Intune PKCS Connector
This section details how to configure the Intune PKCS Connector.
How to configure Intune PKCS Connector
Configuring the Microsoft Certificate Connector
Before configuring the Intune PKCS connector, make sure you understand the workflow it implements, as explained in the introduction. Working with IntunePKCS requires the Microsoft Certificate Connector MSI to be installed on a Windows machine connected to the Internet. This connector is available from the Microsoft documentation.
1. Run the certificate connector MSI on the machine and click on "Configure now". Configure the connector to fit your infrastructure, but remember to only check the PKCS imported box whenever prompted. This step should end with a sign-in to Azure.
2. Retrieve the Horizon Key Manager from Horizon and upload it to the same machine where the Microsoft Certificate Connector was installed.
3. Open a command-line prompt as Administrator.
4. Generate an import key with the command-line tool:
$ PKCSImport.exe generate [KeyName]
Replace [KeyName] with the name you want to give the key. The next steps of this documentation assume the name is set to "PKCSImportKey".
5. Use the tool to export the generated key:
$ PKCSImport.exe export PKCSImportKey PKCSImportKey.pub
This exports the public part of the PKCS Import Key to the PKCSImportKey.pub file in base64 format. Only the public part is exported; it is the value you will paste into Horizon in the next part.
Configuring the IntunePKCS Connector in Horizon
This step assumes that the previous one has been followed completely. The only extra prerequisite for this step is to retrieve the Azure resource ID of the group that will be using the escrowed certificates. Note that the app registration used by Horizon must have the "DeviceManagementConfiguration.ReadWrite.All" permission granted by a tenant admin. Read more about that in the Microsoft documentation.
1. Log in to the Horizon Administration Interface.
2. Access Intune PKCS Connectors from the drawer or card.
3. Click on the button to add a new connector.
4. Fill in the mandatory fields.
General
- Name* (string input): Enter a meaningful connector name. It must be unique for each connector, as Horizon uses the name to identify the connector.
- Azure Tenant* (string input): The Azure tenant to connect to.
- App Registration Credentials* (select): Select the login credentials containing your app registration ID and secret key. The app registration must have the "DeviceManagementConfiguration.ReadWrite.All" permission granted by a tenant admin.
- Proxy (string select): The HTTP/HTTPS proxy to use.
- Timeout (finite duration): Set by default to 10 seconds. Must be a valid finite duration.
- Search Filter (string input): This value must be set to groups/{Azure AD group object ID}/members. This applies the PKCS Import policy to all the members of the referenced Azure AD group (the group object ID retrieved at the beginning of this step).
- Max stored certificates per holder (int): When specified, defines the maximum number of certificates kept in the third party for a given holder. For example, when set to 2, Intune stores the current certificate as well as the previous one (whether expired or revoked), so that the previous one can still be used to decrypt resources. When a third certificate is enrolled, the oldest one is flushed out of Intune.
Assets identification and management
- Key Name (string input): Enter the key name that was specified in the Horizon Key Manager (PKCSImportKey in the example).
- Key Type (select): Select one key type from the list. If the Horizon Key Manager was used, select RSA-2048.
- Provider Name (string input): Enter the provider name. If the Horizon Key Manager was used, leave it blank.
- Public Key (string input): Paste the base64 public key exported at step 5 of the previous part.
- Intended Purpose (select): Select one intended certificate usage from the list. For example, if the certificates escrowed through this connector are meant to encrypt email, select S/MIME.
Actors and renewal management
These configuration elements mainly define the number of interactions allowed with the remote service over a given period. For example, if the remote service must not be contacted more than 5 times per 3 seconds, Throttle parallelism holds the number of calls (5) and Throttle duration the period of time (3 seconds).
- Throttle duration* (finite duration): Set by default to 3 seconds. Must be a valid finite duration.
- Throttle parallelism* (int): Set by default to 3.
- Renewal period (finite duration): Must be a valid finite duration.
5. Click on the save button.
You can update or delete the Intune PKCS Connector.
You won’t be able to delete an Intune PKCS Connector if it is referenced in any other configuration element.
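To make the Throttle parallelism / Throttle duration semantics from the "Actors and renewal management" part concrete, here is an added sliding-window limiter that enforces "at most N calls in any window of D seconds" and replays a constructed sequence of call times through it. This is an illustration written for this page, not Horizon's own implementation; the class and function names (Throttle, simulate) and the injectable clock are assumptions made for the example.

```python
"""Sliding-window throttle illustrating the connector's Throttle parallelism /
Throttle duration settings: at most `parallelism` calls to the remote service
within any window of `duration` seconds. Added illustration, not Horizon code."""
import time
from collections import deque
from typing import Callable, Deque, List


class Throttle:
    def __init__(self, parallelism: int, duration: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if parallelism < 1 or duration <= 0:
            raise ValueError("parallelism must be >= 1 and duration must be > 0")
        self.parallelism = parallelism       # max calls per window (page example: 5)
        self.duration = duration             # window length in seconds (page example: 3)
        self._clock = clock                  # injectable so behaviour can be simulated
        self._calls: Deque[float] = deque()  # timestamps of calls still inside the window

    def _evict(self, now: float) -> None:
        # Drop timestamps that have aged out of the window.
        while self._calls and now - self._calls[0] >= self.duration:
            self._calls.popleft()

    def try_acquire(self) -> bool:
        """Record a call and return True if it is allowed right now, False if it
        would exceed the limit (the caller should wait and retry)."""
        now = self._clock()
        self._evict(now)
        if len(self._calls) >= self.parallelism:
            return False
        self._calls.append(now)
        return True

    def wait_time(self) -> float:
        """Seconds until the next call would be allowed (0.0 if allowed now)."""
        now = self._clock()
        self._evict(now)
        if len(self._calls) < self.parallelism:
            return 0.0
        return self.duration - (now - self._calls[0])


def simulate(parallelism: int, duration: float, call_times: List[float]) -> List[bool]:
    """Replay calls at the given timestamps (constructed sample input) through a
    Throttle driven by a fake clock and report which ones the limiter lets through."""
    current = {"t": 0.0}
    throttle = Throttle(parallelism, duration, clock=lambda: current["t"])
    results: List[bool] = []
    for t in call_times:
        current["t"] = t
        results.append(throttle.try_acquire())
    return results


if __name__ == "__main__":
    # Page example: the remote service must not be contacted more than 5 times per 3 seconds.
    times = [0.0, 0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.2]
    for t, ok in zip(times, simulate(5, 3.0, times)):
        print(f"t={t:.1f}s {'allowed' if ok else 'throttled'}")
```

With parallelism 5 and duration 3 seconds, the sixth call at 2.5 s is throttled, the call at 3.0 s is allowed again because the first timestamp has aged out of the window, and the call at 3.2 s is throttled once more. In a real client loop, `wait_time()` gives the sleep needed before retrying, which is how a connector keeps within the limit the remote service tolerates instead of getting rate-limited by it.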