Intune

Introduction

This section details the Microsoft Endpoint Manager - Intune SCEP integration with Horizon, used to enroll, renew and revoke certificates on Intune managed devices.

This integration involves at least three infrastructure components:

  • Microsoft Endpoint Manager / Intune

  • Azure Active Directory

  • EverTrust Horizon

The enrolled devices interface with these components in order to retrieve their certificate.

Intune SCEP Integration Diagram

The diagram displays these components as well as the various flows involved in an enrollment.

Microsoft describes the integration principles on their website: https://docs.microsoft.com/en-us/mem/intune/protect/certificate-authority-add-scep-overview

Finally, this integration requires the following elements to be set up on the Horizon side:

  • an Intune Connector, which holds the configuration items required for Horizon to connect to Azure AD and Intune

  • an Intune Profile, which holds the configuration items specifying how Horizon should issue certificates for the specified Intune Connector

  • an Intune Scheduled Task, which holds the configuration items defining the scheduled task in charge of revoking certificates when devices are decommissioned from Azure AD. This is optional.

Intune Connector

This section details how to configure an Intune Connector.

Prerequisites

On the Horizon side, you may need to set up a Proxy if one is required to reach Azure/Intune.

On the Azure AD side, you must register an application by following Microsoft's guide. Note that you must also add the Microsoft Graph / Directory.Read.All permission for the revocation feature to work properly. After performing these steps, you will have the following information, which is required later:

  • the Tenant ID

  • the Application ID

  • the Application Authentication Key

How to configure Intune Connector

1. Log in to Horizon Administration Interface.

2. Access Intune Connector from the drawer or card: Third Parties > Intune > Connectors.

3. Click on Add Connector.

4. Fill the mandatory fields.

Connection

  • Name* (string input):
    Enter a meaningful connector name. It must be unique for each connector. Horizon uses the name to identify the connector.

  • Azure Tenant* (string input):
    Enter the Tenant ID.

  • App ID* (string input):
    Enter the Application ID.

  • App Key* (string input):
    Enter the Application Authentication Key.

  • Proxy (select):
    The HTTP/HTTPS proxy used to reach Azure AD and Intune.

  • Timeout (finite duration):
    Timeout of the connection used to reach Azure AD and Intune. Defaults to 10 seconds. Must be a valid finite duration.

Assets identification and management

  • OS query string (string input):
    Restricts the devices listed for the revocation feature to the given OS. Leave blank to use the default setting if unsure.

  • Intune resource URL (string input):
    Points at a specific Intune installation. Used only in Hybrid Intune setups; leave blank otherwise.

  • Legacy revocation mode (boolean):
    Activates the legacy revocation mode. Defaults to false.

Actors management

These settings limit the number of interactions with the remote service over a given period. For example, to ensure that the remote service is contacted no more than 5 times per 3 seconds, set Throttle parallelism (the number of calls) to 5 and Throttle duration (the period) to 3 seconds.

  • Throttle duration* (finite duration):
    Set by default to 3 seconds. Must be a valid finite duration.

  • Throttle parallelism* (int):
    Set by default to 3.

5. Click on the save button.

You can update or delete the Intune Connector using the Edit Connector and Delete Connector buttons.

You will not be able to delete an Intune Connector if it is referenced in any other configuration element.

Intune Profile

This section details how to configure an Intune Profile.

Prerequisites

Intune Connector

PKI Connector

SCEP Authority

Setting up a SCEP Authority requires issuing a certificate from the underlying PKI with the following characteristics:

  • the issuing CA should be the same as the one that will issue certificates through the PKI Connector linked to the Intune Profile

  • the certificate key usages must include Digital Signature and Key Encipherment

  • the certificate must be issued as PKCS#12 and then imported into Horizon

How to configure Intune Profile

1. Log in to Horizon Administration Interface.

2. Access Intune Profile from the drawer or card: Third Parties > Intune > Profiles.

3. Click on Add Connector.

4. Fill the mandatory fields.

General

  • Name* (string input):
    Enter a meaningful profile name. It must be unique for each profile. Horizon uses the name to identify the profile. As the name will be part of a URL, it is advised to use only lower case letters and dashes.

  • Enabled* (boolean):
    Indicates whether the profile is enabled or not. Set to true by default.

  • Intune Connector* (select):
    Select an Intune Connector previously created.

  • PKI Connector (select):
    Select a PKI connector previously created.

  • Max certificate per holder (int):
    If specified, defines the maximum number of active certificates for a given Holder. If the number of active certificates exceeds this parameter, then the oldest certificate(s) above the limit will be automatically revoked.

Assets identification

  • Device ID field name (string input):
    Subject DN field used to retrieve the Device ID. The selected field must be set to {{AAD_Device_ID}} on the Intune side: for example, if you select "L", the Subject DN configured in the Intune SCEP profile must contain L={{AAD_Device_ID}}. This is required for the automated revocation feature upon device decommission.

  • Device ID separator (string input):
    Separator used to retrieve the Device ID from the Device ID field (if defined). This field exists for backward compatibility reasons and should normally be left blank.

SCEP protocol parameters

  • Mode* (select):
    Choose one of the two modes, RA or CA. This should usually be set to RA.

  • SCEP Authority (select):
    Select a SCEP Authority previously created. See Prerequisites for details.

  • CAPS (select):
    Select one or more SCEP Capabilities from the list. If unsure, leave the default.

  • Encryption algorithm (select):
    Select a SCEP encryption algorithm from the list. If unsure, leave the default.

Renewal management

  • Renewal period (finite duration):
    Must be a valid finite duration.

  • Revocation on SCEP renew* (boolean):
    Whether the expiring certificate should be revoked upon SCEP renewal. Set by default to false.

  • Revocation reason* (select):
    Select the reason from the list. Available only if revocation on SCEP renew is set to true.

Self Permissions

  • Revoke (boolean):
    Specify whether the certificate’s owner is authorized to revoke the certificate with no validation workflow. Set to false by default.

  • Request Revoke (boolean):
    Specify whether the certificate’s owner is authorized to request the revocation of the certificate. Set to false by default.

  • Update (boolean):
    Specify whether the certificate’s owner is authorized to update the certificate with no validation workflow. Set to false by default.

  • Request Update (boolean):
    Specify whether the certificate’s owner is authorized to request an update of the certificate. Set to false by default.

You can further configure the profile using the Common configuration profile and Notification tabs.

5. Click on the save button.

You can update or delete the Intune Profile using the Edit Connector and Delete Connector buttons once it has been created.

You won’t be able to delete an Intune Profile if it is referenced somewhere else.

Last steps

Once the profile has been created in Horizon, you need to set up a SCEP profile in Intune by following Microsoft's documentation. The parameters of the Intune SCEP profile must match what has been set up in Horizon and in the underlying PKI. Pay special attention to:

  • the certificate lifetime and renewal interval, which must match throughout the solution

  • the Subject and Subject Alternative Name settings, which must match throughout the solution: the issued certificate must contain exactly what was configured in Intune for these fields, or renewal will not work

  • the SCEP server URL, which must be the URL given in the Intune Profile that you created in Horizon

Sample Intune SCEP Profile configuration

To enroll Windows machines or users using Intune, you need to remove the trailing "pkiclient.exe" from the SCEP server URL.

Intune Scheduled Tasks

This section details how to configure scheduled tasks that run periodically on your Intune profiles to manage automatic revocation upon device decommission.

How to configure Intune Scheduled Tasks

1. Log in to Horizon Administration Interface.

2. Access Intune Scheduled Tasks from the drawer or card: Third Parties > Intune > Scheduled Tasks.

3. Click on Add Scheduled task.

4. Fill the mandatory fields.

  • Intune Profile* (select):
    Select an Intune profile previously created.

  • Target Connector* (select):
    Select an Intune connector previously created.

  • Cron scheduling (cron expression):
    Set to every 5 hours by default.

  • Revoke (boolean):
    Set to false by default. If true, Horizon revokes any certificate associated with a device that has been deleted from Azure AD (and hence decommissioned).

  • Dry run (boolean):
    If enabled, revocation actions will not be performed. Instead, a message will be logged, explaining what would have been done.

5. Click on the save button.

You can run, update or delete the Scheduled Tasks using the Execute Connector, Edit Connector and Delete Connector buttons.
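As an added illustration (not Horizon's own code), here is how the Device ID field name / separator of the Intune Profile and the Revoke and Dry run switches of the scheduled task fit together: the Device ID is read from the configured Subject DN attribute (the one set to {{AAD_Device_ID}} on the Intune side), compared with the devices still present in Azure AD, and certificates of deleted devices are revoked only when Revoke is on and Dry run is off. The separator semantics, the in-memory certificate store and the sample data are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
def parse_dn(dn):
    """Split an RFC 4514-style DN ('CN=x,L=y,O=z') into {type: value}; handles '\\,' only."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs

def device_id_from_dn(dn, field_name, separator=""):
    """Azure AD Device ID from the configured Subject DN field, or None if absent."""
    value = parse_dn(dn).get(field_name.upper())
    if value and separator:  # assumption: the Device ID follows the last separator
        value = value.rsplit(separator, 1)[-1]
    return value or None

@dataclass
class IssuedCert:
    serial: str
    subject_dn: str
    revoked: bool = False

def decommission_sweep(certs, live_device_ids, field_name, separator="",
                       revoke=False, dry_run=False):
    """Apply the task's Revoke / Dry run switches; return a (serial, device_id, action) log."""
    log = []
    for cert in certs:
        if cert.revoked:
            continue
        dev = device_id_from_dn(cert.subject_dn, field_name, separator)
        if dev is None:
            log.append((cert.serial, None, "skipped: no Device ID in subject"))
        elif dev in live_device_ids:
            continue  # device still exists in Azure AD: nothing to do
        elif not revoke:
            log.append((cert.serial, dev, "device gone, revoke disabled"))
        elif dry_run:
            log.append((cert.serial, dev, "dry run: would revoke"))
        else:
            cert.revoked = True
            log.append((cert.serial, dev, "revoked"))
    return log
# Constructed sample data (not real tenants or devices): device 2222... was deleted from Azure AD.
LIVE = {"11111111-1111-1111-1111-111111111111"}
SAMPLE = [
    IssuedCert("01", "CN=laptop-01,L=11111111-1111-1111-1111-111111111111,O=Example"),
    IssuedCert("02", "CN=laptop-02,L=22222222-2222-2222-2222-222222222222,O=Example"),
    IssuedCert("03", "CN=web\\, internal,O=Example"),  # no Device ID field: never touched
]
```

Running the sweep with Dry run enabled first and reviewing the log entries before switching Revoke on is the safe way to validate that the Device ID field is populated as expected.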