IKEv2 + SCEP Cert VPN configurations via Intune to Android

[Stuart-McGuire]

Now that Android configs can be pushed via Intune, I was wondering if it was possible to create a profile which either:
a) Auto chooses the user cert
b) Allows the user to pick the user cert.

We have implemented SCEPMAN which pushes certs out to the Android devices fine. Each user's cert has a different name (the first part of their email address). This works well if a user creates a VPN from scratch and puts in all the connection details and chooses their cert.

My problem is
a) that each cert has a different name so I'm not sure what to put in the JSON config for this
b) Allow users to pick a cert. Currently they get the message 'This VPN profile is managed by your administrator and can't be modified'.

Any help would be greatly appreciated.

[tobiasbrunner]

Currently, the managed profile is intended to provide the user certificate/key, which is automatically installed on the system. That assignment can't be changed later by the user.

a) that each cert has a different name so I'm not sure what to put in the JSON config for this

What do you mean? What name? What JSON config?

b) Allow users to pick a cert. Currently they get the message 'This VPN profile is managed by your administrator and can't be modified'.

Since passwords can be changed in the GUI, we could perhaps consider allowing users to select a different client certificate (or one at all if none was installed with the profile). But not sure how difficult that would be to implement considering that the certificates are currently fully managed.

[Stuart-McGuire]

Thank you for taking the time to reply.

Currently, the managed profile is intended to provide the user certificate/key, which is automatically installed on the system. That assignment can't be changed later by the user.

Ah, ok - I thought the managed profile linked to the cert which was already one the device, rather than provided it. I guess this means everyone shares the same cert?

What do you mean? What name? What JSON config?

The JSON config that is edited in the App Configuration Policy within Intune ( I assume this IS the managed profile then).

Since passwords can be changed in the GUI, we could perhaps consider allowing users to select a different client certificate (or one at all if none was installed with the profile). But not sure how difficult that would be to implement considering that the certificates are currently fully managed.

Ok - one to keep an eye out for then. :)

[tobiasbrunner]

Ah, ok - I thought the managed profile linked to the cert which was already one the device, rather than provided it. I guess this means everyone shares the same cert?

Why? Can't your management tool distribute individualized configs for each user?

The JSON config that is edited in the App Configuration Policy within Intune ( I assume this IS the managed profile then).

Ah, no idea how Intune works, so can't help you with that.

[maluueu]

@tobiasbrunner no, no EMM can deploy individualized configs which include the cert. The device/user certs are requested by the device using SCEP or some other mechanism. The EMM should never be able to see certificate/key of the device/user cert.
The only thing the EMM can include in the config is a reference to the on-device trust-store to let you know which certificate should be used. If this is not possible to do atm, the EMM integration seems to be broken/or at least missing support for EMM deployed device/user certs.

This is also not specific only to Microsoft Intune

[tobiasbrunner]

no, no EMM can deploy individualized configs which include the cert.

I don't think that's true. The company that provided the original patches clearly is able to do that in their EMM solution (they ship the PKCS#12 containers and the corresponding passwords via managed configuration, which allow the app to import the key/certificate into the KeyChain).

The only thing the EMM can include in the config is a reference to the on-device trust-store to let you know which certificate should be used.

That might be something to add in the future (i.e. allow configuring just an alias for the KeyChain).