Add partner certification authority in Intune using SCEP

Use third-party certification authorities (CA) with Intune. Third-party CAs can provision mobile devices with new or renewed certificates by using the Simple Certificate Enrollment Protocol (SCEP), and can support Windows, iOS/iPadOS, Android, and macOS devices.

There are two parts to using this feature: the open-source API, and the Intune administrator tasks.

Part 1 - Use an open-source API
Microsoft created an API to integrate with Intune. Through the API you can validate certificates, send success or failure notifications, and use SSL, specifically an SSL socket factory, to communicate with Intune.

The API is available on the Intune SCEP API public GitHub repository for you to download and use in your solutions. Use this API with third-party SCEP servers to run custom challenge validation against Intune before SCEP provisions a certificate to a device.

Integrate with Intune SCEP management solution provides more details on using the API, its methods, and testing the solution you build.

Part 2 - Create the application and profile
Using an Azure Active Directory (Azure AD) application, you can delegate rights to Intune to handle SCEP requests coming from devices. The Azure AD application includes the application ID and authentication key values that are used within the API solution the developer creates. Administrators then create and deploy SCEP certificate profiles using Intune, and can view reports on the deployment status on the devices.

This article provides an overview of this feature from an administrator's perspective, including creating the Azure AD application.

Overview

The following steps provide an overview of using SCEP for certificates in Intune:

  1. In Intune, an administrator creates a SCEP certificate profile, and then targets the profile to users or devices.
  2. The device checks in to Intune.
  3. Intune creates a unique SCEP challenge. It also adds additional integrity-check information, such as what the expected subject and SAN should be.
  4. Intune encrypts and signs both the challenge and the integrity-check information, and then sends this information to the device with the SCEP request.
  5. The device generates a certificate signing request (CSR) and a public/private key pair on the device, based on the SCEP certificate profile that's pushed from Intune.
  6. The CSR and the encrypted/signed challenge are sent to the third-party SCEP server endpoint.
  7. The SCEP server sends the CSR and the challenge to Intune. Intune then validates the signature, decrypts the payload, and compares the CSR to the integrity-check information.
  8. Intune sends a response back to the SCEP server stating whether the challenge validation succeeded.
  9. If the challenge is successfully verified, the SCEP server issues the certificate to the device.

The following diagram shows a detailed flow of third-party SCEP integration with Intune:

[Diagram: How third-party certification authority SCEP integrates with Microsoft Intune]
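The integrity check in steps 3, 4 and 7 above is the security-relevant part of the flow: the SCEP server must not issue a certificate merely because a challenge arrived, but only after the authority that minted the challenge confirms it is genuine, unexpired, unused, and that the CSR asks for exactly the subject and SANs that were approved. The following added example models that check in Python. It is not Intune's code nor the Intune SCEP API from the GitHub repository; the real service signs and encrypts the challenge with its own keys and wire format, whereas here an HMAC over a JSON payload stands in for "sign and encrypt" so the logic can run offline, and the CSR fields, key and names are all constructed.

```python
"""Constructed model of SCEP challenge creation and validation.

Stand-in for the Intune-side behaviour described in the overview; not the
real implementation. HMAC-SHA256 replaces the service's signing/encryption,
and a CSR is represented by its subject string and SAN list rather than a
parsed PKCS#10 request.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholder for the key the challenge issuer would hold.
SERVICE_KEY = b"constructed-demo-key-not-a-real-secret"

# Challenges are described as unique, so they are treated as single-use here.
_used_nonces: set[str] = set()


def create_challenge(expected_subject, expected_sans, ttl_seconds=600, now=None):
    """Steps 3/4: build the challenge plus integrity info, then sign it.

    Returns an opaque token of the form base64(payload).base64(tag).
    """
    now = time.time() if now is None else now
    payload = {
        "nonce": secrets.token_hex(16),
        "subject": expected_subject,
        "sans": sorted(expected_sans),
        "exp": now + ttl_seconds,
    }
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def validate_challenge(token, csr_subject, csr_sans, now=None):
    """Step 7: verify the signature, reject expired or replayed challenges,
    and compare the CSR against the approved subject and SANs.

    Returns (ok, reason). Every failure path is explicit so the SCEP server
    can log why issuance was refused.
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or invalid base64
        return False, "malformed"
    expected_tag = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    # Constant-time comparison; a mismatch means the challenge was not minted
    # by the holder of SERVICE_KEY or was altered in transit.
    if not hmac.compare_digest(tag, expected_tag):
        return False, "bad signature"
    payload = json.loads(body)
    if now > payload["exp"]:
        return False, "expired"
    if payload["nonce"] in _used_nonces:
        return False, "replayed"
    # The CSR must request exactly what was approved: no extra SANs, no
    # different subject, even though the signature itself is valid.
    if csr_subject != payload["subject"]:
        return False, "subject mismatch"
    if sorted(csr_sans) != payload["sans"]:
        return False, "san mismatch"
    _used_nonces.add(payload["nonce"])
    return True, "ok"


if __name__ == "__main__":
    # Constructed device identity for the demonstration.
    subject = "CN=device01,O=Contoso"
    sans = ["device01.contoso.example"]
    token = create_challenge(subject, sans)
    print(validate_challenge(token, subject, sans))              # (True, 'ok')
    print(validate_challenge(token, subject, sans))              # replayed
    print(validate_challenge(create_challenge(subject, sans),
                             subject, sans + ["other.example"]))  # san mismatch
```

The order of checks matters: signature first, so that untrusted input is never parsed or compared before its origin is established; then freshness and single use; and only then the CSR comparison, which is what stops a device from obtaining a certificate for a name it was not approved for.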

Set up third-party CA integration

Validate third-party certification authority

Before integrating third-party certification authorities with Intune, confirm that the CA you're using supports Intune. Third-party CA partners (in this article) includes a list. You can also check your certification authority's guidance for more information. The CA may include setup instructions specific to their implementation.

Authorize communication between CA and Intune

To allow a third-party SCEP server to run custom challenge validation with Intune, create an app in Azure AD. This app gives delegated rights to Intune to validate SCEP requests.

Be sure you have the required permissions to register an Azure AD app. See Required permissions, in the Azure AD documentation.

Create an application in Azure Active Directory

  1. In the Azure portal, go to Azure Active Directory > App Registrations, and then select New registration.

  2. On the Register an application page, specify the following details:

    • In the Name section, enter a meaningful application name.
    • For the Supported account types section, select Accounts in any organizational directory.
    • For Redirect URI, leave the default of Web, and then specify the sign-on URL for the third-party SCEP server.
  3. Select Register to create the application and to open the Overview page for the new app.

  4. On the app Overview page, copy the Application (client) ID value and record it for later use. You'll need this value later.

  5. In the navigation pane for the app, go to Certificates & secrets under Manage. Select the New client secret button. Enter a value in Description, select any option for Expires, and then choose Add to generate a value for the client secret.

    Important

    Before you leave this page, copy the value for the client secret and record it for later use with your third-party CA implementation. This value is not shown again. Be sure to review the guidance for your third-party CA on how they want the Application ID, Authentication Key, and Tenant ID configured.

  6. Record your Tenant ID. The Tenant ID is the domain text after the @ sign in your account. For example, if your account is *admin@name.onmicrosoft.com*, then your tenant ID is name.onmicrosoft.com.

  7. In the navigation pane for the app, go to API permissions under Manage, and then select Add a permission.

  8. On the Request API permissions page, select Intune, and then select Application permissions. Select the checkbox for scep_challenge_provider (SCEP challenge validation).

    Select Add permissions to save this configuration.

  9. Remain on the API permissions page, select Grant admin consent for Microsoft, and then select Yes.

    The app registration process in Azure AD is complete.

Configure and deploy a SCEP certificate profile

As the administrator, create a SCEP certificate profile to target to users or devices. Then, assign the profile.

Removing certificates

When you unenroll or wipe the device, the certificates are removed. The certificates aren't revoked.

Third-party certification authority partners

The following third-party certification authorities support Intune:

If you're a third-party CA interested in integrating your product with Intune, review the API guidance:

See also