1. Log in to your Azure account.

2. Add Intune

Go to Azure Active Directory → Mobility (MDM and MAM) → Add application, and add both 'Microsoft Intune' and 'Microsoft Intune Enrollment'.
You will need an Azure AD Premium license and Intune licenses for this.

Once the applications are added, click on 'Microsoft Intune' → set MDM user scope to All and MAM user scope to None, then click Save.
Now click on 'Microsoft Intune Enrollment' → set MDM user scope to None and click Save.

3. Update DNS

In order for the MDM discovery URL to be detected automatically from your users' email addresses, add the following CNAME records to your company domain's DNS:

  • CNAME EnterpriseEnrollment.(your_company_domain).com pointing to EnterpriseEnrollment-s.manage.microsoft.com, with a TTL of 1 hour
  • CNAME EnterpriseRegistration.(your_company_domain).com pointing to EnterpriseRegistration.windows.net, with a TTL of 1 hour
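After the records have propagated, it is worth confirming that both CNAMEs resolve to exactly the targets above, since a typo here silently breaks auto-discovery for every user. The following check is an added example, not part of the original page or Foxpass tooling: check_cnames takes a lookup callable so it can be run against a real resolver (dns_lookup below assumes the dnspython package is installed) or against the constructed SAMPLE_ANSWERS table. It normalises case and the trailing dot that resolvers append, which is the usual cause of false mismatches.

```python
import sys

# CNAME targets required by the enrollment instructions above (label -> target).
EXPECTED_CNAMES = {
    "enterpriseenrollment": "enterpriseenrollment-s.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}

# Constructed sample answers standing in for a resolver (not real DNS data):
# example.com is configured correctly; bad.example has one wrong target and
# one missing record.
SAMPLE_ANSWERS = {
    "enterpriseenrollment.example.com": "EnterpriseEnrollment-s.manage.microsoft.com.",
    "enterpriseregistration.example.com": "enterpriseregistration.windows.net.",
    "enterpriseenrollment.bad.example": "enterpriseenrollment.manage.microsoft.com.",
}


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot that resolvers add."""
    return name.strip().lower().rstrip(".")


def sample_lookup(fqdn):
    """Lookup against the constructed table; raises like a resolver would on NXDOMAIN."""
    try:
        return SAMPLE_ANSWERS[fqdn.lower()]
    except KeyError:
        raise LookupError(f"no CNAME record for {fqdn}")


def dns_lookup(fqdn):
    """Real CNAME lookup using dnspython (assumed installed: pip install dnspython)."""
    import dns.resolver  # imported lazily so the rest of the file stays stdlib-only
    answer = dns.resolver.resolve(fqdn, "CNAME")
    return answer[0].target.to_text()


def check_cnames(domain, lookup):
    """Return {fqdn: (ok, target_or_error)} for both MDM discovery records.

    `lookup(fqdn)` must return the CNAME target as a string or raise on failure.
    """
    results = {}
    for label, expected in EXPECTED_CNAMES.items():
        fqdn = f"{label}.{domain}"
        try:
            target = normalize(lookup(fqdn))
        except Exception as exc:  # NXDOMAIN, timeout, record of the wrong type, ...
            results[fqdn] = (False, f"lookup failed: {exc}")
            continue
        results[fqdn] = (target == expected, target)
    return results


def all_ok(results):
    """True only when every record resolved to the expected target."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    # Usage: python check_mdm_cnames.py your_company_domain.com
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    lookup = dns_lookup if len(sys.argv) > 1 else sample_lookup
    for fqdn, (ok, detail) in check_cnames(domain, lookup).items():
        print(f"{'OK ' if ok else 'BAD'} {fqdn} -> {detail}")
```

Run without arguments the script exercises the constructed table; with a domain argument it queries real DNS through dnspython. An A record or a redirect in place of the CNAME shows up as a lookup failure, not a match, which is the right outcome for an MDM discovery check.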

4. Configure Endpoint Manager

Go to the Microsoft Endpoint Manager admin center.

  • Go to Users → (your user) → Groups and assign the user to the appropriate groups.
  • Go to Users → (your user) → Licenses and assign all relevant licenses.

5. Create Configuration profiles

In the Endpoint Manager admin center, now go to Devices → Configuration profiles.

  • Create a new profile for Windows 10 using the Trusted certificate template and upload the Foxpass Client CA certificate (the one you downloaded from the SCEP page of the Foxpass console).
  • Create a second profile for Windows 10 using the Trusted certificate template and upload the Foxpass Server CA certificate (the one you received from us during onboarding).
  • Create another new profile for Windows 10 using the SCEP certificate template with these settings:

Certificate type: User
Subject name format: CN={{UserName}},E={{EmailAddress}}
Subject alternative name: add one attribute, Email address = {{EmailAddress}}
Certificate validity period: 1 year
Key storage provider (KSP): Enroll to software KSP
Key size (bits): 2048
Hash algorithm: SHA-2
Root certificate: select the Foxpass Client CA certificate from the first profile in this section
Extended key usage: add both of the following

  • Any Purpose (2.5.29.37.0)
  • Client Authentication (1.3.6.1.5.5.7.3.2)

Renewal threshold (%): 10
SCEP server URL: the Foxpass SCEP endpoint shown on the SCEP page of the Foxpass console

6. Create a new Azure AD application that can verify your Intune requests.

In the Azure Portal, go to App registrations and create a new registration.

You may name it Foxpass-Intune-Verification and select the option 'Accounts in this organizational directory only (Foxpass only - Single tenant)'. Then, from the list in App registrations, click on the newly created app.

Go to the "Manifest" section and update the "requiredResourceAccess" section to look like the following:

"requiredResourceAccess": [
    {
        "resourceAppId": "00000002-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",
                "type": "Role"
            }
        ]
    },
    {
        "resourceAppId": "c161e42e-d4df-4a3d-9b42-e7a3c31f59d4",
        "resourceAccess": [
            {
                "id": "39d724e8-6a34-4930-9a36-364082c35716",
                "type": "Role"
            }
        ]
    }
],

Now go to the "API permissions" section, click the 'Grant admin consent' button at the top of the permissions page and click 'Yes'.

  • Go to the 'Overview' section of your app and copy the Application (client) ID and the Directory (tenant) ID.
  • Go to the 'Certificates & secrets' section of your app and, under 'Client secrets', click the 'New client secret' button. Copy the secret value; this is your client secret.
  • Go to the SCEP page of the Foxpass console, click the 'Intune Settings' button, fill in the values from the two steps above and click Save.
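Hand-editing the manifest is error-prone: a permission entered as a delegated permission ("Scope") instead of an application permission ("Role"), or a mistyped GUID, produces an app that looks consented but cannot verify anything. The checker below is an added example, not part of the original page or of Foxpass's own code; it compares a downloaded manifest against the two (resourceAppId, role id) pairs listed above and also reports any additional application roles, which the app should not hold if it is to remain least-privilege. SAMPLE_MANIFEST is a constructed manifest with both mistakes so the output is visible offline.

```python
import json

# The two application roles the manifest above asks for: (resourceAppId, role id).
REQUIRED_ROLES = {
    ("00000002-0000-0000-c000-000000000000", "3afa6a7d-9b1a-42eb-948e-1650a849e176"),
    ("c161e42e-d4df-4a3d-9b42-e7a3c31f59d4", "39d724e8-6a34-4930-9a36-364082c35716"),
}

# Constructed sample manifest (not a real export). The Intune API entry was
# mistakenly added as a delegated permission ("Scope") instead of "Role", and an
# extra application role with a placeholder id was left in place.
SAMPLE_MANIFEST = """
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "Foxpass-Intune-Verification",
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {"id": "3AFA6A7D-9B1A-42EB-948E-1650A849E176", "type": "Role"},
        {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"}
      ]
    },
    {
      "resourceAppId": "c161e42e-d4df-4a3d-9b42-e7a3c31f59d4",
      "resourceAccess": [
        {"id": "39d724e8-6a34-4930-9a36-364082c35716", "type": "Scope"}
      ]
    }
  ]
}
"""


def application_roles(manifest):
    """Collect (resourceAppId, id) pairs of type 'Role' from a parsed manifest.

    GUIDs are lower-cased so that portal exports and hand edits compare equal.
    Delegated permissions (type 'Scope') are deliberately ignored: they do not
    authorise a daemon-style app that authenticates with a client secret.
    """
    found = set()
    for resource in manifest.get("requiredResourceAccess", []):
        app_id = str(resource.get("resourceAppId", "")).lower()
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Role":
                found.add((app_id, str(access.get("id", "")).lower()))
    return found


def check_manifest(manifest_text):
    """Return (missing, extra) relative to REQUIRED_ROLES.

    missing: required application roles absent from the manifest
    extra:   application roles beyond the two the page asks for
    """
    manifest = json.loads(manifest_text)
    found = application_roles(manifest)
    return REQUIRED_ROLES - found, found - REQUIRED_ROLES


def manifest_ok(manifest_text):
    """True only when exactly the two required roles are present."""
    missing, extra = check_manifest(manifest_text)
    return not missing and not extra


if __name__ == "__main__":
    # Usage: python check_manifest.py exported-manifest.json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    missing, extra = check_manifest(text)
    for app_id, role_id in sorted(missing):
        print(f"MISSING role {role_id} on resource {app_id} (check type is 'Role')")
    for app_id, role_id in sorted(extra):
        print(f"EXTRA   role {role_id} on resource {app_id} (remove unless needed)")
    print("manifest OK" if manifest_ok(text) else "manifest needs attention")
```

Download the manifest from the same "Manifest" blade after saving and run the script against it before granting admin consent; consenting to a manifest with extra roles grants those permissions tenant-wide until they are revoked.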

7. Test the enrollment

Test by enrolling a sample Windows 10 device: open Settings → Access work or school → Enroll only in device management → enter your company email and log in to Azure. This kicks off the enrollment process, which takes a little while.

If all goes well, you will now see your device enrolled both in Intune and on the SCEP page of the Foxpass console.

8. Create a Wireless Profile

The next step is to create a wireless profile that links the correct certificates to the correct SSID. Below is a sample screenshot (this one is for iOS devices, but the Windows and Android profiles are similar).