Secure resource access with certificate profiles in Microsoft Intune

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

When you give users access to corporate resources through VPN, Wi-Fi, or email profiles, you can secure the access by using a certificate that is installed on each user device. Here's how it works:

  1. Make sure you have the right certificate infrastructure in place, as described in Configure certificate infrastructure for SCEP and Configure certificate infrastructure for PFX.

  2. Install a root certificate or an intermediate Certification Authority (CA) certificate on each device so that the device recognizes the legitimacy of your CA. To do this, create and deploy a Trusted Certificate Profile. When you deploy this profile, the devices that you manage with Intune will request and receive the root certificate. You have to create a separate profile for each platform. The Trusted Certificate Profile is available for these platforms:

    • iOS 8.0 and later
    • Mac OS X 10.9 and later
    • Android 4.0 and later
    • Android for Work
    • Windows 8.1 and later
    • Windows Phone 8.1 and later

  3. Create certificate profiles so that devices request a certificate to be used for authentication of VPN, Wi-Fi, and email access, as described in Configure Intune certificate profiles. You can create and deploy a PKCS #12 (.PFX) Certificate Profile or a SCEP Certificate Profile for devices running these platforms:

    • iOS 8.0 and later
    • Android 4.0 and later
    • Android for Work
    • Windows 10 (desktop and mobile) and later

    Use a SCEP Certificate Profile for devices running these platforms:

    • Mac OS X 10.9 and later
    • Windows Phone 8.1

You must create a separate profile for each platform. When you create the profile, associate it with the Trusted Root Certificate Profile that you've already created.
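The chain check behind steps 2 and 3, as an added example that is not part of the original page and does not use Intune: it builds a throwaway lab CA with OpenSSL and shows that a certificate is accepted for client authentication only when its issuing root is in the trust store and it carries the clientAuth extended key usage. All subjects, file names and function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: constructed lab PKI; every name and subject below is made up.
# A certificate is accepted for client authentication only when it chains to a
# root in the verifier's trust store and carries the clientAuth EKU.

make_lab_pki() {   # $1 = empty working directory
  local d="$1"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root CA: stands in for the certificate a Trusted Certificate Profile delivers.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Unrelated root: stands in for a trust store that never received that profile.
  openssl req -x509 -config "$d/ca.cnf" -subj "/CN=Unrelated Lab Root" -newkey rsa:2048 \
    -nodes -days 30 -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null || return 1
  issue_cert "$d" client clientAuth && issue_cert "$d" server serverAuth
}

issue_cert() {     # $1 = dir, $2 = name, $3 = extendedKeyUsage value
  local d="$1" n="$2"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=%s\n' \
    "$3" > "$d/$n.ext"
  openssl req -new -config "$d/ca.cnf" -subj "/CN=$n.example.test" -newkey rsa:2048 \
    -nodes -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/$n.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 7 -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
}

accepts_client_cert() {   # $1 = trusted root bundle, $2 = certificate to check
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && make_lab_pki "$d" || exit 1
  accepts_client_cert "$d/root.pem"  "$d/client.pem" && echo "issued by deployed root: accepted"
  accepts_client_cert "$d/other.pem" "$d/client.pem" || echo "root not in trust store: rejected"
  accepts_client_cert "$d/root.pem"  "$d/server.pem" || echo "no clientAuth EKU: rejected"
  rm -rf "$d"
fi
```

Run the script with the argument `demo` to print the three outcomes.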

Note

  • If you don't have an Enterprise Certification Authority, you must create one.
  • If you decide, based on your device platforms, to use the Simplified Certificate Enrollment Protocol (SCEP) profile, you'll also need to configure a Network Device Enrollment Service (NDES) server.
  • Whether you plan to use SCEP or .PFX profiles, you must download and configure the Microsoft Intune Certificate Connector.
  • Learn how to configure all of the required services in Configure certificate infrastructure for SCEP or Configure certificate infrastructure for PFX.

Next steps