October 29, 2020


Microsoft Intune and PrimeKey EJBCA


Scalable, efficient and compliant PKI and certificate management for Intune installations

Microsoft Intune is a cloud-based service for Mobile Device Management (MDM) and Mobile Application Management (MAM) that provides unified endpoint management of corporate and Bring Your Own Device (BYOD) endpoints. Via a web console, you manage your devices by configuring device policies, enrollment experiences, certificate issuance, reporting, and device wiping. Mobile devices store and transfer an enormous amount of corporate and personal data, and more devices are entering enterprise networks every day. The IT department is responsible for making sure these devices stay secure. Intune is an enterprise MDM solution that can manage devices and enforce compliance with corporate security requirements. Using certificates and PKI for strong authentication of mobile devices towards applications or networks is typically one of the fundamental security requirements, and this is supported by Intune together with PrimeKey EJBCA.

Using PrimeKey EJBCA Enterprise with Intune

The mobile device is registered with Intune, and a policy is created that enrolls the device for a certificate. Another policy is also required to push the CA chain to the device. Upon device registration, a SCEP package is sent to the device and the enrollment begins. For the SCEP enrollment, a challenge is configured in Azure and presented by the device. When EJBCA receives the enrollment request (a PKCS #10 certificate request), it checks the challenge against Azure. Only if the challenge is vetted does EJBCA issue a certificate. PrimeKey EJBCA Enterprise supports multiple SCEP aliases, which gives an organization the flexibility to configure different certificate profiles for Intune SCEP enrollment, and it integrates directly with Azure Active Directory. EJBCA can be deployed on-premises as a software or hardware appliance, or in the Azure or AWS cloud. EJBCA has full support for Azure Key Vault and Cloud HSM for protection of CA keys.
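The gating step in the flow above is that the CA issues nothing until the device's challenge has been vetted by the Intune side. The following Python model is an added illustration, not code from EJBCA or Intune: it stands in the Azure/Intune validation service with a constructed `ChallengeAuthority` (an HMAC-signed, time-limited, single-use token is an assumption made here for illustration, not the format Intune uses), represents the PKCS #10 request by the fields that matter for the decision, and shows the outcomes a CA operator should expect for a valid challenge and for the failure modes (replay, wrong device, expiry, forged or malformed challenge).

```python
import base64
import hashlib
import hmac
import itertools
import json
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


# Constructed stand-in for the challenge-issuing and -validating side
# (Azure/Intune in the article). Challenge format is an assumption for
# illustration: base64(JSON claims + "." + hex HMAC-SHA256 tag).
@dataclass
class ChallengeAuthority:
    secret: bytes
    used: set = field(default_factory=set)  # single-use tracking (replay defence)

    def issue(self, device_id: str, ttl: int = 300, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        body = json.dumps({"dev": device_id, "exp": int(now) + ttl}, sort_keys=True).encode()
        tag = hmac.new(self.secret, body, hashlib.sha256).hexdigest().encode()
        return base64.urlsafe_b64encode(body + b"." + tag).decode()

    def validate(self, challenge: str, device_id: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            body, tag = base64.urlsafe_b64decode(challenge.encode()).rsplit(b".", 1)
        except Exception:
            return False, "malformed"
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False, "bad-signature"
        claims = json.loads(body)  # safe to parse: integrity already verified
        if claims["dev"] != device_id:
            return False, "device-mismatch"
        if now > claims["exp"]:
            return False, "expired"
        if challenge in self.used:
            return False, "replayed"
        self.used.add(challenge)
        return True, "ok"


# Minimal view of the incoming SCEP enrollment: the challengePassword
# attribute of the PKCS #10 request plus the identity EJBCA would check it for.
@dataclass
class ScepRequest:
    device_id: str
    subject: str
    challenge: str


_serials = itertools.count(1)  # constructed serial source; a real CA signs X.509 here


def handle_enrollment(req: ScepRequest, authority: ChallengeAuthority,
                      now: Optional[float] = None) -> dict:
    """CA-side decision: vet the challenge first, issue only on success."""
    ok, reason = authority.validate(req.challenge, req.device_id, now)
    if not ok:
        return {"status": "rejected", "reason": reason}
    return {"status": "issued", "serial": next(_serials), "subject": req.subject}


def demo() -> dict:
    """Run the happy path and each failure mode with constructed inputs."""
    authority = ChallengeAuthority(b"constructed-demo-secret")
    now = 1_700_000_000.0
    good = authority.issue("device-1", now=now)
    short = authority.issue("device-4", ttl=10, now=now)
    forged = ChallengeAuthority(b"other-secret").issue("device-5", now=now)
    return {
        "valid": handle_enrollment(ScepRequest("device-1", "CN=device-1", good), authority, now),
        "replay": handle_enrollment(ScepRequest("device-1", "CN=device-1", good), authority, now),
        "wrong_device": handle_enrollment(
            ScepRequest("device-3", "CN=device-3", authority.issue("device-2", now=now)), authority, now),
        "expired": handle_enrollment(ScepRequest("device-4", "CN=device-4", short), authority, now + 60),
        "forged": handle_enrollment(ScepRequest("device-5", "CN=device-5", forged), authority, now),
        "malformed": handle_enrollment(ScepRequest("device-6", "CN=device-6", "not-a-challenge"), authority, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The point of the model is the ordering: integrity of the challenge is checked before any claim inside it is trusted, and the challenge is consumed only after every check passes, so a rejected attempt does not burn a still-valid challenge while a successful one cannot be replayed.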

For a complete guide with instructions for enrollment and validation of Microsoft Intune device certificates using EJBCA on AWS, see the EJBCA integration guide Microsoft Intune Device Certificate Enrollment.

To get started you must have your organization registered in Microsoft Azure and have EJBCA Enterprise in place. Why not use Microsoft ADCS? Specifically for cloud deployments, MS ADCS is not very cloud-friendly and does not integrate with Azure Active Directory, which means more management overhead; in addition, the Microsoft CA does not support using Key Vault to protect the CA keys.

More about Microsoft Intune Device Certificate Enrollment