The extension has also been updated to work with just the Microsoft Graph API without needing the deprecated Azure AD Graph API. The app permissions section of the doc will be updated to reflect this change shortly.
https://www.arubanetworks.com/techdocs/ClearPass/TechNotes/Extensions-Intune-Onboard/Default.htm#CD-INT-verify-deployment.htm%3FTocPath%3DIntune-SCEP%2520Extension%2520for%2520Onboard%2520Enrollment%7C_____5
Original Message:
Sent: Mar 23, 2023 09:20 AM
From: Mflowers@beta.team
Subject: Microsoft Intune SCEP Extension
https://docs.scepman.com/certificate-deployment/microsoft-intune
I would suggest SCEPman for the CA. Unless you need/want the certs pushed by Clearpass, then this will work.
I originally tried to use the ClearPass Onboard CA for the certs and was trying to follow the same document you linked and ran into all kinds of issues and it never worked. Whoever wrote the document (before they updated it) did not understand how Azure applications work, and the documentation was telling you to search for the HPE Intune SCEP app in your directory as the first step to setting this up. The person that created the documentation did not understand that you needed to create the application, and people would not be able to search HPE's Azure directory for the application they created directly in their own Azure. There were other examples of this all throughout the document that I do not directly remember now. It seemed like someone got this set up/working once and then threw it over the fence to another team to get something written up about it, and the person that wrote the original document did not truly understand how it worked/needed to be set up.
This shows me that the Intune-SCEP extension is not well tested or well documented. They did not have an expert (or at least someone I would consider junior level) in this area document/test this service, and trying to get it set up would likely lead to problems/wasted time/wasted productivity. I do not know how well tested/documented this is now, but the initial Tech Note was released on Jun 1, 2022 (public release). This means for over 6 months the product was in the state it was in, with poor/incorrect documentation, and would not function. Even if it does work now, how well has it been tested, and if there are any issues, how long until they get fixed/properly updated?
Original Message:
Sent: Mar 22, 2023 10:59 AM
From: djanssen
Subject: Microsoft Intune SCEP Extension
Thanks for both of your quick replies. Regarding the crashing extensions, I think "Crash and stop until you restart?" fits best. But your hint on the OS memory could be a bullseye; we recently had issues with that on the server. A reboot fixed things for now.
Regarding the double certificates, we could see that the mobile devices (iOS in our environment) already send two requests to the SCEP server with a gap of 8-10 seconds. So we are pretty sure that's related to Intune, not CPPM. Most of the information we found is on r/Intune:
https://www.reddit.com/r/Intune/comments/idwo7k/intune_pushing_duplicate_certs_to_ios_devices/
https://www.reddit.com/r/Intune/comments/nm4yca/intune_pkcs_duplicate_certs/
https://www.reddit.com/r/Intune/comments/u6gcfr/ios_ipads_getting_2_scep_certificate_for_vpn/
Our most important task at the moment is the migration to 6.11. If we experience any issues after that we will have time to raise TAC cases and do further testing.
------------------------------
Thanks
Daniel
Original Message:
Sent: Mar 22, 2023 10:23 AM
From: gbenedict
Subject: Microsoft Intune SCEP Extension
I'll second Herman's tip. This is the first we have heard of any crashes, so that is something we will need to understand and possibly get some logs or insight. A ticket is the best means of communication.
Can you expand on 'shuts down'? Crash and stop until you restart? Crash and auto restart? Freeze and require a restart? Is CPPM under excessive load that may put it under memory pressure? We have seen extensions be one of the first things affected when the OS-level out-of-memory killer kicks in.
As for the two licenses, if you can link to anything to back up expected behavior that would help. Are you seeing a chain built or is it creating one for each network? I will ask around to see if they see 2x their devices as well.
Original Message:
Sent: Mar 21, 2023 09:14 AM
From: djanssen
Subject: Microsoft Intune SCEP Extension
I'd like to share some experiences we have had so far with the current extension. At this point, we do not use the inventory extension yet, but we plan to.
We noticed that, at least for iOS devices, Intune will request two certificates, which leads to twice as many licenses (OnBoard) being used. But it seems that this is a known/expected behaviour of Intune and we have to deal with this via Script/API.
We also noticed that the extension shuts down unexpectedly sometimes without any errors logged. We have to investigate that further.
Looking forward to the formal public release of this!
------------------------------
Thanks
Daniel
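As an added illustration (not code from this thread, from Aruba, or from the Intune SCEP extension), the script below scans SCEP request log lines and flags a second request from the same device arriving within a short window, which is the duplicate-certificate pattern Daniel describes in the Mar 21 and Mar 22 posts (two iOS requests 8-10 seconds apart, each consuming an OnBoard license). The log line format, the device identifiers and the 30-second window are assumptions; the sample lines are constructed, and a real extension or CPPM log would need its own regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (NOT the real
# ClearPass or Intune SCEP extension log format): timestamp, device id, event.
SAMPLE_LOG = """\
2023-03-21T09:00:01Z device=ios-a1b2 event=scep_request
2023-03-21T09:00:10Z device=ios-a1b2 event=scep_request
2023-03-21T09:05:00Z device=ios-c3d4 event=scep_request
2023-03-21T09:05:09Z device=ios-c3d4 event=scep_request
2023-03-21T10:00:00Z device=win-e5f6 event=scep_request
2023-03-21T11:00:00Z device=ios-a1b2 event=scep_request
"""

# Matches only SCEP request lines in the assumed format above.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+device=(?P<device>\S+)\s+event=scep_request$")


def parse_requests(text):
    """Return {device: [datetime, ...]} of SCEP request times, sorted per device."""
    requests = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not SCEP requests in the assumed format
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        requests[m.group("device")].append(ts)
    for device in requests:
        requests[device].sort()
    return dict(requests)


def find_duplicate_requests(text, window_seconds=30):
    """Return {device: extra_request_count} for devices that sent more than one
    SCEP request within `window_seconds` of the first request in a burst.

    Each extra request corresponds to one extra certificate, and therefore one
    extra OnBoard license, issued for the same device. A request that arrives
    outside the window starts a new burst; a genuine renewal hours later is
    not counted as a duplicate.
    """
    duplicates = {}
    for device, times in parse_requests(text).items():
        extra = 0
        burst_start = None
        for ts in times:
            if burst_start is not None and ts - burst_start <= timedelta(seconds=window_seconds):
                extra += 1  # second (or later) request in the same burst
            else:
                burst_start = ts  # first request of a new burst
        if extra:
            duplicates[device] = extra
    return duplicates


def excess_license_count(text, window_seconds=30):
    """Total number of licenses consumed by duplicate requests across all devices."""
    return sum(find_duplicate_requests(text, window_seconds).values())


if __name__ == "__main__":
    for device, extra in sorted(find_duplicate_requests(SAMPLE_LOG).items()):
        print(f"{device}: {extra} duplicate SCEP request(s)")
    print("excess licenses consumed:", excess_license_count(SAMPLE_LOG))
```

Running it on the constructed sample reports one duplicate each for the two iOS devices and none for the Windows device or for the later renewal, which is the count you would reconcile against the OnBoard license usage before cleaning up via script or API.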
Original Message:
Sent: Jan 19, 2023 11:32 AM
From: gbenedict
Subject: Microsoft Intune SCEP Extension
Great to hear. Feel free to tag me with any feedback. Do you use it in conjunction with the Intune inventory extension for policy?
Original Message:
Sent: Jan 19, 2023 10:29 AM
From: djanssen
Subject: Microsoft Intune SCEP Extension
Garth,
thanks for your reply. Didn't expect such a quick response, really appreciate that. At first glance, version 1.1.0 works fine for us!
------------------------------
Thanks
Daniel
Original Message:
Sent: Jan 18, 2023 04:33 PM
From: gbenedict
Subject: Microsoft Intune SCEP Extension
The current extension ID now points to a 1.1.0 version that removes the deprecated API. You no longer need the AD Graph permission. Docs and a formal public release coming soon.
Original Message:
Sent: Jan 18, 2023 03:31 PM
From: gbenedict
Subject: Microsoft Intune SCEP Extension
The official support of Intune SCEP is coming 'shortly'.
Original Message:
Sent: Jan 17, 2023 04:44 AM
From: djanssen
Subject: Microsoft Intune SCEP Extension
We are planning to roll out device certificates through the Intune SCEP Extension for Onboard Enrollment according to this technote: https://www.arubanetworks.com/techdocs/ClearPass/TechNotes/Extensions-Intune-Onboard/Default.htm
Unfortunately, the Intune SCEP extension relies on the deprecated Azure Active Directory Graph API, which will be shut down after June 30, 2023. Are there any plans to migrate the extension to the Microsoft Graph API soon? Or would it be wise to go for another workflow?
------------------------------
Thanks
Daniel
------------------------------