How To Create Intune Profiles for MacOS Devices

This page explains how to create an Intune profile that issues X.509 certificates to devices or users on MacOS using SCEP.

Prerequisites

  1. Register Intune Application in Azure Tenant
  2. Create and Download your SCEP CA Certificate

Create Trusted Certificate Profile in Intune

The first step in getting certificates distributed to your devices is trusting the issuing CA certificate chain. The following steps show how to do that for your MacOS devices.

  1. Go to https://aka.ms/intuneportal
  2. Select: Devices -> macOS -> Configuration profiles.
  3. Click the “Create profile” button.
  4. Select “Templates” as the profile type.
  5. Select the “Trusted Certificate” template.
  6. Click create.
  7. Enter the name for this Intune certificate profile.
  8. Upload the CA Certificate you downloaded from EZCA.
  9. Select your Assignment rules.
  10. Create the configuration profile. Now all the devices in scope will trust certificates issued by this CA.
  11. Repeat these steps for every CA certificate in the chain (your Root CA and Issuing CA). If you only created a Root issuing CA, continue to create the SCEP profiles for your devices.

How to Create Intune SCEP Profile For Device Certificates

If you are looking for user certificates, skip to the next section.

  1. Once you have created your trusted certificate profile, go back to the MacOS configuration profiles page and click the “Create profile” button.
  2. Select “Templates” as the profile type.
  3. Select the “SCEP Certificate” template.
  4. Click create.
  5. Enter the name for this Intune SCEP profile.
  6. In configuration settings, we are going to select Device as the certificate type.
  7. For Subject name we will enter CN={{AAD_Device_ID}} or CN={{DeviceId}}
  8. In the Subject Alternate Name we will select the URI Attribute and enter IntuneDeviceId://{{DeviceId}} as the value.
  9. For Certificate Validity period enter the period you entered in EZCA.
  10. For Key Storage Provider (KSP), we recommend “Enroll to Trusted Platform Module (TPM) KSP, otherwise fail”. However, if you want to support PCs without a TPM and are OK with the risk of software-based keys, feel free to use one of the other options.
  11. For Key Usage, select both “Digital Signature” and “Key Encipherment”.
  12. For Key Size, select “4096”.
  13. For Hash Algorithm, select “SHA-2”.
  14. In the root certificate field click the “+ Root Certificate” link and select the CA we created in the “Create Trusted Certificate Profile” section.

    While it says Root Certificate, if you created a Subordinate/Issuing CA, you must select the Issuing CA profile, not the root CA.

  15. For Extended Key Usage, select “Client Authentication (1.3.6.1.5.5.7.3.2)”.
  16. Feel free to leave the renewal percentage at 20% or increase it to a value you feel comfortable with.
  17. Your setup should now look something like this: (screenshot: Create Mac SCEP Device Certificate Profile in Intune)
  18. The last step is to get the SCEP Server URLs from EZCA. To do this, go back to your EZCA Portal, click on Certificate Authorities, and select the “View Requirements” button on your Intune CA.
  19. Copy the SCEP URL.
  20. Go back to your Intune Portal tab and paste the URL in the “SCEP Server URLs” section.
  21. Click Next.
  22. Select the devices or groups you want to apply this profile to. Once the assignments are added, review and create the policy.
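
To confirm that a certificate issued through the device profile actually carries the settings chosen in the steps above, the following added example (not part of the original guide or of EZCA's tooling) decodes a certificate with openssl and checks key size, hash, key usage, EKU and the IntuneDeviceId SAN URI. The PEM file path and the self-signed sample produced by make_sample_cert are assumptions made for illustration; a real check would run against a certificate exported from the device.

```sh
#!/bin/sh
# Added example: audit an issued device certificate against the profile settings.

# _want <description> <extended-regex>: record a failure if the regex is absent
# from the decoded certificate text held in $cert_text.
_want() {
  if ! printf '%s\n' "$cert_text" | grep -Eq -- "$2"; then
    echo "FAIL: $1"
    cert_failures=$((cert_failures + 1))
  fi
}

# check_device_cert <pem-file>: prints one line per failed check and
# returns 0 only when every setting from the SCEP profile is present.
check_device_cert() {
  cert_text="$(openssl x509 -in "$1" -noout -text)" || return 2
  cert_failures=0
  _want "RSA key size is 4096 bits"        'Public-Key: \(4096 bit\)'
  _want "signature hash is SHA-2"          'Signature Algorithm: .*(sha|SHA)(256|384|512)'
  _want "key usage: Digital Signature"     'Digital Signature'
  _want "key usage: Key Encipherment"      'Key Encipherment'
  _want "EKU: Client Authentication"       'TLS Web Client Authentication'
  _want "SAN URI is IntuneDeviceId://<id>" 'URI:IntuneDeviceId://[^, ]+'
  [ "$cert_failures" -eq 0 ]
}

# Constructed sample: a self-signed stand-in for an issued certificate, so the
# check can be tried offline. The all-zero device ID is a placeholder.
make_sample_cert() {  # make_sample_cert <out.pem> <rsa-bits>
  openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 1 \
    -keyout "$1.key" -out "$1" \
    -subj "/CN=00000000-0000-0000-0000-000000000000" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=clientAuth" \
    -addext "subjectAltName=URI:IntuneDeviceId://00000000-0000-0000-0000-000000000000" \
    2>/dev/null
  rm -f "$1.key"
}

# Usage: sh check_cert.sh /path/to/exported-device-cert.pem
if [ "$#" -gt 0 ]; then
  check_device_cert "$1"
fi
```

A certificate that fails only the key-size line usually means the profile was saved with a smaller Key Size than the “4096” selected in step 12.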

How to Create Intune SCEP Profile For User Certificates

  1. Once you have created your trusted certificate profile, go back to the Windows configuration profiles page and click the “Create profile” button.
  2. Select “Templates” as the profile type.
  3. Select the “SCEP Certificate” template.
  4. Click create.
  5. Enter the name for this Intune SCEP profile.
  6. In configuration settings, we are going to select User as the certificate type.
  7. For Subject name we will leave CN={{UserName}},E={{EmailAddress}}
  8. In the Subject Alternate Name we will select the “User Principal Name (UPN)” Attribute and enter {{UserPrincipalName}} as the value.
  9. For Certificate Validity period enter the period you entered in EZCA.
  10. For Key Storage Provider (KSP), we recommend either “Enroll to Trusted Platform Module (TPM) KSP, otherwise fail” or “Enroll to Windows Hello For Business, otherwise fail”, depending on how you want to use this certificate. However, if you want to support PCs without a TPM and are OK with the risk of software-based keys, feel free to use one of the other options.
  11. For Key Usage, select both “Digital Signature” and “Key Encipherment”.
  12. For Key Size, select “4096”.
  13. For Hash Algorithm, select “SHA-2”.
  14. In the root certificate field click the “+ Root Certificate” link and select the CA we created in the “Create Trusted Certificate Profile” section.

    While it says Root Certificate, if you created a Subordinate/Issuing CA, you must select the Issuing CA profile, not the root CA.

  15. For Extended Key Usage, select “Client Authentication (1.3.6.1.5.5.7.3.2)”.
  16. Feel free to leave the renewal percentage at 20% or increase it to a value you feel comfortable with.
  17. Your setup should now look something like this: (screenshot: Create Mac SCEP User Certificate Profile in Intune)
  18. The last step is to get the SCEP Server URLs from EZCA. To do this, go back to your EZCA Portal, click on Certificate Authorities, and select the “View Requirements” button on your Intune CA.
  19. Copy the SCEP URL.
  20. Go back to your Intune Portal tab and paste the URL in the “SCEP Server URLs” section.
  21. Click Next.
  22. Select the devices or groups you want to apply this profile to. Once the assignments are added, review and create the policy.