diff --git a/docs/.gitbook/assets/2024-03-14 15_15_55-SCEP .png b/docs/.gitbook/assets/2024-03-14 15_15_55-SCEP .png new file mode 100644 index 0000000..c1e5303 Binary files /dev/null and b/docs/.gitbook/assets/2024-03-14 15_15_55-SCEP .png differ diff --git a/docs/.gitbook/assets/2024-03-14 15_18_35.png b/docs/.gitbook/assets/2024-03-14 15_18_35.png new file mode 100644 index 0000000..34843fd Binary files /dev/null and b/docs/.gitbook/assets/2024-03-14 15_18_35.png differ diff --git a/docs/.gitbook/assets/2024-03-14 15_39_42.png b/docs/.gitbook/assets/2024-03-14 15_39_42.png new file mode 100644 index 0000000..7a5588c Binary files /dev/null and b/docs/.gitbook/assets/2024-03-14 15_39_42.png differ diff --git a/docs/certificate-deployment/microsoft-intune/macos.md b/docs/certificate-deployment/microsoft-intune/macos.md index 7e75c21..a250e7c 100644 --- a/docs/certificate-deployment/microsoft-intune/macos.md +++ b/docs/certificate-deployment/microsoft-intune/macos.md @@ -47,19 +47,23 @@ In this section we are setting up a device certificate.
-Subject name format: CN={{DeviceId}} or CN={{AAD_Device_ID}} +Subject name format: CN={{DeviceName}} or CN={{DeviceId}} or CN={{AAD_Device_ID}} -SCEPman uses the CN field of the subject to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs: +If configured to `CN={{DeviceId}}` or `CN={{AAD_Device_ID}}`, SCEPman uses the CN field of the subject name to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs: -* \{{DeviceId\}}: This ID is generated and used by Intune **(Recommended)**\ +* `{{DeviceName}}:` **(Recommended)**, in order to have a meaningful name of the certificate on the device or by looking for a certificate. +* `{{DeviceId}}`: This ID is generated and used by Intune.\ \ (requires SCEPman 2.0 or higher and [#appconfig-intunevalidation-devicedirectory](../../scepman-configuration/optional/application-settings/intune-validation.md#appconfig-intunevalidation-devicedirectory "mention") to be set to **Intune** or **AADAndIntune**) -* \{{AAD\_Device\_ID\}}: This ID is generated and used by Microsoft Entra ID (Azure AD).\ - \ - (Note: When using Automated Device Enrollment via Apple Business Manager, this ID might change during device setup. If so, SCEPman might not be able to identify the device afterwards. The certificate would become invalid in that case.) +* `{{AAD_Device_ID}}`: This ID is generated and used by Microsoft Entra ID (Azure AD).\ + **Note:** When using Automated Device Enrollment via Apple Business Manager, this ID might change during device setup. If so, SCEPman might not be able to identify the device afterwards. The certificate would become invalid in that case. + +In case any other variable is used for the CN field (e.g. 
`CN={{DeviceName}}`, SCEPman will identify the device based on the Intune Device ID (`(URI)Value:` `IntuneDeviceId://{{DeviceId}}`) provided in the subject alternative name (SAN). + +**Important:** The choice of the CN field affects the [automatic revocation behavior](../manage-certificates.md#automatic-revocation) of certificates issued to your Intune-managed devices. You can add other RDNs if needed (e.g.: `CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}`). Supported variables are listed in the [Microsoft docs](https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#create-a-scep-certificate-profile). @@ -145,7 +149,7 @@ With our stated settings, we fulfill [Apples certificate requirements](https://s ### Example -![](../../.gitbook/assets/2022-04-05macOSDevice.png) +
* [ ] Now you can deploy this profile to your devices. Please choose the same group/s for assignment as for the Trusted certificate profile. diff --git a/docs/certificate-deployment/microsoft-intune/windows-10.md b/docs/certificate-deployment/microsoft-intune/windows-10.md index 0f17549..1d6fd00 100644 --- a/docs/certificate-deployment/microsoft-intune/windows-10.md +++ b/docs/certificate-deployment/microsoft-intune/windows-10.md @@ -47,13 +47,14 @@ In this case we are setting up a device certificate **Optional:** If configured to `CN={{DeviceId}}` or `CN={{AAD_Device_ID}}`, SCEPman uses the CN field of the subject name to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs: -* `{{DeviceId}}`: This ID is generated and used by Intune **(Recommended)**\ +* `{{DeviceId}}`: This ID is generated and used by Intune.\ \ (requires SCEPman 2.0 or higher and [#appconfig-intunevalidation-devicedirectory](../../scepman-configuration/optional/application-settings/intune-validation.md#appconfig-intunevalidation-devicedirectory "mention") to be set to **Intune** or **AADAndIntune**) * `{{AAD_Device_ID}}`: This ID is generated and used by Microsoft Entra ID (Azure AD). +* `{{DeviceName}}:`` `**`(Recommended)`**, in order to have a meaningful name of the certificate on the device or by looking for a certificate. In case any other variable is used for the CN field (e.g. `CN={{DeviceName}}`, SCEPman will identify the device based on the Intune Device ID (`(URI)Value:` `IntuneDeviceId://{{DeviceId}}`) provided in the subject alternative name (SAN). @@ -168,7 +169,7 @@ https://scepman.contoso.com/certsrv/mscep/mscep.dll ### Example -
+
* [ ] Now you can deploy this profile to your devices. Please choose the same group/s for assignment as for the Trusted certificate profile. @@ -208,6 +209,8 @@ Based on customer feedback, it appears that some VPN clients (e.g., Azure VPN Cl ### Example + +
## User Digital Signature Certificate
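Review bot: in the macos.md subject-name hunk (`@@ -47,19 +47,23`) the lead sentence still says Microsoft Entra ID (Azure AD) and Intune "offer two different IDs:", but the list now carries three bullets, and the new first bullet, `{{DeviceName}}`, is a display name rather than an ID. Move the `{{DeviceName}}` recommendation out of the ID list into the following "In case any other variable is used" paragraph, which is where its behaviour is actually described (identification via the SAN URI `IntuneDeviceId://{{DeviceId}}`), and state there that the SAN must carry that Intune Device ID URI whenever `CN={{DeviceName}}` is used, since the "Important" line in the same hunk says the CN choice drives automatic revocation and a device SCEPman cannot identify ends up with a certificate it treats as invalid. Two smaller points in the same hunk: the added sentence "(e.g. `CN={{DeviceName}}`, SCEPman will identify" never closes the parenthesis, and the bullet wording "or by looking for a certificate" is unclear (likely "or when searching for a certificate").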
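Review bot: the macos.md `### Example` hunk (`@@ -145,7 +149,7`) removes `![](../../.gitbook/assets/2022-04-05macOSDevice.png)` but the `+` replacement line shows as empty in the diff as presented, so confirm the new figure markup was actually committed. The new binary assets it is meant to reference have spaces in their paths, one of them even before the extension (`docs/.gitbook/assets/2024-03-14 15_15_55-SCEP .png`); rename them without spaces (or URL-encode the reference) so the GitBook image links resolve reliably.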
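Review bot: the added `{{DeviceName}}` bullet in windows-10.md (`@@ -47,13 +47,14`) has broken inline markup, `{{DeviceName}}:`` `**`(Recommended)`**`: stray double backticks, and the "(Recommended)" label wrapped in both code and bold. Write it the same way as the macos.md hunk, e.g. ``* `{{DeviceName}}`: **(Recommended)**, ...``. The same mismatch between "offer two different IDs:" and three bullets applies here, and the bullet is appended last on this page while it comes first on macos.md; pick one order and one wording for both pages. The unchanged context line directly below also carries the unclosed parenthesis after `CN={{DeviceName}}`, worth fixing while this paragraph is being touched.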
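Review bot: in the windows-10.md `### Example` hunk (`@@ -168,7 +169,7`) both the removed and the added line show as empty in the diff as presented, so it is not possible to tell from the hunk which asset replaces which; verify the figure markup and that it points at one of the newly added assets rather than a path that no longer exists.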
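Review bot: the hunk under the VPN-client `### Example` heading (`@@ -208,6 +209,8`) adds two lines that show as empty in the diff as presented; if a figure was intended, the markup did not come through and should be re-added, and if that section intentionally has no example yet, drop the empty addition rather than leaving a blank placeholder under the heading.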