Adding an Intune device manager

Configure Microsoft™ Intune as your device manager.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Verify administration console as an Administrator.
Note: Each tenant that requires mTLS authentication must have the following:
  • A vanity host name configured. See Obtaining a vanity hostname.
  • The tenant's root and intermediate CA certificates uploaded to the edge infrastructure (Akamai) for the vanity hostname.
Devices authenticate directly to the tenant's vanity hostname by using their client certificates. The following endpoints are used.
  • Authentication: https://{vanity-hostname}/v1.0/mdm/mtls
  • SCEP operations: https://{vanity-hostname}/v1.0/mdm/scep

About this task

Supported operating systems
  • Windows 8.1 and later
  • MacOS 10.13 and later
Trust model
Verify acts as a SCEP Certificate Authority (CA) and issues client certificates to enrolled devices. The root certificate, intermediate certificate, and SCEP certificate profiles you configure enable this certificate issuance process.

For mutual TLS authentication (mTLS), when a device attempts to authenticate, it presents its client certificate to Verify. The certificate is validated against the Verify CA to establish cryptographic trust and verify device identity.

After successful certificate validation, Verify uses the configured permissions to query the Microsoft Graph API to retrieve real-time device posture and compliance information from Intune. This core compliance information includes:
  • Device compliance state (compliant/non-compliant/unknown). When a device becomes non-compliant in Intune, the certificate itself is not automatically revoked. After each cache timeout expiration for user and device information, IBM Verify queries Microsoft Graph API to retrieve the current device compliance state from Intune. If the tenant uses policy-based access control, the complianceState attribute (and other device attributes) are evaluated against access policies configured in IBM Verify. These policies determine whether to
    • Allow access (if policy permits non-compliant devices).
    • Require additional authentication (step-up authentication).
    • Deny access (if policy requires compliant devices only).
    Applications can be configured with access policies that define compliance requirements. Device attributes including complianceState are retrieved by Verify and stored after successful enrollment. The device attributes are cached for a limited time that is specified by the cache timeout and are retrieved again from Intune after the cache expires.
    Note: If a non-compliant device must be permanently blocked, delete it from IBM Verify, which also revokes its certificate. Deleting the device does not remove the revoked certificate from the managed client device.
  • Device management status (managed/unmanaged).
    The following device attributes are available for access policy evaluation.
    • New device
    • Device platform
    • Device compliance
All of these attributes are made available for use in access policy decisions. See Managing access policies.
Note: If a device is compromised, delete the device from IBM Verify, which immediately triggers the certificate revocation process. All certificates that are associated with the device are immediately revoked. The device can no longer authenticate, even if it still possesses the certificate file.
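The cache timeout, the policy decision over complianceState, and the effect of deleting a device described above can be seen together in the following added example. It is illustrative code written for this page, not part of IBM Verify; the Graph lookup is replaced by constructed device records, the policy (allow for compliant, step-up for unknown, deny or allow for non-compliant) is a hypothetical one, and the cache timeout is expressed in minutes as in the device manager settings.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample of the posture fields this example reads from a managed
# device record; the real Graph managedDevice resource has many more fields.
SAMPLE_MANAGED_DEVICES: Dict[str, Dict[str, str]] = {
    "dev-001": {"complianceState": "compliant", "managementAgent": "mdm"},
    "dev-002": {"complianceState": "noncompliant", "managementAgent": "mdm"},
    "dev-003": {"complianceState": "unknown", "managementAgent": "mdm"},
}


def graph_lookup(device_id: str) -> Dict[str, str]:
    """Stand-in for the Microsoft Graph managedDevices query (constructed data)."""
    return dict(SAMPLE_MANAGED_DEVICES[device_id])


@dataclass
class DevicePosture:
    """Caches device attributes for ttl_minutes, then re-fetches them from Intune."""
    ttl_minutes: int
    fetch: Callable[[str], Dict[str, str]] = graph_lookup
    clock: Callable[[], float] = time.monotonic
    fetch_count: int = 0
    revoked_devices: set = field(default_factory=set)
    _entries: Dict[str, Tuple[Dict[str, str], float]] = field(default_factory=dict)

    def get(self, device_id: str) -> Dict[str, str]:
        if device_id in self.revoked_devices:
            raise PermissionError("device deleted from Verify; its certificate is revoked")
        now = self.clock()
        hit = self._entries.get(device_id)
        if hit is not None and now - hit[1] < self.ttl_minutes * 60:
            return hit[0]                     # still within the cache timeout
        attrs = self.fetch(device_id)         # cache expired: query Intune again
        self.fetch_count += 1
        self._entries[device_id] = (attrs, now)
        return attrs

    def delete_device(self, device_id: str) -> None:
        """Models deleting the device in Verify: cached data is dropped and the
        certificate is treated as revoked, so later authentications fail even
        if the device still holds the certificate file."""
        self._entries.pop(device_id, None)
        self.revoked_devices.add(device_id)


def decide(attrs: Dict[str, str], allow_noncompliant: bool = False) -> str:
    """Hypothetical access policy over complianceState: 'allow', 'step-up' or 'deny'."""
    state = attrs.get("complianceState", "unknown")
    if state == "compliant":
        return "allow"
    if state == "noncompliant":
        return "allow" if allow_noncompliant else "deny"
    return "step-up"                          # unknown posture: require more authentication


if __name__ == "__main__":
    posture = DevicePosture(ttl_minutes=5)
    for dev in SAMPLE_MANAGED_DEVICES:
        print(dev, decide(posture.get(dev)))
```

The point the cache makes explicit is that a device which turns non-compliant in Intune keeps its cached "compliant" posture until the timeout expires, so the timeout value bounds how long a stale decision can stand; deletion is the only path in this model that takes effect immediately.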
SCEP Server Requirements

No external SCEP infrastructure is required. The SCEP server functionality is built into the mdm-broker service and handles all standard SCEP operations:

  • GetCACaps - Returns CA capabilities
  • GetCACert - Returns CA certificate chain
  • PKIOperation - Processes certificate enrollment and renewal requests

IBM Verify provides an integrated SCEP server and Certificate Authority (CA). Managed Devices present Certificate Signing Requests (CSRs) to the Verify SCEP endpoints via the standard SCEP protocol (PKIOperation). Verify acts as both the SCEP server and the signing CA, processing these requests and issuing signed client certificates according to the configured SCEP profile.

The entire SCEP certificate lifecycle—including generation, signing, storage, and renewal—is handled internally by Verify.

Note: If you are using MacOS Safari, you might encounter an issue in which you are not prompted for the client certificates that are issued by the Intune device manager. To resolve the issue, you must configure the MacOS Keychain identity preference.
  1. On your Mac system, go to Keychain Access.
  2. Add an Identity Preference for the client certificate.
  3. Set the identity preference location to tenant authentication URL + (space) + (com.apple.Safari). For example, https://{tenant_vanity_hostname}/usc.
The identity preference is now found in Keychain Access > login > All items and the certificate prompt works correctly.

Procedure

  1. Select Authentication > Device managers.
  2. Select Add device manager.
  3. Select the Type of device manager that you want to set up.
  4. Select Next.
  5. On the General settings page, provide the following information.
    • Enter the Device manager name in the provided field.
    • Select the Identity provider from the menu.
    • Select the Trust type from the menu. For the Device trust selection, users must log in with their configured first factor authentication mechanism. Device trust provides managed device attributes to an existing authentication session.
      Note: The Separating device and user authentication feature CI-114829 can be enabled upon request. To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. Create a support ticket if you have permission. IBM Verify trial subscriptions cannot create support tickets.
    • Select whether to enable just-in-time provisioning for user accounts.
      Note: The Just-in-Time (JIT) provisioning for user accounts is only applicable in case of User and device trust selection.
    • Select the Client certificate validity period. A device manager can be configured to issue certificates for 90, 180, 365 days, or 3 years. By default, the selection is 3 years. Organizations can select the validity period that aligns with their security policies and compliance requirements. Shorter validity periods reduce the window of exposure if a certificate is compromised, while longer periods reduce the frequency of renewal operations.
    • Specify the maximum number of certificates for each device. Certificate renewal is handled automatically by the device when a certificate's remaining lifetime drops below the Renewal threshold that is configured in the SCEP profile. The device automatically initiates a renewal request. The renewal process is transparent to the end user and requires no manual intervention. After a successful renewal, the old certificate is automatically revoked.
      Verify implements comprehensive certificate revocation across multiple scenarios.
      • Certificate renewal
      • Device deletion from Verify
      • User deletion from Verify
      • Certificate expiration
    • Specify how many minutes that the user and device information is kept.
  6. Select Next.
  7. On the API credentials page, enter the API details of your application in Azure Active Directory.
    • If you already have the application, select Form only.
      1. Provide the application ID, secret, and the tenant name.
      2. Select Unique user identifier from a predefined list of attributes, or select Custom Rule to specify attribute mappings. If you select to use a custom rule, you can add custom attributes and a rule. Type the rule to compute the attribute value. For example,
        requestContext.email[0].split('@')[0]
        Note: The custom rule selection is not applicable to Device trust. However, you can enter the appropriate attribute in the provided field.
      3. Select Test credentials to verify your credentials.
      4. Select Next.
    • If you are creating an application, select Show with steps and follow the instructions.
      1. In the Azure portal, go to Azure Active Directory > App Registrations and then select New registration.
      2. On the Register an application page, specify the following details.
        Name
        Enter a meaningful app name, for example IBM Verify.
        Supported account types
        Select Accounts in any organizational directory.
        Redirect URI
        Note: The Redirect URI can be left blank during App Registration configuration.
      3. Select Register.
      4. From the app overview page, copy the Application (client) ID value and paste it in the Enter app ID field.
      5. In the navigation page for the app, under Manage, select Certificates & secrets and select New client secret.
      6. Enter a description, select any option for Expires, then click Add.
      7. Paste the client secret in the Enter app secret field.
      8. For the Tenant name, enter your Microsoft Entra ID tenant name.
      9. Select or type a unique user identifier attribute.
      10. In the navigation page for the app, under Manage, select API permissions, and select Add a permission.
      11. Select Intune and then select Application permissions. Select the checkbox for scep_challenge-provider.
      12. Select Add permissions.
      13. In the navigation pane for the app, under Manage, select API permissions, and select Add a permission.
      14. Select Microsoft Graph, and then select Application permissions.
      15. Select the checkbox for DeviceManagementManagedDevices.Read.All, User.Read.All, and Application.Read.All.
      16. Select Add permissions.
      17. Select Grant admin consent for Microsoft, and then select Yes.
      18. Select Test credentials to verify your credentials.
        The "Test credentials" button validates that
        • Credentials are correctly formatted.
        • Client ID and Client Secret are valid.
        • Microsoft Entra ID can be reached.
        • An OAuth access token can be obtained from Microsoft.
        It does not test:
        • API permissions (for example, DeviceManagementManagedDevices.Read.All)
        • Ability to read user/device information from Microsoft Graph
        • Network connectivity to Microsoft Graph API endpoints
        • Tenant configuration completeness
        Test Passes:
        • OAuth access token successfully obtained from https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
        Note: A successful credential test does NOT guarantee the integration works. The test only validates authentication, not API permissions or data access. Full validation requires actual device enrollment testing.
        Test Fails:
        • HTTP 400 response is returned with the error: Connection to MicrosoftIntune failed.
        • Common causes are Invalid Client ID or Secret, incorrect tenant name, network issues, or expired credentials.
        Troubleshooting
        • Review HTTP Response: Success returns SCEP URLs; failure returns error message.
        • Verify Azure Configuration: Check Client ID, Secret, and tenant name in Azure Portal.
        • Confirm API Permissions: Ensure required Microsoft Graph permissions are granted with admin consent.
        • Test End-to-End: Attempt actual device enrollment to validate full integration.
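Because Test credentials only proves that a token can be obtained, an administrator may want a second check before enrolling devices. The following added example (written for this page, not IBM Verify's own code) builds the client-credentials request to the token endpoint named above and then inspects the returned app-only token for the three Microsoft Graph application permissions listed in step 15: Entra ID places granted and admin-consented application permissions in the token's roles claim, so a missing role shows up before any Graph call is attempted. The Intune scep_challenge.provider permission is on a different resource and is not covered by this check. The sample token used for the offline demonstration is constructed and unsigned.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode
from typing import Dict, Iterable, List, Tuple

TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Application permissions the page says the app registration needs on Microsoft Graph.
REQUIRED_GRAPH_ROLES = {
    "DeviceManagementManagedDevices.Read.All",
    "User.Read.All",
    "Application.Read.All",
}


def build_token_request(tenant: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """URL and form body of a client-credentials request to the v2.0 token endpoint."""
    url = TOKEN_URL_TEMPLATE.format(tenant=tenant)
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def request_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Performs the request (needs network access) and returns the access token."""
    url, body = build_token_request(tenant, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> Dict:
    """Reads the JWT payload without verifying the signature. That is acceptable
    here only because the token was just received from the token endpoint over
    TLS and is being inspected for diagnostics, not accepted as proof of anything."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def missing_graph_roles(access_token: str,
                        required: Iterable[str] = REQUIRED_GRAPH_ROLES) -> List[str]:
    """Application permissions that are not granted or not admin-consented:
    an app-only Graph token lists granted application permissions in 'roles'."""
    granted = set(token_claims(access_token).get("roles", []))
    return sorted(set(required) - granted)


def make_sample_token(roles: List[str]) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    # Offline demonstration with a constructed token that lacks two permissions.
    sample = make_sample_token(["User.Read.All"])
    print("missing:", missing_graph_roles(sample))
```

Against a live tenant, call request_token with the tenant name, Application (client) ID and client secret from the registration, then pass the result to missing_graph_roles; an empty list means the permissions in step 15 were granted and consented, which is the part the built-in test does not cover.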
      19. Select Next.
  8. On the User properties page (opens in case of User and device trust selection) or Device properties (opens in case of Device trust selection), map the device manager attributes to IBM Verify attributes.
    Note: Attribute names are case-insensitive and duplicate attributes are not allowed.
    1. Select the device manager attribute.
      The Intune device manager attributes that are available for mapping are those returned from the Microsoft Graph API endpoints:
      • /deviceManagement/managedDevices
      • /users/{userId}
      • Intune user attributes are documented by Microsoft at user resource type. Select Properties from the In this article menu.
      • Intune device attributes are documented by Microsoft at managedDevice resource type. Select Properties from the In this article menu.
      Note: To map a device attribute to Verify, prefix it with the string mdmDevice::. For example, to map the device attribute complianceState to Verify, write it as
      mdmDevice::complianceState

      User attributes do not require a prefix.

      Device attributes like mdmDevice::complianceState map from a single enrolled device. In multi-device scenarios, this value might be inconsistent. Only map device attributes into Verify when users are expected to be restricted to a single device.
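The prefix rule, the case-insensitive duplicate check from the note above, and the multi-device caveat can be exercised with the following added example, which is illustrative code for this page rather than IBM Verify's mapping engine. The user and device records are constructed stand-ins for the /users/{userId} and /deviceManagement/managedDevices responses, the Verify attribute names on the right-hand side of the mapping are assumptions, and the optional transform mirrors the page's custom rule email[0].split('@')[0].

```python
from typing import Any, Callable, Dict, List, Tuple

MDM_DEVICE_PREFIX = "mdmDevice::"

# Constructed samples of what the Graph /users/{userId} and
# /deviceManagement/managedDevices responses contain (trimmed to a few fields).
SAMPLE_USER = {
    "userPrincipalName": "jdoe@example.com",
    "mail": "jdoe@example.com",
    "displayName": "J. Doe",
}
SAMPLE_DEVICES = [
    {"id": "dev-001", "complianceState": "compliant", "operatingSystem": "Windows"},
    {"id": "dev-002", "complianceState": "noncompliant", "operatingSystem": "macOS"},
]

# Device manager attribute -> Verify attribute. Device attributes carry the
# mdmDevice:: prefix; user attributes do not. The Verify attribute names on
# the right are assumed for this example.
MAPPING: Dict[str, str] = {
    "userPrincipalName": "preferred_username",
    "mail": "email",
    "mdmDevice::complianceState": "deviceCompliance",
    "mdmDevice::operatingSystem": "devicePlatform",
}

# Optional transforms keyed by Verify attribute; this one mirrors the page's
# custom rule email[0].split('@')[0].
TRANSFORMS: Dict[str, Callable[[Any], Any]] = {
    "preferred_username": lambda v: v.split("@")[0],
}


def validate_mapping(mapping: Dict[str, str]) -> None:
    """Rejects duplicate source attributes; names are compared case-insensitively."""
    seen = set()
    for src in mapping:
        if src.lower() in seen:
            raise ValueError(f"duplicate attribute (case-insensitive): {src}")
        seen.add(src.lower())


def resolve_attributes(mapping: Dict[str, str], user: Dict[str, Any],
                       devices: List[Dict[str, Any]],
                       transforms: Dict[str, Callable[[Any], Any]] = None
                       ) -> Tuple[Dict[str, Any], List[str]]:
    """Builds the Verify attribute set for one user and returns it with warnings.
    Device attributes are taken from the first enrolled device; when several
    devices disagree, the value is ambiguous, which is the multi-device caveat."""
    validate_mapping(mapping)
    transforms = transforms or {}
    attrs: Dict[str, Any] = {}
    warnings: List[str] = []
    for src, dst in mapping.items():
        if src.startswith(MDM_DEVICE_PREFIX):
            name = src[len(MDM_DEVICE_PREFIX):]
            values = {d.get(name) for d in devices}
            if len(values) > 1:
                warnings.append(f"{src} differs across {len(devices)} enrolled devices")
            value = devices[0].get(name) if devices else None
        else:
            value = user.get(src)
        if dst in transforms and value is not None:
            value = transforms[dst](value)
        attrs[dst] = value
    return attrs, warnings


if __name__ == "__main__":
    attrs, warnings = resolve_attributes(MAPPING, SAMPLE_USER, SAMPLE_DEVICES, TRANSFORMS)
    print(attrs)
    for w in warnings:
        print("warning:", w)
```

Run with the two constructed devices, the resolver flags both mdmDevice:: attributes as inconsistent; with a single device it returns a clean mapping, which is the situation the page says device attributes should be reserved for.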

    2. Optional: Select a transform from the menu.
    3. Required: Select the Verify attribute that you want to map the attribute to.
    4. Select how you want to store the attribute in the user's profile.
  9. Optional: Click Add attributes.
    If you select to use a custom rule, you can add custom attributes one at a time, each with a rule. Type the rule to compute the attribute value. For example,
    idsuser.email[0].split('@')[0]
    Click Run test to make sure the rule works.
  10. Select Save and continue.
    The device manager is saved.
  11. Create the root certificate profile.
    Follow the instructions that are provided.
    1. Download the following root and profile certificates .zip files that are provided.
    2. Sign in to Microsoft Endpoint Manager and open Devices > Configuration profiles.
    3. To create a root certificate profile, select Create profile and choose the following settings:
      Platform
      Select the appropriate platform.
      Profile
      Trusted certificate.
    4. Select Create.
    5. Name the root certificate profile, for example WIN10_RootCA_Cert, and select Next.
    6. Upload the root certificate profile that you downloaded in Step 1, set the destination store to Computer certificate store - Root, and select Next.
    7. Set Assign to to the users or groups that you want to test with and select Next.
    8. Select Create.
    9. Repeat steps 2-8 for the intermediate certificate.
  12. Select Next.
  13. On the SCEP certificate profile page, enter the API details of your application in Azure Active Directory.

    • If you already have a SCEP certificate profile, select Values only.
      1. Provide the subject and SCEP URL.
      2. Select Next.
    • If you are creating a SCEP certificate profile, select Show with steps and follow the instructions.
      1. To create a SCEP certificate profile, select Create profile and choose the following settings:
        Platform
        Select the appropriate platform.
        Profile
        SCEP certificate.
      2. Select Create.
      3. Name the root certificate profile, for example WIN10_RootCA_Cert, and select Next.
      4. Use the following configuration settings:
        Certificate Type
        User.
        Subject name format
        Custom.
        Custom
        Automatically generated CN.
        Subject alternative name
        User principal name (UPN).
        Certificate validity period
        1 Year.
        Key storage provider (KSP)
        If available, enroll to Trusted Platform Module (TPM) KSP, otherwise enroll to Software KSP.
        Key usage
        Key encipherment, Digital signature.
        Key size (bits)
        2048.
        Hash algorithm
        SHA-2.
        Root certificate
        Select the root certificate profile that you created and named in step 11.
        Extended key usage
        Select Client Authentication from the Predefined values menu.
        Renewal threshold
        20.
        SCEP server URLs
        Automatically generated URL.
      5. Select Next and assign any users or group that you want to test the connection with.
      6. Select Create.
      7. Select Next.
  14. Set the MDM scopes.
    Follow the instructions.
    1. In the Microsoft Endpoint Manager admin center, choose All services > M365 Azure Active Directory > Azure Active Directory > Mobility (MDM and MAM).
    2. Select Microsoft Intune to configure Intune.
    3. Select Some from the MDM user scope to use MDM auto-enrollment to manage enterprise data on your employees' Windows™ devices.
      MDM auto-enrollments are configured for AAD joined devices and bring your own device scenarios.
    4. Select Select groups > Selected groups/Users > Select as the assigned group.
    5. Select Some from the MAM Users scope to manage data on your workforce's devices.
    6. Choose Select groups > Select groups/Users > Select as the assigned group.
    7. Use the default values for the remaining configuration values.
    8. Select Save.
  15. Select Next.
  16. Test the configuration.
    Follow the instructions.
  17. Select Complete setup.
    1. Review your settings.
    2. Select Save changes.