Intune-Macbook

1. Configure Intune for Initial Setup

📘

If you are configuring SCEP certificates for both Windows and macOS, you only need to follow the initial setup documentation once

Please refer the Intune for Initial Setup documentation to configure the Intune initially.

2. Upload Apple MDM Push Certificate

  • In the Endpoint manager, now go to devices → macOS enrollment.

  • Click on Apple MDM Push Certificate.

  • A dialog box will open at the right side to configure MDM Push certificate.

    Configure MDM Push Certificate

    Configure MDM Push Certificate

  • Click on Download your CSR link.

    Download your CSR

    Download your CSR

  • Click on Create your MDM push certificate./

    Create your MDM push certificate

    Create your MDM push certificate

  • Sign in to your Apple account and click Create a certificate button.

    Create a certificate

    Create a certificate

  • Upload previously downloaded CSR.

    Upload CSR

    Upload CSR


  • You will see a confirmation message of certificate created. Click on 'Download' button.

    Download certificate

    Download certificate


  • Upload the downloaded certificate in Intune.

    Upload push certificate

    Upload push certificate

3. Create Configuration Profiles

Click 'Create'

Click 'Create'

Create a Client CA Profile

  • Create a new Client CA profile for macOS using the Trusted certificate template. Upload the Foxpass Client CA cert in the client profile. (The CA can be downloaded by clicking 'Download CA', which is located under 'Client Server Authorities' on the EAP-TLS)). Please refer to the image below for the Client CA download location. Follow the steps in Intune portal to create the profile.
Client CA

Foxpass Client CA

Review and Click Create profile

Review and Click Create profile

Create a Server CA profile

  • Create a new profile for macOS using the Trusted certificate template. Upload the Foxpass Server CA cert in the server profile. (The CA can be downloaded by clicking the 'Download CA' button in the active CA section, which is located under 'Server Certificate Authorities' on the EAP-TLS. Please refer to the image below for the Server CA download location.
Foxpass Server CA

Foxpass Server CA

Foxpass Server CA Profile

Foxpass Server CA Profile

Create a SCEP profile

  • Create another new profile for macOS using the SCEP certificate template with these settings:

🚧

You need to make sure that every user has an EmailAddress set in their Azure User Profile. If not, SCEP the profiles will not install.

  • Name: Foxpass SCEP

  • Certificate type: User

  • Subject name format: CN={{UserName}},E={{EmailAddress}}

  • Subject alternative name: Add 1 attribute:

    • Email address as {{EmailAddress}}
  • Certificate Validity period: Years: 1

  • Key usage: Digital Signature

  • Key size: 4096

  • Hash algorithm: SHA2

  • Root certificate: Select cert from Foxpass Client CA from first item in this section

  • Extended key usage: Add both

    • Any Purpose (2.5.29.37.0)* (optional)
    • Client Authentication (1.3.6.1.5.5.7.3.2)*
  • Renewal threshold (%): 10

  • SCEP server URL: Foxpass SCEP endpoint from the SCEP page

Sample SCEP Profile

Sample SCEP Profile

Create a Wi-Fi Profile

  • Go to Configuration Profiles of macOS devices > Create New Policy > Profile Type > Templates > Choose WiFi as the template name.
  • Name: Foxpass Wi-Fi
  • Wi-Fi Type - Enterprise
  • SSID -
  • Connect automatically: (your choice)
  • Hidden network: Disable
  • Security Type: WPA/WPA2 Enterprise
  • Proxy settings: None
  • EAP-Type: EAP-TLS
  • Root certificates for server validation: (Choose Foxpass Server CA uploaded previously in this step)
  • Client Authentication - Certificates: Foxpass SCEP
Review Wi-Fi profile

Review Wi-Fi profile

3. Now, setup your Macbook

  • Download and install Intune Company Portal from the App Store.
Install Company Portal

Install Company Portal

  • Open the Company Portal app and sign in. Click 'Begin' > Continue.
Click Begin

Click Begin

  • Click on the Download Profile.
  • Go to System settings > Profile > Management Profile
  • Install the management profile.
Install the management profile

Install the management profile

If all goes well, you will now be able to see your device enrolled in Intune and the Foxpass Console's EAP-TLS.

macoS device enrolled in Intune

macoS device enrolled in Intune

Foxpass SCEP - Intune

Client Certificate - Foxpass

You can see Foxpass Client CA, Server CA and Client Certificate in Keychain Access on your Macbook.

Certificate and CA's in Keychain Access

Certificate and CA's in Keychain Access

You can also see successful/unsuccessful logs on the RADIUS logs page.

RADIUS logs page

RADIUS logs page

Still having problems?

See https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/mem/intune/device-configuration/troubleshoot-wi-fi-profiles.md