This article explains how to distribute device certificates used for device checks to macOS and iOS devices using the Microsoft Intune
Note
Note: This article is based on Intune versions up to February 2024. For troubleshooting, please contact Microsoft support.
You can distribute your corporate self-signed certificates to macOS and iOS devices in your network using Microsoft Intune as your MDM. This streamlines the distribution of device certificates across devices. By managing certificate distribution through an MDM, you can centrally control certificate deployment, ensuring robust security measures are consistently enforced.
To distribute certificates to macOS and iOS devices using Microsoft Intune, first create a profile with the certificate in Apple Configurator and then distribute the profile with Microsoft Intune.
-
The device certificate is distributed before the Client is installed on a device
-
You must have administrator permissions for the macOS device
Note: users with root permissions on the device can export the certificate and the private key, we highly recommend that IT admins will restrict it
-
The certificate file must be in a PFX (p12) format
-
You must know the password protecting the key (required to install the certificate)
-
The certificate ‘issuer’ must match the signing certificate that is uploaded in the Cato Management Application
-
Certificates have a maximum allowed size of 2048 bytes. Certificates larger than this size will be ignored
Follow these steps to distribute device certificates to macOS and iOS devices:
-
Step 1: Create an Apple Configurator profile
-
Step 2: Enable the certificate payload
-
Step 3: Enable the VPN payload (this is only required on iOS devices and macOS Client v5.3 and below)
-
Step 4: Distribute the profile with Microsoft Intune
If you do not have Apple Configurator, it can be downloaded from the App Store.
Upload the required certificate to the new profile.
This step is only required for distributing certificates to iOS devices or macOS devices with Client version v5.3 and below.
To enable the VPN Payload:
-
In Apple Configurator, from the navigation menu, click VPN.
-
Click Configure.
-
Configure the following settings:
-
Connection Name: Choose a name for the connection
-
Connection Type: Custom SSL
-
Identifier:
-
For macOS: com.catonetworks.mac.CatoClient
-
For iOS: CatoNetworks.CatoVPN
-
-
Server: vpn.catonetworks.net
-
Account: Add your account name. For example: CatoNetworksAccount
-
ProviderBundle Identifier:
Note: Use the identifier exactly as written below (including the misspelling of extension on the iOS identifier):
-
For macOS: com.catonetworks.mac.CatoClient.CatoClientSysExtension
-
For iOS: CatoNetworks.CatoVPN.CatoVPNNEExtenstion
-
-
Provider Designated Requirement: empty
-
User Authentication: Certificate
-
Identity Certificate: Select the certificate you uploaded in step 1
-
Provider Type: Packet Tunnel
-
Proxy Setup: None
-
-
Click File > Save.
Use Microsoft Intune to distribute the profile you created in Apple Configurator.
To distribute the profile:
-
In Microsoft Intune, from the navigation menu, navigate to Devices > iOS/iPadOS or macOS > Configuration profiles.
-
Click Create > New Policy.
-
From the Profile type drop down, select Templates.
-
Select the Custom template and click Create.
A custom template is created.
-
On the Basics tab, choose a name for the profile and click Next.
-
On the Configuration settings tab, choose a Custom configuration profile name.
-
Upload the profile you created in Apple Configurator and click Next.
-
Configure the Scope tags and Assignments of the configuration profile.
-
Review and Create the configuration profile.
0 comments
Article is closed for comments.