Intune PKCS Connector
This section details how to configure the Intune PKCS Connector.
This integration involves at least three infrastructure components:
- Microsoft Endpoint Manager / Intune
- Azure Active Directory
- EverTrust Horizon
The enrolled devices interface with these components in order to retrieve their certificate.

The diagram displays these components as well as the various flows involved in an enrollment.
How to configure Intune PKCS Connector
1. Log in to Horizon Administration Interface.
2. Access Intune PKCS Connectors from the drawer or card: Third Parties > Intune PKCS > Connectors.
3. Click on .
4. Fill the mandatory fields.
General
- Name* (string input): Enter a meaningful connector name. It must be unique for each connector. Horizon uses the name to identify the connector.
- Azure Tenant* (string input): Value must be set to the Azure Tenant.
- App ID* (string input): Value must be set to the Azure App ID.
- App Key* (string input): Value must be set to the Azure App Key.
- Proxy (select): The HTTP/HTTPS proxy to use.
- Timeout (finite duration): Set by default at 10 seconds. Must be a valid finite duration.
- Search Filter (string input): Enter the search filter.
- Max stored certificates per holder (int): When specified, defines the maximum number of certificates stored in the third party for a given holder.
Assets identification and management
- Key Name (string input): Enter the key name.
- Key Type (select): Select one key type from the list.
- Provider Name (string input): Enter the provider name.
- Public Key (string input): Enter the public key in PEM format.
- Intended Purpose (select): Select one intended certificate usage from the list.
Actors and renewal management
These configuration elements define how many interactions with the remote service are authorized over a defined period. Throttle parallelism is the number of interactions and Throttle duration is the period of time. For example, to ensure that the remote service is not contacted more than 5 times per 3 seconds, set Throttle parallelism to 5 and Throttle duration to 3 seconds.
- Throttle duration* (finite duration): Set by default at 3 seconds. Must be a valid finite duration.
- Throttle parallelism* (int): Set by default at 3.
- Renewal period (finite duration): Must be a valid finite duration.
5. Click on the save button.
You can update or delete the Intune PKCS Connector.
You won’t be able to delete an Intune PKCS Connector if it is referenced in any other configuration element.
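The Throttle parallelism and Throttle duration settings of the connector, modelled as a sliding-window limiter to show how a burst of calls to the remote service gets spread out. This is an added illustration, not Horizon's implementation: the function names `schedule_calls` and `drain_time`, the burst of 12 calls, and the sliding-window behaviour itself are assumptions made for the example.

```python
from collections import deque


def schedule_calls(arrivals, parallelism, duration):
    """Return the send time of each call under a sliding-window throttle.

    At most `parallelism` calls are sent in any half-open window of
    `duration` seconds. A call that would exceed the limit is delayed until
    the oldest call still counted in the window is `duration` seconds old.
    """
    if parallelism < 1 or duration <= 0:
        raise ValueError("parallelism must be >= 1 and duration must be > 0")
    window = deque()  # send times of the most recent `parallelism` calls
    sent = []
    for t in sorted(arrivals):
        if len(window) == parallelism:
            # Window is full: wait for the oldest call to age out.
            t = max(t, window.popleft() + duration)
        window.append(t)
        sent.append(t)
    return sent


def drain_time(count, parallelism, duration):
    """Seconds until the last of `count` simultaneously queued calls is sent."""
    sent = schedule_calls([0.0] * count, parallelism, duration)
    return sent[-1] if sent else 0.0


if __name__ == "__main__":
    # Constructed input: a burst of 12 calls queued at t=0, throttled with
    # the values from the example above (parallelism 5, duration 3 seconds).
    print(schedule_calls([0.0] * 12, parallelism=5, duration=3.0))
    # Same burst with the documented defaults (parallelism 3, duration 3 s).
    print(drain_time(12, parallelism=3, duration=3.0))
```

Under this model, a scheduled task or trigger that pushes many changes at once finishes later as parallelism drops or duration grows, which is worth weighing against the connector Timeout.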
Intune PKCS Profile
This section details how to configure the Intune PKCS Profile.
How to configure Intune PKCS Profile
1. Log in to Horizon Administration Interface.
2. Access Intune PKCS Profiles from the drawer or card: Third Parties > Intune PKCS > Profiles.
3. Click on .
4. Fill the mandatory fields.
General
- Name* (string input): Enter a meaningful profile name. It must be unique for each profile. Horizon uses the name to identify the profile.
- Enabled* (boolean): Whether the profile is enabled. Set at true by default.
- Max certificate per holder (int): When specified, defines the maximum number of active certificates for a given holder.
- PKI Connector (select): Select a PKI connector previously created.
- Intune PKCS Connector* (select): Select an Intune PKCS Connector previously created.
Crypto Policy
- Private key escrowing (boolean): Whether the private key is escrowed. Set at false by default.
- PKCS#12 Password generation mode* (select): Defines whether the PKCS#12 password is chosen by the user on the request (manual) or generated randomly (random).
- Password policy for PKCS#12 password* (select): Select a password policy previously created.
- Store encryption type (select): Select the encryption type from the list. If unsure, leave on default "DES_AVERAGE".
- Show PKCS#12 Password On Recover (boolean): Whether the PKCS#12 password should be displayed on recover. Activated with private key escrowing. Set to false by default.
- Show PKCS#12 On Recover (boolean): Whether the PKCS#12 should be displayed on recover. Activated with private key escrowing. Set to false by default.
Self Permissions
- Revoke (boolean): Grants the right to self revoke. Set by default at false.
- Request Revoke (boolean): Grants the right to self request revoke. Set by default at false.
- Update (boolean): Grants the right to self update. Set by default at false.
- Request Update (boolean): Grants the right to self request update. Set by default at false.
- Recover (boolean): Grants the right to self recover the certificate. Set by default at false.
- Request recover (boolean): Grants the right to self request recover. Set by default at false.
Triggers
Intune PKCS profiles support the use of third-party triggers in the form of callbacks on specific events happening on the profile, giving a way to synchronize the third party repositories and Horizon.
- Enrollment (select): Select the third party trigger(s) to call whenever a certificate is enrolled on this profile.
- Revocation (select): Select the third party trigger(s) to call whenever a certificate gets revoked on this profile.
- Expire (select): Select the third party trigger(s) to call whenever a certificate expires on this profile.
You can further configure the profile using the Common configuration profile and Notification tabs.
5. Click on the save button.
You can update or delete the Intune PKCS Profile.
You won’t be able to delete an Intune PKCS Profile if it is referenced in any other configuration element.
Intune PKCS Scheduled Tasks
This section details how to schedule tasks that will run periodically on your Intune PKCS profiles.
How to configure Intune PKCS Scheduled Tasks
1. Log in to Horizon Administration Interface.
2. Access Intune PKCS Scheduled Tasks from the drawer or card: Third Parties > Intune PKCS > Scheduled Tasks.
3. Click on .
4. Fill the mandatory fields.
- Enabled (boolean): Tells whether the Scheduled Task should be enabled. Set by default at true.
- Intune PKCS Profile* (select): Select an Intune PKCS profile previously created.
- Target Connector* (select): Select an Intune PKCS connector previously created.
- Cron scheduling (cron expression): By default set at every 5 hours.
- Enroll? (boolean): If enabled, will enroll all certificates from the third party repository. Set to false by default.
- Revoke? (boolean): If enabled, will revoke all certificates whose container was deleted from the third party repository. Set to false by default.
- Renew? (boolean): If enabled, will renew all certificates that are about to expire. Set to false by default.
- Dry run (boolean): If enabled, enrollment, revocation and renewal actions will not be performed. Instead, a message will be logged, explaining what would have been done.
5. Click on the save button.
You can run, update or delete the Scheduled Tasks.
Intune PKCS Trigger
This section details how to configure the Triggers that will run automatically on your Intune PKCS connectors.
How to configure Intune PKCS Trigger
1. Log in to Horizon Administration Interface.
2. Access Intune PKCS Triggers from the drawer or card: Third Parties > Intune PKCS > Triggers.
3. Click on .
4. Fill the mandatory fields.
- Name* (string input): Enter a meaningful trigger name. It must be unique for each trigger. Horizon uses the name to identify the trigger.
- Intune PKCS Connector* (select): Select an Intune PKCS connector previously created.
- Retries in case of error (int): Number of times to retry pushing the change to the Intune PKCS repository in case of error. Must be an integer between 1 and 15.
5. Click on the save button.
You can update or delete the Intune PKCS Trigger.
You won’t be able to delete an Intune PKCS Trigger if it is referenced in any other configuration element.