. Currently, MDM for Office 365 doesn't support managing certificate profiles for mobile devices.

The lists below will help you understand the advantages and disadvantages of certificate profile management for the Intune standalone and the hybrid Intune with ConfigMgr deployment scenarios:

Intune (standalone)

Advantages

  • Supports certificate profiles on all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
  • Platform supports the Simple Certificate Enrollment Protocol (SCEP)
  • Certificate profiles can automatically configure mobile devices so that company resources can be accessed without having to install certificates manually or use a non-approved security process
  • Certificates can be automatically revoked when the device is retired from management, selectively wiped, or blocked from the management hierarchy

Disadvantages

  • To use certificate profiles, some existing on-premises infrastructure must be in place. You must integrate the following on-premises infrastructure with Intune:
    • A server that runs the Network Device Enrollment Service
    • An Enterprise Certification Authority
    • The Intune NDES Connector, which installs on the server that runs NDES

MDM for Office 365

  • Certificate profiles are not supported in MDM for Office 365.

Hybrid (Intune with ConfigMgr)

Advantages

  • All the advantages of Intune standalone, plus the following:
    • Also supports managing certificates for non-mobile devices

Disadvantages

  • To use certificate profiles, some existing on-premises infrastructure must be in place.
  • You must integrate the following on-premises infrastructure with Intune:
    • A server that runs the Network Device Enrollment Service
    • An Enterprise Certification Authority
    • The Intune NDES Connector, which installs on the server that runs NDES

For more details about mobile device certificate management options, read how to enable certificate profiles in Intune and compare those requirements and procedures with enabling certificate profiles in System Center 2012 R2 Configuration Manager.