Intune - Android

Configure EAP-TLS on Foxpass

Please follow the EAP-TLS initial setup guide to create the client CA, server CA and SCEP endpoint if they are not configured already.

Configure Intune for Initial Setup

📘

If you are configuring SCEP certificates for Android, Windows and macOS, you only need to follow the initial setup documentation once.

Please refer to the Intune initial setup documentation to configure Intune before continuing.


Create Client CA profile

In Endpoint Manager, go to Devices → Configuration profiles. Create a new client CA profile for Android with Android Enterprise as the platform and Trusted certificate as the profile type.

Create profile

Give a name to your profile and click next.

Name your profile

Upload the client CA downloaded earlier. Make sure it is the client CA and not the server CA: this profile is the one the SCEP profile below references as its root certificate.

Upload Client CA

Assign users and groups according to your use case. Review and create your profile.

Create profile

Create Server CA profile

Now create the server CA profile by repeating the steps you followed for the client CA profile, this time uploading the server CA downloaded earlier.

Create a SCEP profile

Option 1: Certificate type - User

🚧

Every user must have an EmailAddress set in their Azure user profile. If it is missing, the SCEP profile will not install on that user's devices, because the subject name and SAN below both depend on {{EmailAddress}}.

  • Name: Foxpass SCEP
  • Certificate type: User
  • Subject name format: CN={{UserName}},E={{EmailAddress}}
  • Subject alternative name: Add 1 attribute: Email address as {{EmailAddress}}
  • Certificate Validity period: Years = 1
  • Key usage: Digital Signature
  • Key size: 4096
  • Hash algorithm: SHA2
  • Root certificate: Select Foxpass Client CA configured earlier.

Configure SCEP profile

  • Extended key usage: Add Client Authentication (1.3.6.1.5.5.7.3.2); Any Purpose (2.5.29.37.0) may optionally be added as well
  • Renewal threshold (%): 20
  • SCEP server URL: Foxpass SCEP endpoint from the SCEP page.

Add users/groups per your use case. Review and create your profile.


Option 2: Certificate type - Device

To use the Device certificate type, Foxpass must be able to verify the device named in the CSR. You have two options: either sync devices from Azure on the Devices page, or select 'None' as the verification type when creating the SCEP endpoint on the SCEP page. 'None' skips that verification entirely, so prefer the Azure device sync where possible.

  • Name: Foxpass SCEP
  • Certificate type: Device
  • Subject name format: CN={{AAD_Device_ID}}
  • Subject alternative name: Leave it empty.
  • Certificate Validity period: Years = 1
  • Key storage provider: Enroll to software KSP (this setting is only shown on Windows SCEP profiles; the Android Enterprise profile has no KSP option, so skip it there)
  • Key usage: Digital Signature
  • Key size: 4096
  • Hash algorithm: SHA2
  • Root certificate: Select the Foxpass Client CA profile created earlier in this guide
  • Extended key usage:
    • Client Authentication (1.3.6.1.5.5.7.3.2)
    • Any Purpose (2.5.29.37.0) (optional)
  • Renewal threshold (%): 10
  • SCEP server URL: Foxpass SCEP endpoint from the SCEP page
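Once a device has enrolled, the check a practitioner wants is that the certificate Intune obtained through SCEP actually matches the profile settings above: CN from the subject name format, the e-mail SAN (for the user certificate), Digital Signature key usage, Client Authentication EKU, a 4096-bit key, and issuance by the Foxpass client CA. The script below is an added example and not part of the Foxpass or Intune documentation. It builds a constructed throw-away CA standing in for the Foxpass client CA, issues two leaf certificates with openssl (one shaped like the Option 1 user certificate, one deliberately wrong), and runs the same check against both. The CA name, the user alice@example.com, the file names and the function names are assumptions; for a real device, export the enrolled certificate and the Foxpass client CA and pass them to check_scep_cert. Calling it without an e-mail address, as for the Option 2 device certificate whose SAN is empty, skips the SAN check.

```shell
#!/bin/sh
# Added example (not from the Foxpass or Intune docs): verify a SCEP-issued
# client certificate against the Intune SCEP profile settings on this page.
# Requires the openssl CLI (1.1.1 or newer).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_leaf NAME BITS SUBJECT EXTFILE: create a CSR and sign it with the
# sample client CA, the way the SCEP endpoint would for an enrolling device.
issue_leaf() {
  openssl req -new -newkey "rsa:$2" -nodes -sha256 -subj "$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/client-ca.pem" \
    -CAkey "$WORK/client-ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$4" -out "$WORK/$1.pem" 2>/dev/null
}

# Constructed sample PKI (assumption: names and users are made up for the demo).
make_sample_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Foxpass Client CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/client-ca.key" \
    -out "$WORK/client-ca.pem" 2>/dev/null

  # Leaf that mirrors Option 1: CN=UserName, E=EmailAddress, e-mail SAN,
  # Digital Signature, Client Authentication, 4096-bit key.
  cat > "$WORK/user.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:alice@example.com
EOF
  issue_leaf alice 4096 "/CN=alice/emailAddress=alice@example.com" "$WORK/user.ext"

  # Deliberately wrong leaf: 2048-bit key, serverAuth only, no SAN.
  cat > "$WORK/bad.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF
  issue_leaf bad 2048 "/CN=alice" "$WORK/bad.ext"
}

# check_scep_cert CERT CA CN [EMAIL] [MIN_BITS]
# Returns 0 when CERT chains to CA and carries what the SCEP profile should
# produce; otherwise prints the first failing check and returns 1.
check_scep_cert() {
  cert="$1"; ca="$2"; cn="$3"; email="${4:-}"; min_bits="${5:-4096}"

  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 1; }

  subject="$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)"
  case "$subject" in
    *"CN=$cn"*) ;;
    *) echo "FAIL: subject '$subject' lacks CN=$cn"; return 1 ;;
  esac

  text="$(openssl x509 -in "$cert" -noout -text)"
  bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
  [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] \
    || { echo "FAIL: key is ${bits:-unknown} bits, profile requires $min_bits"; return 1; }

  printf '%s\n' "$text" | grep -q 'Digital Signature' \
    || { echo "FAIL: key usage lacks Digital Signature"; return 1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)"; return 1; }

  if [ -n "$email" ]; then
    printf '%s\n' "$text" | grep -q "email:$email" \
      || { echo "FAIL: SAN lacks email:$email"; return 1; }
  fi
  echo "OK: $cert"
}

make_sample_pki
check_scep_cert "$WORK/alice.pem" "$WORK/client-ca.pem" alice alice@example.com
check_scep_cert "$WORK/bad.pem" "$WORK/client-ca.pem" alice alice@example.com || true
```

The checks grep the human-readable `openssl x509 -text` output, which is good enough for a one-off verification; for an automated gate, parse the extensions individually (for example with `openssl x509 -ext extendedKeyUsage`) so a string appearing in an unrelated field cannot satisfy a check.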

Create Wi-Fi profile

Create a Wi-Fi profile with platform as Android Enterprise and profile type as Wi-Fi.

Create Wi-Fi profile

  • Wi-Fi type: Enterprise
  • SSID: < Your SSID >
  • EAP type: EAP-TLS
  • Root certificate for server validation: Select a certificate profile, then pick the Server CA profile created earlier. This is the trust anchor the device uses to reject a rogue access point whose RADIUS server presents a certificate from a different CA.
  • Certificate: Select the SCEP profile created earlier.

Sample Wi-Fi Profile

Assign users/groups. Review and create profile.


Enroll Android device

Now enroll your Android device in Intune.

  • Download and install the Intune Company Portal app from the Play Store.
  • Follow the on-screen instructions. Refer to the sample screenshots below.

The device will appear as registered in Intune. If everything is configured correctly, a client certificate for the device shows up on the Foxpass SCEP page and the device connects to the Wi-Fi network configured on your access point. If the certificate never appears on the SCEP page, check the SCEP profile first (missing EmailAddress for user certificates, or an unverified device for device certificates); if it appears but the device does not connect, check the Wi-Fi profile's server CA and SSID.

Client certificate