Security

 View Only
Expand all | Collapse all

Microsoft Intune SCEP Extension

This thread has been viewed 97 times
  • 1.  Microsoft Intune SCEP Extension

    Posted Jan 17, 2023 04:44 AM
    We are planning to roll out device certificates through the Intune SCEP Extension for Onboard Enrollment according to this technote: https://www.arubanetworks.com/techdocs/ClearPass/TechNotes/Extensions-Intune-Onboard/Default.htm
    Unfortunately, the Intune SCEP extension relies on the deprecated Azure Active Directory Graph API, which will be shut down after June 30, 2023. Are there any plans to migrate the extension to the Microsoft Graph API soon? Or would it be wise to go for another workflow?

    ------------------------------
    Thanks
    Daniel
    ------------------------------


  • 2.  RE: Microsoft Intune SCEP Extension

    Posted Jan 17, 2023 11:49 PM
    You can use PacketFence's Intune SCEP integration by itself, I helped patch it for the MS Graph API a few months ago. PacketFence is a whole RADIUS server but you don't need to touch the RADIUS bits to use its CA. Also AGPL is a lot cheaper than Onboard licensing ...


  • 3.  RE: Microsoft Intune SCEP Extension

    Posted Jan 18, 2023 03:32 PM
    The official support of Intune SCEP is coming 'shortly'.


  • 4.  RE: Microsoft Intune SCEP Extension
    Best Answer

    Posted Jan 18, 2023 04:34 PM
    The current extension ID now points to a 1.1.0 version that removes the deprecated API.  You no longer need the AD Graph permission.  Docs and a formal public release coming soon.


  • 5.  RE: Microsoft Intune SCEP Extension

    Posted Jan 19, 2023 10:29 AM
    Garth,

    thanks for your reply. Didn't expect such a quick response, really appreciate that. At first glance, version 1.1.0 works fine for us!

    ------------------------------
    Thanks
    Daniel
    ------------------------------



  • 6.  RE: Microsoft Intune SCEP Extension

    Posted Jan 19, 2023 11:32 AM
    Great to hear.  Feel free to tag me with any feedback.  Do you use it in conjunction with the Intune inventory extension for policy?


  • 7.  RE: Microsoft Intune SCEP Extension

    Posted Mar 21, 2023 09:14 AM

    I like to share some experiences we made so far with the current extension. At this point, we do not use the inventory extension yet but we plan to.

    We noticed that at least for iOS devices Intune will request two certificates which will lead to two times more licenses (OnBoard) beeing used. But it seems that this is a known/expected behaviour of Intune and we have to deal with this via Script/API.

    We also noticed, that the extension shuts down unexpectedly sometimes without any errors logged. We have to further investigate on that.

    Looking forward to the formal public release of this!



    ------------------------------
    Thanks
    Daniel
    ------------------------------



  • 8.  RE: Microsoft Intune SCEP Extension

    Posted Mar 22, 2023 06:35 AM

    Have you create a TAC Case for both issues? If not, please do as it would either get you a fix, or speed up the fix for yourself and others.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Microsoft Intune SCEP Extension

    Posted Mar 22, 2023 10:23 AM

    I'll second Herman's tip.  First we have heard of any crashes so that is something we will need to understand and possible get some logs or insight.  A ticket is the best means of communication.

    Can you expand on 'shuts down'?  Crash and stop until you restart?  Crash and auto restart?  Freeze and require a restart?  Is CPPM under excessive load that may put it under memory pressure?  We have seen extensions be one of the fist things affected when the OS level out of memory killer kicks in.

    As for the two licenses, if you can link to anything to back up expected behavior that would help.  Are you seeing a chain built or is it creating one for each network?  I will ask around to see if they see 2x their devices as well. 




  • 10.  RE: Microsoft Intune SCEP Extension

    Posted Mar 22, 2023 11:00 AM

    Thanks for both of your quick replies. Regarding the crashing extensions I think "Crash and stop until you restart?" fits best. But your hint on the OS memory could be a bullsyeye, we recently had issues with that on the server. A reboot fixed things for now.

    Regarding the double certificates we could see that already the mobile devices (iOS in our environment) send two requests to the SCEP server with a gap of 8-10 seconds. So we are pretty sure that's related to Intune, not CPPM. Most information we found are on r/Intune:

    https://www.reddit.com/r/Intune/comments/idwo7k/intune_pushing_duplicate_certs_to_ios_devices/

    https://www.reddit.com/r/Intune/comments/nm4yca/intune_pkcs_duplicate_certs/

    https://www.reddit.com/r/Intune/comments/u6gcfr/ios_ipads_getting_2_scep_certificate_for_vpn/

    Our most important task at the moment is the migration to 6.11. If we experience any issues after that we will have time to raise TAC cases and do further testing.



    ------------------------------
    Thanks
    Daniel
    ------------------------------



  • 11.  RE: Microsoft Intune SCEP Extension

    Posted Mar 23, 2023 09:20 AM
    Edited by Mflowers@beta.team Mar 23, 2023 09:26 AM

    https://docs.scepman.com/certificate-deployment/microsoft-intune

    I would suggest SCEPman for the CA.  Unless you need/want the certs pushed by Clearpass, then this will work.  

    I originally tried to use Clearpass onboard CA for the certs and was trying to follow the same document you linked and ran into all kinds of issues and it never worked.  Whoever wrote the document (before they updated it) did not understand how Azure applications work and the documentation was telling you search for the HPE Intune SCEP in your directory and that was the first step to setting this up.  The person that created the documentation did not understand that you needed to create the application and people would not be able to search HPE's Azure directory for the application they created directly in their own Azure.  There was other examples of this all throughout the document that I do not directly remember now.  It seemed like someone got this setup/working once and then threw it over the fence to another team to get something wrote up about it and the person that wrote the original document did not truly understand how it worked/needed to be setup. 

    This shows to me that the Intune-SCEP extension is not well tested or well documented.  They did not have an expert (or at least a someone I would consider Junior level) in this area document/test this service and trying to get it setup would likely lead to problems/wasted time/wasted productivity.  I do not know how well tested/documented this is now but the initial Tech Note was released on Jun1, 2022 (public release).  This means for over 6 months, the product was in the state it was with poor/incorrect documentation and would not function.  Even if it does work now, how well has it been tested and if there is any issues, how long until it gets fixed/properly updated? 




  • 12.  RE: Microsoft Intune SCEP Extension

    Posted Mar 23, 2023 12:56 PM

    Mflowers@beta.team" data-itemmentionkey="cdbd209d-c937-4b71-9072-662d23d3473c" biobubblekey="mentionf778aa81-7f17-4336-ad60-0f6d4583d23a" href="https://community.arubanetworks.com/profile?UserKey=f778aa81-7f17-4336-ad60-0f6d4583d23a" data-can-remove="False">@Mflowers@beta.team  Yes there were few issues with the original documentation due to a difference in internal processes as to how this extension was developed. We have since updated the documentation.

    The extension has also been updated to work with just Microsoft Graph API without needing deprecated Azure AD Graph API. The app permissions section of the doc will be updated to reflect this change shortly.

    Updated documentation can be found here:

    https://www.arubanetworks.com/techdocs/ClearPass/TechNotes/Extensions-Intune-Onboard/Default.htm#CD-INT-verify-deployment.htm%3FTocPath%3DIntune-SCEP%2520Extension%2520for%2520Onboard%2520Enrollment%7C_____5