Delegated SCEP for Windows with Microsoft Intune

Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted devices through your Mobile Device Management (MDM) software. These certificates grant access to specific API endpoints that Okta Verify uses to establish device identity.

Purpose

Okta Device Access certificate

Platform

Windows

MDM

Microsoft Intune

SCEP URL

Delegated

Before you begin

Make sure that you have access to the following:

  • Certificates that are deployed for digital signature, but not for other purposes (for example, encryption)

  • Okta Admin Console

  • Microsoft Intune

  • Microsoft Azure

Okta as a CA doesn't support renewal requests. Instead, redistribute the profile before the certificate expires so that the expiring certificate is replaced with a newly issued one.

Configure all MDM SCEP policies to allow for profile redistribution.

Start this task

  1. Register the Azure Active Directory app credentials for Okta

  2. Generate a SCEP URL in Okta

  3. Download the x509 certificate from Okta

  4. Create a trusted certificate profile in Microsoft Intune

  5. Create a SCEP profile in Microsoft Intune

  6. Verify the certificate installation on your Windows devices

Register the Azure Active Directory app credentials for Okta

  1. In Microsoft Azure, click App registrations.

  2. Click + New registration.

  3. On the Register an application page, enter the following:

    1. Name: Enter a meaningful name for the app.

    2. Supported account types: Select the appropriate supported account type.

      The following procedure uses Accounts in this organizational directory only ([Your_Tenant_Name] only - Single tenant).

    3. Redirect URI (optional): Either leave this field blank, or select Web and then enter a redirect URI.

    4. Click Register.

  4. On the app page under Essentials, copy the Application (client) ID.

    The image indicates where to find the Application (client) ID.

    This value is required in the Okta Admin Console in the following task.

  5. Add a client secret:

    1. In the left pane, click Certificates & secrets.

    2. Under Client secrets, click + New client secret.

    3. In the Add a client secret section, enter the following:

      • Description: Optional. Enter a description for the client secret.

      • Expires: Select an expiration time period.

    4. Click Add.

      The secret appears under Client secrets.

    5. In the Client secrets tab, copy the Value.

      The image indicates where to find the client secret value.

  6. Set the scep_challenge_provider permissions:

    1. In the left pane, click API permissions.

    2. Click + Add a permission.

    3. On the Request API permissions page, scroll down and click Intune.

    4. Under What type of permissions does your application require?, click Application permissions.

    5. In the Select permissions search field, enter scep. Select the scep_challenge_provider checkbox.

      The image shows the Request API permissions settings.

    6. Click Add permissions.

    7. In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].

      The image indicates the location of the Grant admin consent button.

    8. Click Yes in the message that appears.

  7. Set the Microsoft Graph permissions:

    1. Click + Add a permission.

    2. In the Request API permissions section, click Microsoft Graph.

    3. Under What type of permissions does your application require?, click Application permissions.

    4. In the Select permissions search field, enter application. Expand the Application list and select Application.Read.All.

    5. Click Add permissions.

    6. In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].

    7. Click Yes in the message that appears.

Generate a SCEP URL in Okta

  1. In the Admin Console, go to Security > Device integrations.

  2. On the Device Access tab, click Add SCEP configuration.

  3. On the Add SCEP configuration page, select the following option:

    • SCEP URL challenge type: Dynamic SCEP URL and select Microsoft Intune (delegated SCEP).

  4. Click Generate.

  5. Copy and save the SCEP URL in a secure location.

  6. Click Save.

Download the x509 certificate from Okta

  1. In the Admin Console, go to Security > Device integrations.

  2. Click the Certificate authority tab.

  3. In the Actions column for your Okta CA, click the Download x509 certificate icon.

  4. Rename the downloaded file so that it includes a .cer extension.

    You need the certificate (CER) file when you create a trusted certificate profile in Microsoft Intune.

Create a trusted certificate profile in Microsoft Intune

  1. In the Microsoft Intune admin center, go to Devices.

  2. Click Configuration profiles.

  3. Click + Create profile.

  4. On the Create a profile page:

    1. Platform: Select Windows 10 and later.

    2. Profile type: Select Templates.

    3. In the Template name section, click Trusted certificate.

      The image shows the Create a profile page in the Microsoft Endpoint Configuration Manager.

    4. Click Create.

  5. On the Basics tab of the Trusted certificate page, complete the following fields:

    1. Name: Enter a name for the certificate.

    2. Description: Optional. Enter a description for the certificate.

      The image shows the trusted certificate screen in the Microsoft Intune configuration manager.

    3. Click Next.

  6. On the Configuration settings tab of the Trusted certificate page, select the following:

    1. Certificate file: Select the x509 certificate (CER) file that you downloaded from Okta.

    2. Destination store: Select Computer certificate store - Intermediate.

    3. Click Next.

  7. On the Assignments tab of the Trusted certificate page, select the following:

    1. Included groups: Assign the trusted certificate profile to one or more user groups. The user groups must be the same as the groups where you're going to assign the SCEP profile.

      Make sure the user groups specified in both profiles are the same.

    2. Click Next.

  8. On the Applicability rules tab of the Trusted certificate page:

    1. Configure any required rules.

    2. Click Next.

  9. On the Review + create tab of the Trusted certificate page, review the configuration and then click Create.

Create a SCEP profile in Microsoft Intune

  1. In the Microsoft Intune admin center, go to Devices.

  2. Click Configuration profiles.

  3. Click + Create profile.

  4. On the Create a profile page, select the following:

    1. Platform: Select Windows 10 or later.

    2. Profile type: Select Templates.

    3. Template name: Select SCEP certificate.

      The image shows the Create a profile screen.

    4. Click Create.

  5. On the Basics tab of the SCEP certificate page, complete the following fields:

    1. Name: Enter a name for the certificate.

    2. Description: Optional. Enter a description for the certificate.

      The image shows the SCEP certificate screen.

    3. Click Next.

  6. On the Configuration settings tab of the SCEP certificate page, complete the following fields:

    1. Certificate type: Select a certificate type, depending on how you plan to use the profile.

      • User: Select User when configuring Okta as a CA.

      • Device: Use Device when setting up a SCEP certificate for Device Access.

    2. Subject name format: Enter a subject name for the certificate. For example, CN={{UserPrincipalName}},G={{GivenName}},SN={{SurName}}.

      Okta has no specific format requirements for this field. You can use this field to indicate the certificate's purpose as a device management signal for Okta or use profile variables provided by Microsoft Intune.

      For a list of supported variables, see Use SCEP certificate profiles with Microsoft Intune.

    3. Certificate validity period: Set to 1 year.

    4. Key storage provider (KSP): Select Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP.

    5. Key usage: Select Digital signature.

    6. Key length: Select 2048.

    7. Hash algorithm: Select SHA-2.

    8. Click + Root Certificate.

    9. On the Root Certificate page, select the trusted certificate that you created in the previous task.

    10. Click OK.

    11. Under Extended key usage, set Predefined values to Client Authentication.

    12. Renewal threshold: Set this percentage to 20. This means that the MDM renews the certificate on the device when 20% of its validity period remains, that is, when 80% of the validity period has elapsed.

    13. SCEP Server URLs: Enter the SCEP URL that you generated in Okta.

      The image shows the Microsoft Endpoint Configuration Manager SCEP certificate screen.

    14. Click Next.

  7. On the Assignments tab of the SCEP certificate page, assign the certificate to the same user groups to which you assigned the trusted certificate profile. Click Next.

    Make sure the user groups specified in both profiles are the same.

  8. On the Applicability Rules tab of the SCEP certificate page, configure any required rules, and click Next.

  9. On the Review + create tab of the SCEP certificate page, review the configuration and then click Create.

Verify the certificate installation on your Windows devices

On a Windows computer, verify that the client certificate was installed:

  1. Click Start, and then type cert.

  2. Click Manage user certificates.

  3. Under Certificates - Current User, click Personal > Certificates.

  4. Make sure that the client certificate exists.

Verify the Certificate Authority (CA):

  1. In Certificates - Local Computer, select Intermediate Certificate Authority > Certificates.

  2. In the Issued To column, find Organization Intermediate Authority.

  3. Make sure that the Issued By column specifies Organization Root Authority for Organization Intermediate Authority.

If you don't find the certificate, check the Windows event log:

  1. On the Windows computer, click Start, type Event, and then click Event Viewer.

  2. Look in Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise > Admin.

  3. In the General tab, find the following:

    • SCEP: Certificate installed successfully.

    • SCEP: Certificate request generated successfully.
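The three manual checks in this section can be run from PowerShell on the enrolled device. The script below is an added example, not part of the Okta page and not Okta or Microsoft tooling. It assumes the issuer names the page describes ("Organization Intermediate Authority" and "Organization Root Authority"), the SCEP profile settings from the previous task (Digital signature key usage, Client Authentication EKU, 2048-bit key, 20% renewal threshold), and that the Event Viewer path on the page corresponds to the log channel named in $LogName; adjust those values if your tenant differs. It also reports whether the private key is TPM-backed, which the page's KSP setting requests but the manual steps do not check.

```powershell
# Added verification script (not from the Okta page). Automates the checks in
# "Verify the certificate installation on your Windows devices".
# Assumptions (not on the page): the issuer names below, the profile settings
# from the SCEP task, and the full event log channel name in $LogName.

$IntermediateCN = 'Organization Intermediate Authority'   # issuer of the client certificate
$RootCN         = 'Organization Root Authority'           # issuer of the intermediate
$RenewalPercent = 20                                      # Intune renewal threshold from the profile
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'                     # id-kp-clientAuth (Client Authentication EKU)
$LogName        = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'  # assumed channel name

function Test-OktaScepClientCert {
    # Check 1: the SCEP-issued client certificate in Certificates - Current User > Personal.
    $certs = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*CN=$IntermediateCN*" }
    if (-not $certs) {
        Write-Warning "No client certificate issued by '$IntermediateCN' in Cert:\CurrentUser\My"
        return
    }
    foreach ($cert in $certs) {
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $kuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

        # Key storage provider: "Microsoft Platform Crypto Provider" means the key lives in the TPM.
        $ksp = 'n/a'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) { $ksp = $rsa.Key.Provider.Provider }
        } catch { $ksp = 'unavailable' }

        # Remaining lifetime compared with the profile's renewal threshold.
        $lifetime     = ($cert.NotAfter - $cert.NotBefore).TotalSeconds
        $remaining    = ($cert.NotAfter - (Get-Date)).TotalSeconds
        $remainingPct = [math]::Round(100 * $remaining / $lifetime, 1)

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            HasPrivateKey      = $cert.HasPrivateKey
            KeyStorageProvider = $ksp
            KeyLength          = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
            ClientAuthEku      = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }))
            DigitalSignature   = [bool]($kuExt -and ($kuExt.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature))
            NotAfter           = $cert.NotAfter
            RemainingPercent   = $remainingPct
            RenewalDue         = ($remainingPct -le $RenewalPercent)
        }
    }
}

function Test-OktaCaChain {
    # Check 2: the Okta intermediate in Certificates - Local Computer > Intermediate
    # Certificate Authority (Cert:\LocalMachine\CA), issued by the root.
    $ca = Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -like "*CN=$IntermediateCN*" }
    if (-not $ca) {
        Write-Warning "'$IntermediateCN' not found in Cert:\LocalMachine\CA; check the trusted certificate profile assignment"
        return
    }
    foreach ($c in $ca) {
        [pscustomobject]@{
            IssuedTo   = $c.Subject
            IssuedBy   = $c.Issuer
            IssuerOk   = ($c.Issuer -like "*CN=$RootCN*")
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
        }
    }
}

function Get-ScepEnrollmentEvents {
    # Check 3: SCEP messages from the MDM enrollment log, for when the certificate is missing.
    param([int]$MaxEvents = 500)
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents |
        Where-Object { $_.Message -like '*SCEP:*' } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } }
}

Test-OktaScepClientCert  | Format-List
Test-OktaCaChain         | Format-List
Get-ScepEnrollmentEvents | Format-Table -AutoSize
```

Run it in the enrolled user's session, because the client certificate is in that user's Personal store; reading the DeviceManagement-Enterprise Admin channel may require an elevated prompt. A result with ClientAuthEku or DigitalSignature set to False means the SCEP profile was not built with the settings from this page, and RenewalDue set to True means the device is inside the renewal window, where, since Okta as a CA does not serve renewal requests, the profile should be redistributed.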