IKEv2 + SCEP Cert VPN configurations via Intune to Android #2208
-
Currently, the managed profile is intended to provide the user certificate/key, which is automatically installed on the system. That assignment can't be changed later by the user.
What do you mean? What name? What JSON config?
Since passwords can be changed in the GUI, we could perhaps consider allowing users to select a different client certificate (or one at all if none was installed with the profile). But not sure how difficult that would be to implement considering that the certificates are currently fully managed.
-
@tobiasbrunner no, no EMM can deploy individualized configs which include the cert. The device/user certs are requested by the device using SCEP or some other mechanism. The EMM should never be able to see certificate/key of the device/user cert. This is also not specific only to Microsoft Intune.
-
Now that Android configs can be pushed via Intune, I was wondering if it was possible to create a profile which either:
a) Auto chooses the user cert
b) Allows the user to pick the user cert.
We have implemented SCEPMAN which pushes certs out to the Android devices fine. Each user's cert has a different name (the first part of their email address). This works well if a user creates a VPN from scratch and puts in all the connection details and chooses their cert.
My problem is
a) that each cert has a different name so I'm not sure what to put in the JSON config for this
b) Allow users to pick a cert. Currently they get the message 'This VPN profile is managed by your administrator and can't be modified'.
Any help would be greatly appreciated.