GITBOOK-644: Enrolling to Intune-managed Linux devices

docs/.gitbook/includes/enrollment-rest-api-app-registration.md

@@ -0,0 +1,35 @@
+---
+title: Enrollment REST API - App Registration
+---
+
+{% stepper %}
+{% step %}
+## App Registration
+
+Create a new _App Registration_ that describes your use case. You application will authenticate as this application against SCEPman.
+{% endstep %}
+
+{% step %}
+## API Permission
+
+Assign the required permissions by running the **Register-SCEPmanApiClient** cmdlet from the SCEPman PowerShell module.
+
+Example: 
+
+```powershell
+Register-SCEPmanApiClient -ServicePrincipalId 830532c6-9f7b-4bc8-8f3e-43443344ab2d
+```
+
+### ServicePrincipalId
+
+The _**Object ID**_ of the complementing _**Enterprise Application**_ of the App Registration we created in the previous step. Note that this does not refer to the Enterprise Application usually named SCEPman-api, which identifies SCEPman itself.
+
+To manually assign this permission you can navigate to _API Permissions_ and add a permission from the _permissions your organization uses_. Assign the _**CSR.Request.Db**_ permission from _**SCEPman-api**_ as an _application permission_.
+{% endstep %}
+
+{% step %}
+## Client Secret
+
+Create a client secret as a password to authenticate the application later.
+{% endstep %}
+{% endstepper %}

docs/.gitbook/includes/enrollment-rest-api-app-service-settings.md

@@ -0,0 +1,39 @@
+---
+title: Enrollment REST API - App Service Settings
+---
+
+### Configuration
+
+_Required for certificate renewal_
+
+Configure your SCEPman App Service to accept mTLS client certificates. In the Configuration blade of the Settings section, verify that the Client certificate mode in Incoming client certificates is set to _**Optional**_.
+
+<figure><img src="../assets/image (75).png" alt=""><figcaption></figcaption></figure>
+
+Do not set the Client certificate mode to Require or Allow, as that would break normal operation of SCEPman on the SCEP endpoints!
+
+
+
+### Environment Variables
+
+In order to make use of this scenario, you must set the following Environment Variables on the SCEPman app service.
+
+### [AppConfig:DbCSRValidation:Enabled](https://docs.scepman.com/advanced-configuration/application-settings/dbcsr-validation#appconfig-dbcsrvalidation-enabled)
+
+_Required for certificate enrollment and renewal_
+
+Set this variable to _**true**_ to enable the validation of certificate signing requests (CSRs).
+
+### [AppConfig:DbCSRValidation:AllowRenewals](https://docs.scepman.com/advanced-configuration/application-settings/dbcsr-validation#appconfig-dbcsrvalidation-allowrenewals)
+
+_Required for certificate renewal_
+
+Set this variable to _**true**_ to enable certificate renewals.
+
+### [AppConfig:DbCSRValidation:ReenrollmentAllowedCertificateTypes](https://docs.scepman.com/advanced-configuration/application-settings/dbcsr-validation#appconfig-dbcsrvalidation-reenrollmentallowedcertificatetypes)
+
+_Required for certificate renewal_
+
+Set this variable to a comma separated list of certificate types that you want to allow the renewal. See the linked variable documentation for a list of possible certificate types.
+
+Example: _**Static,IntuneUser,IntuneDevice**_

docs/.gitbook/includes/enrollment-rest-api-client-prerequisites.md

@@ -0,0 +1,17 @@
+---
+title: Enrollment REST API - Client Prerequisites
+---
+
+The following prerequisites must be present on the executing client/host to be able to use the Enrollment REST API.
+
+### [**Azure CLI**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) **( version 2.61 and above)**
+
+The Azure CLI is used to authenticate the enrolling user to check their eligibility and to retrieve the access token.
+
+### cURL
+
+Used to send the created CSR to the SCEPman Enrollment API Endpoint and receive certificate.
+
+### OpenSSL
+
+OpenSSL is used to generate a private key and create a CSR for enrolling or renewing a certificate.

docs/.gitbook/includes/enrollment-rest-api-self-service-enrollment.md

@@ -0,0 +1,9 @@
+---
+title: Enrollment REST API - Self Service Enrollment
+---
+
+To enroll certificates, users must be authenticated to verify their eligibility. Follow this guide for step-by-step instructions on how to set this up
+
+{% content-ref url="../../certificate-deployment/api-certificates/self-service-enrollment.md" %}
+[self-service-enrollment.md](../../certificate-deployment/api-certificates/self-service-enrollment.md)
+{% endcontent-ref %}

docs/SUMMARY.md

@@ -33,6 +33,7 @@
   * [macOS](certificate-deployment/microsoft-intune/macos.md)
   * [Android](certificate-deployment/microsoft-intune/android.md)
   * [iOS/iPadOS](certificate-deployment/microsoft-intune/ios.md)
+  * [Linux](certificate-deployment/microsoft-intune/linux.md)
 * [Jamf Pro](certificate-deployment/jamf/README.md)
   * [General Configuration](certificate-deployment/jamf/general.md)
   * [Computers](certificate-deployment/jamf/computers.md)
@@ -53,9 +54,13 @@
   * [SOTI MobiControl](certificate-deployment/static-certificates/soti-mobicontrol.md)
 * [Domain Controller Certificates](certificate-deployment/domain-controller-certificates.md)
 * [Enrollment REST API](certificate-deployment/api-certificates/README.md)
+  * [Use Cases](certificate-deployment/api-certificates/use-cases/README.md)
+    * [Intune-managed Linux Client](certificate-deployment/api-certificates/use-cases/intune-managed-linux-client.md)
+    * [Non-Intune-managed Linux Client](certificate-deployment/api-certificates/use-cases/non-intune-managed-linux-client.md)
+    * [Linux Server](certificate-deployment/api-certificates/use-cases/linux-server.md)
+    * [Windows Server](certificate-deployment/api-certificates/use-cases/windows-server.md)
   * [Self Service Enrollment](certificate-deployment/api-certificates/self-service-enrollment.md)
-  * [Renewal Script](certificate-deployment/api-certificates/renewal-script.md)
-  * [Linux Enrollment Guide](certificate-deployment/api-certificates/linux-enrollment-guide.md)
+  * [API Enrollment](certificate-deployment/api-certificates/api-enrollment.md)
 * [Manage Certificates](certificate-deployment/manage-certificates.md)
 
 ## Advanced Configuration

docs/certificate-deployment/api-certificates/README.md

@@ -1,23 +1,16 @@
 # Enrollment REST API
 
-{% hint style="info" %}
-This feature requires version **2.3.689** or above.
-{% endhint %}
-
 {% hint style="warning" %}
 SCEPman Enterprise Edition only
 {% endhint %}
 
 SCEPman features a REST API to enroll certificates. This is an alternative to the SCEP endpoints that require the SCEP-style of authentication, while the REST API uses Microsoft Identities for authentication. The protocol is also much simpler than SCEP.
 
-You need to add a service identity to the Role _CSR.Request.Db_ of the Enterprise App _scepman-api_. If this role does not exist yet but only CSR.Request, you must run the CMDlet Complete-ScepmanInstallation from the [SCEPman Powershell Module (at least version 1.8.10)](https://www.powershellgallery.com/packages/SCEPman) once again to get it. The service identity is then permitted to use the SCEPman certificate enrollment REST API. The easiest way to add a service identity to this role is to call `Register-SCEPmanApiClient -ServicePrincipalId 00000000-0000-0000-0000-000000000000 6>&1` from the [SCEPman PowerShell module](https://www.powershellgallery.com/packages/SCEPman/) version 1.10 and above, where _00000000-0000-0000-0000-000000000000_ in the example is the Object Id of your service principal (e.g. Managed Identity or Enterprise Application).
-
-In SCEPman, you must enabling the feature by setting [AppConfig:DbCSRValidation:Enabled](../../scepman-configuration/optional/application-settings/dbcsr-validation.md) to _true_.
 
-Then you can POST a PKCS#10/CMS to your SCEPman with the HTTP path _api/csr_. The HTTP Response will be the freshly issued certificate in DER encoding.
 
-SCEPman will store all issued certificates automatically in its Storage Account, so you can conveniently list and revoke them via the Certificate Master component.
+See our use cases for step-by-step guides on how to use this feature:
 
-## Examples
+{% content-ref url="../../use-cases.md" %}
+[use-cases.md](../../use-cases.md)
+{% endcontent-ref %}
 
-See our [Open Source Sample Library on GitHub](https://github.com/scepman/csr-request) to find out how to use SCEPman's REST API.

docs/certificate-deployment/api-certificates/api-enrollment.md

@@ -0,0 +1,36 @@
+# API Enrollment
+
+{% hint style="info" %}
+This feature requires version **2.3.689** or above.
+{% endhint %}
+
+{% hint style="warning" %}
+SCEPman Enterprise Edition only
+{% endhint %}
+
+SCEPman features a REST API to enroll certificates. This is an alternative to the SCEP endpoints that require the SCEP-style of authentication, while the REST API uses Microsoft Identities for authentication. The protocol is also much simpler than SCEP.
+
+## Prerequisites
+
+### 1. Service Principal
+
+{% include "../../.gitbook/includes/enrollment-rest-api-app-registration.md" %}
+
+### 2. App Service Settings
+
+{% include "../../.gitbook/includes/enrollment-rest-api-app-service-settings.md" %}
+
+
+
+## Enrolling certificates
+
+After you have prepared the prerequisites, you can POST a PKCS#10/CMS to your SCEPman with the HTTP path _api/csr_. The HTTP Response will be the freshly issued certificate in DER encoding.
+
+SCEPman will store all issued certificates automatically in its Storage Account, so you can conveniently list and revoke them via the Certificate Master component.
+
+
+
+## Examples
+
+See our [Open Source Sample Library on GitHub](https://github.com/scepman/csr-request) to find out how to use SCEPman's REST API.
+

docs/certificate-deployment/api-certificates/self-service-enrollment.md

@@ -24,6 +24,10 @@ You can create role assignments for users and groups in the SCEPman-api Enterpri
 
 A user with the self-service role can only enroll certificates with the following attributes. (These are the same as the attributes you would select when enrolling certificates via a SCEP profile in [Intune ](../microsoft-intune/)for instance). The certificate's validity will be tied to the device object in Intune or Entra Id or to the user object in Entra Id, analogously to Intune-enrolled certificates.
 
+{% hint style="info" %}
+If you are using the pre-supplied enrollment script from our [Section Use Cases](../../use-cases.md), it will automatically generate a request according to these requirements.
+{% endhint %}
+
 ### Device Certificates
 
 Either the Subject Alternative Name (SAN) must include `IntuneDeviceID://<IntuneDeviceId>` as an URI, where `<IntuneDeviceId>` without the curly braces is the Device Id of the device in Intune. Or the CN field of the Subject must be the Entra ID device ID or the Intune Device Id.
@@ -33,9 +37,3 @@ Either the Subject Alternative Name (SAN) must include `IntuneDeviceID://<Intune
 ### User Certificates
 
 <table><thead><tr><th width="221">Field</th><th>Value</th></tr></thead><tbody><tr><td>Subject</td><td><code>CN=&#x3C;DisplayName></code></td></tr><tr><td>SAN (Other Name/UPN)</td><td><code>&#x3C;UserPrincipalName></code></td></tr><tr><td>Basic Constraints</td><td><code>Subject Type=End Entity</code></td></tr><tr><td>EKUs</td><td><code>Client Authentication, 1.3.6.1.5.5.7.3.2</code></td></tr></tbody></table>
-
-## Requesting the Certificate
-
-On Linux, follow the instructions of the [Linux Enrollment Guide](linux-enrollment-guide.md).
-
-For other plattforms, follow our general instructions for using the [Enrollment REST API](./).