GITBOOK-502: Update Device Cert. recommendations

scepman · Mar 14, 2024 · c63c79d · c63c79d
1 parent 89425e1
commit c63c79d
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 9 deletions.
diff --git a/docs/.gitbook/assets/2024-03-14 15_15_55-SCEP .png b/docs/.gitbook/assets/2024-03-14 15_15_55-SCEP .png
diff --git a/docs/.gitbook/assets/2024-03-14 15_18_35.png b/docs/.gitbook/assets/2024-03-14 15_18_35.png
diff --git a/docs/.gitbook/assets/2024-03-14 15_39_42.png b/docs/.gitbook/assets/2024-03-14 15_39_42.png
diff --git a/docs/certificate-deployment/microsoft-intune/macos.md b/docs/certificate-deployment/microsoft-intune/macos.md
@@ -47,19 +47,23 @@ In this section we are setting up a device certificate.
 
 <details>
 
-<summary>Subject name format: <code>CN={{DeviceId}}</code> or <code>CN={{AAD_Device_ID}}</code></summary>
+<summary>Subject name format: <code>CN={{DeviceName}}</code> or <code>CN={{DeviceId}}</code> or <code>CN={{AAD_Device_ID}}</code></summary>
 
-SCEPman uses the CN field of the subject to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs:
+If configured to `CN={{DeviceId}}` or `CN={{AAD_Device_ID}}`,  SCEPman uses the CN field of the subject name to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs:
 
-* \{{DeviceId\}}: This ID is generated and used by Intune **(Recommended)**\
+* `{{DeviceName}}:` **(Recommended)**, in order to have a meaningful name of the certificate on the device or by looking for a certificate.
+* `{{DeviceId}}`: This ID is generated and used by Intune.\
   \
   (requires SCEPman 2.0 or higher and [#appconfig-intunevalidation-devicedirectory](../../scepman-configuration/optional/application-settings/intune-validation.md#appconfig-intunevalidation-devicedirectory "mention") to be set to **Intune** or **AADAndIntune**)
 
 <!---->
 
-* \{{AAD\_Device\_ID\}}: This ID is generated and used by Microsoft Entra ID (Azure AD).\
-  \
-  (Note: When using Automated Device Enrollment via Apple Business Manager, this ID might change during device setup. If so, SCEPman might not be able to identify the device afterwards. The certificate would become invalid in that case.)
+* `{{AAD_Device_ID}}`: This ID is generated and used by Microsoft Entra ID (Azure AD).\
+  **Note:** When using Automated Device Enrollment via Apple Business Manager, this ID might change during device setup. If so, SCEPman might not be able to identify the device afterwards. The certificate would become invalid in that case.
+
+In case any other variable is used for the CN field (e.g. `CN={{DeviceName}}`, SCEPman will identify the device based on the Intune Device ID (`(URI)Value:`   `IntuneDeviceId://{{DeviceId}}`) provided in the subject alternative name (SAN).
+
+**Important:** The choice of the CN field affects the [automatic revocation behavior](../manage-certificates.md#automatic-revocation) of certificates issued to your Intune-managed devices.
 
 You can add other RDNs if needed (e.g.: `CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}`). Supported variables are listed in the [Microsoft docs](https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#create-a-scep-certificate-profile).
 
@@ -145,7 +149,7 @@ With our stated settings, we fulfill [Apples certificate requirements](https://s
 
 ### Example
 
-![](../../.gitbook/assets/2022-04-05macOSDevice.png)
+<figure><img src="../../.gitbook/assets/2024-03-14 15_39_42.png" alt=""><figcaption></figcaption></figure>
 
 * [ ] Now you can deploy this profile to your devices. Please choose the same group/s for assignment as for the Trusted certificate profile.
 

diff --git a/docs/certificate-deployment/microsoft-intune/windows-10.md b/docs/certificate-deployment/microsoft-intune/windows-10.md
@@ -47,13 +47,14 @@ In this case we are setting up a device certificate
 
 **Optional:** If configured to `CN={{DeviceId}}` or `CN={{AAD_Device_ID}}`,  SCEPman uses the CN field of the subject name to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs:
 
-* `{{DeviceId}}`: This ID is generated and used by Intune **(Recommended)**\
+* `{{DeviceId}}`: This ID is generated and used by Intune.\
   \
   (requires SCEPman 2.0 or higher and [#appconfig-intunevalidation-devicedirectory](../../scepman-configuration/optional/application-settings/intune-validation.md#appconfig-intunevalidation-devicedirectory "mention") to be set to **Intune** or **AADAndIntune**)
 
 <!---->
 
 * `{{AAD_Device_ID}}`: This ID is generated and used by Microsoft Entra ID (Azure AD).
+* `{{DeviceName}}:`` `**`(Recommended)`**, in order to have a meaningful name of the certificate on the device or by looking for a certificate.
 
 In case any other variable is used for the CN field (e.g. `CN={{DeviceName}}`, SCEPman will identify the device based on the Intune Device ID (`(URI)Value:`   `IntuneDeviceId://{{DeviceId}}`) provided in the subject alternative name (SAN).
 
@@ -168,7 +169,7 @@ https://scepman.contoso.com/certsrv/mscep/mscep.dll
 
 ### Example
 
-<figure><img src="../../.gitbook/assets/Screenshot 2022-09-13 at 19.05.15 1.png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/2024-03-14 15_18_35.png" alt=""><figcaption></figcaption></figure>
 
 * [ ] Now you can deploy this profile to your devices. Please choose the same group/s for assignment as for the Trusted certificate profile.
 
@@ -208,6 +209,8 @@ Based on customer feedback, it appears that some VPN clients (e.g., Azure VPN Cl
 
 ### Example
 
+
+
 <figure><img src="../../.gitbook/assets/Screenshot 2022-09-14 at 09.55.05.png" alt=""><figcaption></figcaption></figure>
 
 ## User Digital Signature Certificate