Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Blog - Compare of Cloud PKIs

  • 1.  Blog - Compare of Cloud PKIs

    MVP EXPERT
    Posted 4 days ago

    Introduction

    Many companies use a Public Key Infrastructure (PKI) to issue certificates, ensuring secure certificate-based logins for VPNs, wired networks, and wireless authentications. These PKI solutions can be either legacy on-premise systems or cloud-based services. In this blog, we explore various PKI solutions and how they can be utilized with a cloud-managed MDM such as Microsoft Intune.

    Microsoft On-Premise PKI

    Most companies use a traditional on-premise PKI environment. In most cases, this infrastructure consists of three servers: a root server, an intermediate server, and an issuing server. Disadvantages of an on-premise setup include operational costs such as purchasing hardware, licenses, cooling, and electricity. The company is also responsible for security and keeping the system up to date. With the advent of cloud mobile device management solutions like Microsoft Intune, inbound firewall rules will also need to be configured. This involves using an NDES server, which is almost always positioned in the DMZ zone of the internal network. For many companies, it is often difficult to apply security hardening to these servers. Costs vary significantly, depending on factors such as rack space, hardware, electricity costs, Microsoft Server licenses, and expenses related to daily management to keep the systems running.

    Microsoft Cloud PKI

    In March 2024, Microsoft introduced Cloud PKI to the market. This solution is part of the Microsoft Intune Suite and enables companies to easily set up a PKI in the cloud to deploy certificates to devices managed by Intune. Since this solution resides in the Microsoft cloud alongside Intune, the need for an NDES server or inbound firewall rules is eliminated. Another advantage is that security is managed automatically in the cloud. From a cost perspective, it is also very attractive; the standalone add-on license costs only 1.87 euros per user per month in Europe. One disadvantage is that certificates can only be deployed to devices managed by Intune, and as of the time of writing, it is not possible to validate whether the certificate is still valid or has been revoked using OCSP (Online Certificate Status Protocol). Microsoft Cloud PKI can be configured quickly for VPN or other certificate-based authentication methods, particularly when managing only Intune-managed devices.

    SCEPman

    SCEPman is another cloud-based PKI certificate authority designed for use with Microsoft Intune, available as a SaaS solution from the Microsoft Marketplace. The NDES/SCEP web URL provided in the SCEPman solution is used by Intune to deploy certificates. A significant advantage over Microsoft Cloud PKI is that SCEPman can issue certificates for devices that are not managed by Intune and supports certificate validation using OCSP. Based on an environment with 1000 users, SCEPman costs 0.53 euros per user per month (excluding VAT), with pricing varying based on the number of users. SCEPman depends mainly on CPU resources; memory and disk are less important. There are additional costs associated with the resource in Azure. The SCEPman 2.5 instance runs on one Azure P0V3 App Service Plan, capable of serving around 2000 requests per minute.

    Aruba ClearPass Onboard

    Our favorite authentication server, Aruba ClearPass, can also serve as a PKI server. If a company already uses Aruba ClearPass, it can be expanded with ClearPass Onboard licenses to integrate the authentication server and PKI into a single managed server solution. Aruba ClearPass is typically installed on-premises (though it can also be deployed in the cloud), requiring inbound firewall rules for deploying certificates via Microsoft Intune and performing OCSP validation. The cost per deployed certificate is 1.62 euros per month if using 1-year subscriptions, excluding expenses for the purchase of ClearPass and support. Another option is to pay for perpetual licenses, which cost 2.32 euros, again excluding yearly support costs.

    Any suggestions are welcome :)



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
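    The post above points out that the options differ in whether OCSP revocation checking is available. Before committing to a PKI, it is worth reading the revocation endpoints out of a certificate it actually issues, because that is all a RADIUS server or VPN gateway will ever have to go on. The Go program below is an added example, not code from the post or from any of the products named; it constructs a self-signed test certificate with chosen endpoints (the example.test hostnames are made up) and reads them back the same way you would for a real device certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// RevocationInfo lists where a relying party can ask whether a certificate is revoked.
type RevocationInfo struct {
	OCSP []string // Authority Information Access entries of type OCSP
	CRL  []string // CRL distribution points
}

// RevocationEndpoints reads the AIA and CRL DP extensions the issuing CA
// stamped into the certificate; a PKI without OCSP leaves OCSP empty.
func RevocationEndpoints(c *x509.Certificate) RevocationInfo {
	return RevocationInfo{OCSP: c.OCSPServer, CRL: c.CRLDistributionPoints}
}

// OnlineCheckable is true when a real-time OCSP status check is possible;
// CRL-only certificates are only as fresh as the last CRL download.
func OnlineCheckable(c *x509.Certificate) bool { return len(c.OCSPServer) > 0 }

// IssueTestCert builds a self-signed certificate with the given revocation
// endpoints. Constructed test data only; a real PKI sets these from its policy.
func IssueTestCert(ocsp, crl []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "device01.example.test"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		OCSPServer:            ocsp,
		CRLDistributionPoints: crl,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

    For a real device certificate, replace IssueTestCert with x509.ParseCertificate on the DER bytes exported from the device and pass the result to the same two functions.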



  • 2.  RE: Blog - Compare of Cloud PKIs

    Posted 3 days ago

    https://www.keytos.io/cloud-radius-pricing is pretty cheap, $US0.20/user/month and I think includes the CA (or that's standalone for $200/month for 1 cryptographic activity/second).

    SCEPman has a free edition that can be run on the free Azure tier (you only have to pay for Key Vault, which is tens of dollars per year); it's what I use.




  • 3.  RE: Blog - Compare of Cloud PKIs

    EMPLOYEE
    Posted 2 days ago

    Note that ClearPass Onboard is licensed per user (that has one or more certificates active) as well, not per certificate. And Onboard is more than just a PKI, it includes self-service certificate installation.

    Further, it's good to have your view. Microsoft published an even more extensive (just) list of compatible SCEP providers (PKI solutions) for Intune, without recommending a specific solution.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Blog - Compare of Cloud PKIs

    Posted 2 days ago

    Onboard counts device certificates separately so you end up paying double if you want to do TEAP.