Use this task to configure Microsoft Intune as your device manager.
Before you begin
- You must have administrative permission to complete this task.
- Log in to the IBM® Security Verify administration console as an Administrator.
About this task
- Supported operating systems
  - Windows 8.1 and later
  - MacOS 10.13 and later
Note: If you are using MacOS Safari, you might encounter an issue in which you are not prompted for the client certificates that are issued by the Intune device manager. To resolve the issue, you must configure the MacOS Keychain identity preference.
  - On your Mac system, go to Keychain Access.
  - Add an Identity Preference for the client certificate.
  - Set the identity preference location to the tenant authentication URL, followed by a space and com.apple.Safari. For example, https://{mtls_enabled_tenant_name}/usc followed by a space and com.apple.Safari.
  The identity preference is now found in and the certificate prompt works correctly.
Procedure
- Select .
- Select Add device manager.
- Select the Type of device manager that you want to set up.
- Select Next.
- On the General settings page, provide the following information.
  - The name of the device manager.
  - Select the identity source from the menu.
  - Select whether to enable just-in-time provisioning for user accounts.
  - Specify the maximum number of certificates for each device.
  - Specify how many minutes the user and device information is kept.
- Select Next.
- On the API credentials page, enter the API details of your application in Azure Active Directory.
  - If you already have the application, select Form only.
    - Provide the application ID, secret, and the tenant name.
    - Select Unique user identifier from a predefined list of attributes, or select Custom Rule to specify attribute mappings. If you use a custom rule, you can add custom attributes and a rule. Type the rule to compute the attribute value. For example, requestContext.email[0].split('@')[0]
    - Select Test credentials to verify your credentials.
    - Select Next.
  - If you are creating an application, select Show with steps and follow the instructions.
    - In the Azure portal, go to and then select New registration.
    - On the Register an application page, specify the following details.
      - Name: Enter a meaningful app name, for example IBM Security Verify.
      - Supported account types: Select Accounts in any organizational directory.
      - Redirect URI: Leave the default selection of Web, and then specify the sign-on URL for the third-party SCEP server.
    - Select Register.
    - From the app overview page, copy the Application (client) ID value and paste it in the Enter app ID field.
    - In the navigation pane for the app, under Manage, select Certificates & secrets and select New client secret.
    - Enter a description, select any option for Expires, then click Add.
    - Paste the client secret in the Enter app secret field.
    - Copy the Tenant ID, which is the domain text after the @ sign in your account, and paste it in the Tenant name field.
    - Select or type a unique user identifier attribute.
    - In the navigation pane for the app, under Manage, select API permissions, and select Add a permission.
    - Select Intune and then select Application permissions. Select the checkbox for scep_challenge-provider.
    - Select Add permissions.
    - In the navigation pane for the app, under Manage, select API permissions, and select Add a permission.
    - Select Microsoft Graph, and then select Application permissions.
    - Select the checkboxes for DeviceManagementManageDevices.Read.All and User.Read.All.
    - Select Add permissions.
    - Select Grant admin consent for Microsoft, and then select Yes.
    - Select Test credentials to verify your credentials.
    - Select Next.
- On the User properties page, map the device manager attributes to IBM Security Verify attributes.
  Note: Attribute names are case-insensitive and duplicate attributes are not allowed.
  - Select the device manager attribute.
  - Optional: Select a transform from the menu.
  - Required: Select the Verify attribute that you want to map the attribute to.
  - Select how you want to store the attribute in the user's profile.
  - Optional: Click Add attributes. If you use a custom rule, you can add custom attributes one at a time, each with a rule. Type the rule to compute the attribute value. For example, idsuser.email[0].split('@')[0]. Click Run test to make sure the rule works.
- Select Save and continue. The device manager is saved.
- Create the root certificate profile. Follow the instructions that are provided.
  - Download the root and profile certificate .zip files that are provided.
  - Sign in to Microsoft Endpoint Manager and open .
  - To create a root certificate profile, select Create profile and choose the following settings:
    - Platform: Select the appropriate platform.
    - Profile: Trusted certificate.
  - Select Create.
  - Name the root certificate profile, for example WIN10_RootCA_Cert, and select Next.
  - Upload the root certificate that you downloaded in Step 1, set the destination store to Computer certificate store - Root, and select Next.
  - Set Assign to to the users or groups that you want to test with and select Next.
  - Select Create.
  - Repeat steps 2-8 for the intermediate certificate.
- Select Next.
- On the SCEP certificate profile page, enter the API details of your application in Azure Active Directory.
  - If you already have a SCEP certificate profile, select Values only.
    - Provide the subject and SCEP URL.
    - Select Next.
  - If you are creating a SCEP certificate profile, select Show with steps and follow the instructions.
    - To create a SCEP certificate profile, select Create profile and choose the following settings:
      - Platform: Select the appropriate platform.
      - Profile: SCEP certificate.
    - Select Create.
    - Name the SCEP certificate profile and select Next.
    - Use the following configuration settings:
      - Certificate Type: User.
      - Subject name format: Custom.
      - Custom: Automatically generated CN.
      - Subject alternative name: User principal name (UPN).
      - Certificate validity period: 1 year.
      - Key storage provider (KSP): If available, enroll to Trusted Platform Module (TPM) KSP, otherwise enroll to Software KSP.
      - Key usage: Key encipherment, Digital signature.
      - Key size (bits): 2048.
      - Hash algorithm: SHA-2.
      - Root certificate: Select the root certificate profile that you created and named in step 11.
      - Extended key usage: Select Client Authentication from the Predefined values menu.
      - Renewal threshold (%): 20.
      - SCEP server URLs: Automatically generated URL.
    - Select Next and assign any users or groups that you want to test the connection with.
    - Select Create.
  - Select Next.
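Once devices have enrolled, an administrator can confirm that the certificates Intune actually issued match the SCEP profile settings above (RSA 2048, SHA-2 signature, Digital Signature and Key Encipherment key usage, Client Authentication EKU, a UPN in the subject alternative name, a one-year validity, and a TPM-backed key where the KSP fallback was not taken). The following PowerShell script is an added example, not part of the IBM or Microsoft documentation; it assumes the issuing CA's subject contains the placeholder string in $IssuerMatch.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example (not from the IBM or Microsoft documentation): audit the SCEP-issued user
# certificates on an enrolled Windows device against the profile settings above.
# Assumption: $IssuerMatch is a substring of your issuing (intermediate) CA's subject name.
$IssuerMatch = 'Intune'   # placeholder, adjust to your CA

function Test-ScepClientCert {
    param([X509Certificate2]$Cert)
    $findings = @()
    # Extended key usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2)
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2')) {
        $findings += 'missing Client Authentication EKU'
    }
    # Key usage must carry both Digital Signature and Key Encipherment
    $ku = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $want = [X509KeyUsageFlags]::DigitalSignature -bor [X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or (($ku.KeyUsages -band $want) -ne $want)) {
        $findings += "key usage is '$($ku.KeyUsages)', expected DigitalSignature, KeyEncipherment"
    }
    # RSA 2048 public key and a SHA-2 signature (sha256RSA, sha384RSA or sha512RSA)
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if (-not $rsa -or $rsa.KeySize -ne 2048) { $findings += "key size is $($rsa.KeySize), expected RSA 2048" }
    if ($Cert.SignatureAlgorithm.FriendlyName -notmatch '^sha(256|384|512)') {
        $findings += "signature algorithm is $($Cert.SignatureAlgorithm.FriendlyName), expected SHA-2"
    }
    # Subject alternative name must contain the user principal name
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch 'Principal Name=') {
        $findings += 'subject alternative name has no UPN'
    }
    # Validity must not exceed the 1 year set in the profile (366 allows a leap day)
    if (($Cert.NotAfter - $Cert.NotBefore).TotalDays -gt 366) { $findings += 'validity exceeds 1 year' }
    # TPM-backed keys live in the Microsoft Platform Crypto Provider; anything else is a software key
    $priv = [RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $provider = if ($priv -is [System.Security.Cryptography.RSACng]) { $priv.Key.Provider.Provider } else { 'legacy CSP' }
    if ($provider -ne 'Microsoft Platform Crypto Provider') { $findings += "private key is in '$provider', not the TPM KSP" }
    [pscustomobject]@{
        Subject  = $Cert.Subject
        NotAfter = $Cert.NotAfter
        Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Enumerate the user's personal store for certificates issued by the SCEP CA
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey } |
    ForEach-Object { Test-ScepClientCert -Cert $_ } |
    Format-Table -AutoSize -Wrap
```

Run it in the enrolled user's session, since the profile issues User certificates into that user's personal store; a "legacy CSP" or "Microsoft Software Key Storage Provider" finding means the device fell back to the Software KSP.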
- Set the MDM scopes. Follow the instructions.
  - In the Microsoft Endpoint Manager admin center, choose .
  - Select Microsoft Intune to configure Intune.
  - Select Some from the MDM user scope to use MDM auto-enrollment to manage enterprise data on your employees' Windows devices. MDM auto-enrollment is configured for AAD joined devices and bring your own device scenarios.
  - Select .
  - Select Some from the MAM user scope to manage data on your workforce's devices.
  - Choose .
  - Use the default values for the remaining configuration values.
  - Select Save.
- Select Next.
- Test the configuration. Follow the instructions.
  - Select Complete setup.
- Review your settings.
- Select Save changes.