Intune - Android
Configure EAP-TLS on Foxpass
Please follow the EAP-TLS initial setup guide to create the client CA, server CA and SCEP endpoint if they are not configured already.
Configure Intune for Initial Setup
If you are configuring SCEP certificates for Android, Windows and macOS, you only need to follow the initial setup documentation once.
Please refer to the Intune for Initial Setup documentation to configure Intune initially.
Create Client CA profile
In Endpoint Manager, go to Devices → Configuration profiles. Create a new client CA profile for Android using Android Enterprise as the platform and Trusted certificate as the profile type.

Create profile
Give a name to your profile and click next.

Name your profile
Upload the client CA downloaded earlier.

Upload Client CA
Assign users and groups according to your use case. Review and create your profile.

Create profile
Create Server CA profile
Now create the server CA profile by repeating the steps you followed for the client CA profile. Remember to upload the server CA downloaded earlier.
Create a SCEP profile
Option 1: Certificate type - User
You need to make sure that every user has an EmailAddress set in their Azure User Profile. If not, the SCEP profiles will not install.
- Name: Foxpass SCEP
- Certificate type: User
- Subject name format: CN={{UserName}},E={{EmailAddress}}
- Subject alternative name: Add 1 attribute: Email address as {{EmailAddress}}
- Certificate Validity period: Years = 1
- Key usage: Digital Signature
- Key size: 4096
- Hash algorithm: SHA2
- Root certificate: Select Foxpass Client CA configured earlier.

Configure SCEP profile
- Extended key usage: Add both Any Purpose (2.5.29.37.0) (optional) and Client Authentication (1.3.6.1.5.5.7.3.2)
- Renewal threshold (%): 20
- SCEP server URL: Foxpass SCEP endpoint from the SCEP page.

Add users/groups per your use case. Review and create your profile.

Option 2: Certificate type - Device
To configure the Device certificate type, you have two options: either Sync devices from Azure on the Devices page, or select 'None' for the verification type when creating an SCEP endpoint on the SCEP page.
- Name: Foxpass SCEP
- Certificate type: Device
- Subject name format: CN={{AAD_Device_ID}}
- Subject Alternative Name: Leave it empty.
- Certificate Validity period: Years = 1
- Key storage provider: Enroll to software KSP
- Key usage: Digital Signature
- Key size: 4096
- Hash algorithm: SHA2
- Root certificate: Select the Foxpass Client CA certificate from the first item in this section.
- Extended key usage: Add both Any Purpose (2.5.29.37.0) (optional) and Client Authentication (1.3.6.1.5.5.7.3.2)
- Renewal threshold (%): 10
- SCEP server URL: Foxpass SCEP endpoint from the SCEP page
Create Wi-Fi profile
Create a Wi-Fi profile with platform as Android Enterprise and profile type as Wi-Fi.

Create Wi-Fi profile
- Wi-Fi type: Enterprise
- SSID: < Your SSID >
- EAP type: EAP-TLS
- Root certificate for server validation: Select a certificate profile > Select Server CA profile created earlier.
- Certificate: Select the SCEP profile created earlier.

Sample Wi-Fi Profile
Assign users/groups. Review and create profile.
Enroll Android device
Now enroll your Android device in Intune.
- Download and install the Intune Company Portal app from the Play Store.
- Follow the on-screen instructions. Refer to the sample screenshots below:







Your device will now appear as registered. If everything is configured correctly, a client certificate appears on your SCEP page and the device connects to the Wi-Fi network configured on your access point.

Client certificate
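To confirm that an issued client certificate actually carries the values set in the SCEP profile (key size 4096, SHA2, Digital Signature, Client Authentication EKU), the check below reads it with openssl. This is an added example, not Foxpass or Intune code; the function names, file paths and the self-signed sample certificate are constructed for illustration, and it assumes OpenSSL 1.1.1 or later and a PEM copy of the certificate.

```sh
# Added example (not Foxpass or Intune code): check an issued client
# certificate against the SCEP profile values from this page.
# Function names and file paths are hypothetical.

# Prints one line per mismatch; returns 0 only when every check passes,
# 1 on a mismatch, 2 if the file cannot be parsed as a certificate.
check_client_cert() {
  cc_rc=0
  cc_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
  printf '%s\n' "$cc_text" | grep -q 'Public-Key: (4096 bit)' \
    || { echo "key size is not 4096"; cc_rc=1; }
  printf '%s\n' "$cc_text" \
    | grep -Eiq 'Signature Algorithm: .*sha(224|256|384|512)' \
    || { echo "signature hash is not SHA-2"; cc_rc=1; }
  printf '%s\n' "$cc_text" | grep -A1 'X509v3 Key Usage' \
    | grep -q 'Digital Signature' \
    || { echo "key usage lacks Digital Signature"; cc_rc=1; }
  printf '%s\n' "$cc_text" | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)"; cc_rc=1; }
  return "$cc_rc"
}

# Constructed sample input: a self-signed stand-in for a certificate issued
# through the SCEP profile. Key size and EKU are parameters so that a
# non-matching certificate can be produced for comparison.
# usage: make_sample_cert <rsa-bits> <eku> <out.pem>
make_sample_cert() {
  openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 365 \
    -subj "/CN=constructed-device-id" \
    -keyout "$3.key" -out "$3" \
    -addext "keyUsage=digitalSignature" \
    -addext "extendedKeyUsage=$2" 2>/dev/null
}
```

Call `check_client_cert <file.pem>` on a certificate issued to an enrolled device; any line it prints names the profile setting that the certificate does not match.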