1. Log in to your Azure account and access Intune Endpoint Manager

📘

If you don't have Intune already set up, see our instructions here: Intune (Initial Setup)

2. Create a new Azure AD Application that can verify your Intune requests.

In your Azure Portal, go to App Registrations and create a new Registration.

You may name it Foxpass-Intune-Verification and select the option 'Accounts in this organizational directory only (<your directory name> only - Single tenant)'. Now, from the list in App Registrations, click on the newly created App.

Go to the "Manifest" section and update the "requiredResourceAccess" section so that it matches the following:

"requiredResourceAccess": [
    {
        "resourceAppId": "00000002-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",
                "type": "Role"
            }
        ]
    },
    {
        "resourceAppId": "c161e42e-d4df-4a3d-9b42-e7a3c31f59d4",
        "resourceAccess": [
            {
                "id": "39d724e8-6a34-4930-9a36-364082c35716",
                "type": "Role"
            }
        ]
    }
],

Now, go to the "API permissions" section, click the 'Grant admin consent' button at the top of the Permissions page and confirm with 'Yes'.

  • Go to the 'Overview' section of your App and copy the Application (client) ID and Directory (tenant) ID.
  • Go to the 'Certificates & secrets' section of your App and, under 'Client secrets', click the 'New client secret' button. Copy the secret value; this is your client secret.
  • Go to the Foxpass Console's SCEP page, click the 'Intune Settings' button, fill in the values from the two steps above and click Save.
3. Create Configuration profiles

In the Endpoint manager, now go to Devices → Configuration profiles

  1. Create a new profile for Windows 10 using the Trusted certificate template and upload the Foxpass Client CA cert in this client profile. (The CA can be downloaded by clicking 'Download CA', which is located under 'Client Certificate Authorities' on the SCEP page.) Please refer to the image below for the Client CA download location.

[Image: Foxpass Client CA download location on the SCEP page]

  2. Create a new profile for Windows 10 using the Trusted certificate template and upload the Foxpass Server CA cert in this server profile. (The CA can be downloaded by clicking the 'Download CA' button in the active CA section, which is located under 'Server Certificate Authorities' on the SCEP page.) Please refer to the image below for the Server CA download location.

[Image: Foxpass Server CA download location on the SCEP page]

  3. Create another new profile for Windows 10 using the SCEP certificate template with these settings:

🚧

You need to make sure that every user has an EmailAddress set in their Azure User Profile. If not, the SCEP profiles will not install.

  • Name: Foxpass SCEP
  • Certificate type: User
  • Subject name format: CN={{UserName}},E={{EmailAddress}}
  • Subject alternative name: add one attribute:
    • Email address as {{EmailAddress}}
  • Certificate validity period: Years = 1
  • Key storage provider: Enroll to software KSP
  • Key usage: Digital Signature
  • Key size: 2048
  • Hash algorithm: SHA2
  • Root certificate: select the Foxpass Client CA trusted certificate profile created in the first item of this section
  • Extended key usage: add both
    • Any Purpose (2.5.29.37.0) (optional)
    • Client Authentication (1.3.6.1.5.5.7.3.2)
  • Renewal threshold (%): 10
  • SCEP server URL: the Foxpass SCEP endpoint from the SCEP page

  4. Create a new Wi-Fi profile with these settings:
  • Name: Foxpass Wi-Fi
  • Network name: (your SSID)
  • Connect automatically: (your choice)
  • Hidden network: Disable
  • Security type: WPA/WPA2 Enterprise
  • Proxy settings: None
  • EAP type: EAP-TLS
  • Root certificates for server validation: (choose the Foxpass Server CA profile uploaded in the second item of this section)
  • Certificates: Foxpass SCEP

4. Now, test

Test by enrolling a sample Windows 10 device: Open Settings → Access work or school → Enroll device MDM → Enter your company email and proceed to log in to Azure. This will kick off the enrollment process, which takes a little while.

If all goes well, you will now be able to see your device enrolled both in Intune and on the Foxpass Console's SCEP page.
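To go beyond the enrollment-list check, the following PowerShell script (an added example, not Foxpass's own tooling) is run as the enrolled user on the test device and confirms that the profiles above actually landed: both CAs in a Root store, a client-authentication certificate whose subject carries both CN and E, a 2048-bit key in the software KSP, a SHA-2 signature and a chain ending at the Foxpass Client CA. It assumes the CA subjects contain 'Foxpass Client CA' and 'Foxpass Server CA'; adjust the patterns to your CA names.

```powershell
# Added example, not Foxpass's own tooling: run as the enrolled user on the
# Windows 10 device to confirm the profiles above were applied as intended.
# Assumption: the Foxpass CA subjects contain "Foxpass Client CA" and
# "Foxpass Server CA"; adjust the patterns to your actual CA names.
$ClientCaPattern = 'Foxpass Client CA'
$ServerCaPattern = 'Foxpass Server CA'
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'

# Trusted certificate profiles: both CAs must be present in a Root store.
foreach ($ca in $ClientCaPattern, $ServerCaPattern) {
    $found = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
             Where-Object { $_.Subject -like "*$ca*" }
    "$(if ($found) {'OK  '} else {'FAIL'}) trusted root present: $ca"
}

# SCEP profile: a user certificate with a private key and the Client Authentication EKU.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
}
if (-not $candidates) {
    "FAIL no client-auth certificate with a private key; check that the user's EmailAddress is set in Azure AD"
    return
}

foreach ($c in $candidates) {
    "--- $($c.Thumbprint)"
    # Subject name format CN={{UserName}},E={{EmailAddress}}: E= only appears when the
    # Azure AD user profile has an email address.
    $subjOk = ($c.Subject -match '(^|,\s*)CN=') -and ($c.Subject -match '(^|,\s*)E=')
    "$(if ($subjOk) {'OK  '} else {'FAIL'}) subject: $($c.Subject)"
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    "$(if ($rsa -and $rsa.KeySize -eq 2048) {'OK  '} else {'FAIL'}) key size: $($rsa.KeySize)"
    $sig = $c.SignatureAlgorithm.FriendlyName
    "$(if ($sig -match '^sha(256|384|512)') {'OK  '} else {'FAIL'}) hash algorithm: $sig"
    $days = [int]($c.NotAfter - $c.NotBefore).TotalDays
    "$(if ($days -ge 364 -and $days -le 366) {'OK  '} else {'WARN'}) validity: $days days"
    # Enroll to software KSP: the key should sit in the software provider, not a TPM or smart card.
    $priv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    $prov = if ($priv -is [System.Security.Cryptography.RSACng]) { $priv.Key.Provider.Provider } else { 'legacy CSP' }
    "$(if ($prov -like '*Software Key Storage Provider*') {'OK  '} else {'WARN'}) key provider: $prov"
    # Root certificate: the chain must end at the Foxpass Client CA selected in the SCEP profile.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # private CA; revocation checks are out of scope here
    $built  = $chain.Build($c)
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    $rootOk = $built -and ($root -like "*$ClientCaPattern*")
    "$(if ($rootOk) {'OK  '} else {'FAIL'}) chain root: $root"
}
```

A FAIL on the subject line with no E= component is the symptom of the missing EmailAddress warned about above, and a FAIL on the trusted root lines means the Trusted certificate profile did not reach the device.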