You can distribute your corporate CA and client certificates to Android devices in your network using Microsoft Intune as your MDM. This streamlines the distribution of device certificates across devices: by managing certificate distribution through an MDM, you centrally control which root of trust and which client certificate settings every enrolled device receives, instead of installing certificates by hand.
This article explains how to configure two policies in Intune for Android devices:
- A trusted certificate profile for the Root CA certificate
- A PKCS certificate profile for the client certificate deployment
To create the trusted certificate profile that delivers the Root CA certificate:
- In Microsoft Intune, go to Devices > Android > Configuration.
- Under Policies, click Create and select New Policy.
- In the Create a profile panel, configure these settings:
  - Platform: Android Enterprise
  - Profile type: Templates
  - Template name: Trusted certificate
- Click Create. The Trusted certificate page opens.
- In the Basics tab, enter a name and description for the profile, and then click Next.
- In Configuration settings, upload the Root CA certificate file (a .cer file, DER or base64 encoded) to the Certificate file field, and then click Next. This profile carries only the CA's public certificate; the client certificate and its private key come from the PKCS profile in the next section.
- In Assignments, add the required user groups or device groups in Included groups, and then click Next.
- In Review + create, review the summary and click Create.
The PKCS profile is the policy that defines the client certificate that Intune requests and deploys to the Android devices. Intune does not let you upload a private key directly in this workflow. Instead, the Microsoft Intune Certificate Connector, installed on a Windows server that can reach your Active Directory Certificate Services (AD CS) CA, requests the certificate from the CA on the user's behalf and returns it to Intune for delivery to the assigned managed devices. This profile depends on the trusted CA certificate profile from the previous section, because the issued certificate must chain to that root.
To create the PKCS certificate profile:
- In Microsoft Intune, go to Devices > Android > Configuration.
- Under Policies, click Create and select New Policy.
- In the Create a profile panel, configure these settings:
  - Platform: Android Enterprise
  - Profile type: Templates
  - Template name: PKCS certificate
- Click Create.
- In the Basics tab, enter a name and description for the profile, and then click Next.
- In Configuration settings, enter the certificate settings for your AD CS environment. Configure these PKCS settings:
  - Certification authority: Enter the FQDN of the CA server that the Intune Certificate Connector submits requests to.
  - Certification authority name: Enter the name of the CA itself, exactly as shown in the Certification Authority console or by running certutil on the CA server (the connector addresses the CA as FQDN\CA name, so a made-up friendly name causes requests to fail).
  - Certificate template name: Enter the name of the certificate template published on your AD CS CA for this deployment. Use the Template name from the template's General tab, not the Template display name. Templates are defined on the CA, not in Entra ID.
  - Certification authority type: Select Microsoft.
  - Certificate type: Select User.
  - Subject name format: for example, CN={{UserName}},E={{EmailAddress}}
    Note: This format must match the certificate template configuration; the template must allow the subject name to be supplied in the request for Intune to set it.
  - Extended key usage: Keep the default Client Authentication entry (OID 1.3.6.1.5.5.7.3.2). Enter custom values only if your template requires additional usages.
  - Root certificate: Select the trusted certificate profile that you created in the previous section.
- Configure any other certificate values required by your certificate authority (validity period, renewal threshold), and then click Next.
- In Apps, select Require user approval for all apps, and then click Next.
- In Assignments, add the required user groups or device groups in Included groups, and then click Next.
- In Review + create, review the summary and click Create.
Note: When the certificate Device Check is enabled for the account, the user is prompted to select the installed certificate the first time they connect using the Cato Client.
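The two procedures above (the trusted certificate profile and the PKCS certificate profile) can also be created programmatically. The script below is an added example, not Cato's or Microsoft's code: it builds the same two Android Enterprise profiles with the same settings (Microsoft CA, Client Authentication EKU, user approval for app access, root profile binding) and posts them to the Microsoft Graph beta endpoint for deviceConfigurations. The Graph resource types and property names used here are taken from the Graph beta reference and are assumptions to verify against the current documentation before use; the access token, CA FQDN, CA name, template name and the embedded sample PEM are placeholders. Group assignment, which the portal steps do on the Assignments tab, is a separate Graph action and is not covered.

```python
"""Create the two Intune Android Enterprise certificate profiles through the
Microsoft Graph beta endpoint, mirroring the portal steps in this article.
Added example; not Cato's or Microsoft's code. Property names are assumptions
taken from the Graph beta reference; verify them before use."""
import base64
import json
import re
import ssl
import urllib.request

GRAPH_DEVICE_CONFIGS = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"

# Constructed placeholder PEM (its body decodes to b"constructed", not a real
# certificate); replace it with the contents of the real Root CA .cer file.
SAMPLE_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"

# Partial list of the {{variable}} tokens Intune expands in a PKCS subject name
# format (assumption based on the Intune docs); extend it if your template uses others.
KNOWN_SUBJECT_VARIABLES = {
    "UserName", "UserPrincipalName", "EmailAddress", "AAD_Device_ID", "DeviceName",
    "OnPrem_Distinguished_Name", "OnPremisesSamAccountName", "SERIALNUMBER", "IMEI",
}
RDN_RE = re.compile(r"^[A-Za-z]+=.+$")
VAR_RE = re.compile(r"\{\{(\w+)\}\}")


def check_subject_name_format(fmt):
    """Return a list of problems with a subject name format string: RDNs that are
    not KEY=value, and {{variables}} Intune will not expand. An empty list means the
    string is well formed; whether the CA template accepts that subject is checked on
    the template itself (it must allow the subject to be supplied in the request)."""
    problems = [f"malformed RDN: {rdn!r}" for rdn in (p.strip() for p in fmt.split(","))
                if not RDN_RE.match(rdn)]
    problems += [f"unknown variable: {v}" for v in VAR_RE.findall(fmt)
                 if v not in KNOWN_SUBJECT_VARIABLES]
    return problems


def build_trusted_root_profile(name, description, root_cert_pem, cert_file_name="root-ca.cer"):
    """Trusted certificate profile. Intune stores the CA certificate as base64 DER,
    so a base64/PEM .cer is decoded to DER first and re-encoded for the JSON body."""
    der = ssl.PEM_cert_to_DER_cert(root_cert_pem)
    return {
        "@odata.type": "#microsoft.graph.androidDeviceOwnerTrustedRootCertificate",
        "displayName": name,
        "description": description,
        "certFileName": cert_file_name,
        "trustedRootCertificate": base64.b64encode(der).decode("ascii"),
    }


def build_pkcs_profile(name, description, ca_fqdn, ca_name, template_name, root_profile_id,
                       subject_name_format="CN={{UserName}},E={{EmailAddress}}"):
    """PKCS certificate profile: CA addressed by FQDN and CA name, template by its
    template name (not display name), Client Authentication EKU, user approval for
    app access, and a binding to the trusted root profile by its Intune object id."""
    problems = check_subject_name_format(subject_name_format)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "@odata.type": "#microsoft.graph.androidDeviceOwnerPkcsCertificateProfile",
        "displayName": name,
        "description": description,
        "certificationAuthority": ca_fqdn,
        "certificationAuthorityName": ca_name,
        "certificateTemplateName": template_name,
        "subjectNameFormat": "custom",
        "subjectNameFormatString": subject_name_format,
        "subjectAlternativeNameType": "none",
        "certificateValidityPeriodValue": 1,
        "certificateValidityPeriodScale": "years",
        "renewalThresholdPercentage": 20,
        "certificateAccessType": "userApproval",
        "extendedKeyUsages": [
            {"name": "Client Authentication", "objectIdentifier": "1.3.6.1.5.5.7.3.2"},
        ],
        "rootCertificate@odata.bind": f"{GRAPH_DEVICE_CONFIGS}('{root_profile_id}')",
    }


def create_profile(access_token, payload):
    """POST a profile and return the created object; its 'id' is what the PKCS
    profile binds to. The token needs DeviceManagementConfiguration.ReadWrite.All."""
    req = urllib.request.Request(
        GRAPH_DEVICE_CONFIGS, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys
    token, root_pem_path = sys.argv[1], sys.argv[2]  # token from your usual auth flow
    with open(root_pem_path) as f:
        root = create_profile(token, build_trusted_root_profile(
            "Corp Root CA", "Root CA for Cato client certificates", f.read()))
    pkcs = build_pkcs_profile("Cato client certificate", "User certificate from the corporate CA",
                              "ca01.corp.example", "Corp Issuing CA", "IntuneUser", root["id"])
    print(json.dumps(create_profile(token, pkcs), indent=2))
```

Run it as `python create_profiles.py <access token> <root-ca.cer>`. The subject name check catches typos in the format string before the profile is created, but a format that passes can still be rejected by the CA if the template does not allow the subject to be supplied in the request; that setting lives on the template. The article's Certificate type: User choice maps to a store property on the Graph type that is not set here, so confirm the created profile in the portal.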