AppViewX Integration with Intune for Certificate Automation

Microsoft Intune is a cloud-based mobile device management (MDM) solution that helps organizations manage devices, including mobile devices, tablets, and laptops. In addition to standardizing endpoint configurations, it is responsible for telling the endpoint how to obtain a device or user certificate. These certificates are what users and devices use to prove their identity and authenticate to a remote server or application in order to use its services, such as Wi-Fi authentication and enterprise VPN access.

With the advent of modern technology and changes in post-COVID working styles, end users can work anywhere, from the office to their homes, coffee shops, or any location where they need to carry out their work. This requires a sustainable request and delivery mechanism for certificates to endpoints that are widely dispersed, which can be quite challenging to set up. These challenges can affect the issuing, renewing, and delivery of certificates to the endpoints.

How AppViewX AVX ONE Helps Simplify Certificate Management

AppViewX AVX ONE is a certificate lifecycle and PKI management platform that offers native integration with Intune as well as with various certificate authority (CA) providers. It acts as a registration authority (RA) to issue certificates to endpoints. AVX ONE leverages the Simple Certificate Enrollment Protocol (SCEP), a method recommended and approved by Intune, to validate and issue certificates to requesting endpoints.

With AVX ONE, certificates can be issued by any CA, not just a specific one. If there is a need to change the issuing CA, only minimal configuration changes are required on the AppViewX side. These changes are simple and quick to execute, making the process efficient and flexible.

How the Integration Works

Step 1: The profile for the endpoints is configured in Intune, where the SCEP URL is one of the parameters. This SCEP URL points to AVX ONE. When this profile is pushed to the endpoint, Intune also provides an encrypted and signed challenge to the endpoint.

Step 2: When the endpoint needs a certificate, it sends a SCEP request to the SCEP URL (AVX ONE). This request contains the CSR (Certificate Signing Request) along with the encrypted challenge sent by Intune.

Step 3: AVX ONE authenticates with Intune and presents the CSR along with the encrypted challenge sent by the endpoint to Intune.

Step 4: Intune validates the encrypted challenge and the CSR. Upon validation, Intune informs AVX ONE to either proceed with issuing the certificate or reject it based on the validation.

Step 5: AVX ONE presents the CSR to the configured CA of choice, gets it signed, and sends the certificate back to the endpoint.
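The five-step exchange above, modelled as an added example (this is not AppViewX's or Intune's code). The HMAC-signed token standing in for Intune's encrypted, signed challenge, the shared key, the dict-based CSR and the subject-binding check are all assumptions chosen to show the security-relevant point: the RA issues nothing until Intune has confirmed the challenge is authentic, unexpired and bound to the CSR it arrived with.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the Intune-side secret (assumption).
INTUNE_KEY = b"demo-shared-secret"


def intune_issue_challenge(key, device_id, subject, ttl_s, now=None):
    """Step 1: Intune attaches a signed challenge to the pushed SCEP profile."""
    now = time.time() if now is None else now
    payload = {"dev": device_id, "sub": subject, "exp": int(now + ttl_s)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def endpoint_build_scep_request(subject, pubkey, challenge):
    """Step 2: the endpoint sends its CSR plus the Intune challenge to the SCEP URL."""
    return {"csr": {"subject": subject, "pubkey": pubkey}, "challengePassword": challenge}


def intune_validate(key, request, now=None):
    """Step 4: Intune checks the challenge signature, expiry and CSR-to-profile binding."""
    now = time.time() if now is None else now
    try:
        body, sig = request["challengePassword"].split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (KeyError, ValueError):
        return False, "malformed challenge"
    if payload["exp"] < now:
        return False, "challenge expired"
    if payload["sub"] != request["csr"]["subject"]:
        return False, "CSR subject does not match profile"
    return True, payload["dev"]


def ca_sign(csr, issuer="Demo-CA"):
    """Step 5: the configured CA signs the CSR (serial number is constructed)."""
    serial = hashlib.sha256(json.dumps(csr, sort_keys=True).encode()).hexdigest()[:16]
    return {"subject": csr["subject"], "pubkey": csr["pubkey"], "issuer": issuer, "serial": serial}


def ra_handle_scep(key, request, now=None):
    """Steps 3-5: AVX ONE (the RA) asks Intune to validate, then issues or rejects."""
    ok, info = intune_validate(key, request, now)
    if not ok:
        return {"status": "rejected", "reason": info}
    return {"status": "issued", "device": info, "cert": ca_sign(request["csr"])}
```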


How to Operationalize the Integrated Solution

With the AVX ONE SaaS platform, there are two ways the endpoint can send the certificate request:

  1. Directly to the AVX ONE SaaS Platform URL:
    • The endpoint sends the certificate request directly to the AVX ONE SaaS platform URL.
    • This method provides a straightforward connection and reduces the dependency on additional network components.
  2. Send the Request to the AVX ONE Cloud Connector URL:
    • The endpoint sends the certificate request to the AVX ONE Cloud Connector URL.
    • The AVX ONE Cloud Connector acts as an intermediary Proxy, forwarding the request to the AVX ONE SaaS platform.
    • This method can be useful for additional security layers or if you need granular control over the connections.

Using the AVX ONE SaaS Platform URL

The endpoint sends the request to the AVX ONE SaaS URL on port 443 and, over the same channel, receives the certificate once the challenge has been validated with Intune. This URL is hosted in the cloud and is reachable from anywhere on the Internet.

  • Ensure that the AVX ONE SaaS URL is accessible over the internal corporate network, even if there are restrictions on Internet access.
  • This will allow endpoints to obtain certificates whether they are inside the corporate network or on the cloud, enabling them to roam between different network environments.

[Figure: Endpoints sending requests directly to AVX ONE]

Using the Request through the Cloud Connector

The Cloud Connector is a proxy component provided by AVX ONE that sits inside the corporate network so the AVX ONE SaaS platform can communicate with, and run certificate lifecycle management operations for, devices inside that network. The AVX ONE Cloud Connector establishes an outbound TLS tunnel on port 443 to the AVX ONE SaaS instance, and all communication with the corporate network passes through that tunnel.

The AVX ONE Cloud Connector needs to be provisioned behind a load balancer, and the endpoints send their requests to the load balancer's URL. That load balancer URL is the one configured as the SCEP URL in the Intune profile, which is then pushed to the endpoints.

There Are Two Scenarios for Endpoints

Endpoints on the Cloud: The enterprise firewall facing the Internet should be provisioned with a public IP. A hostname should be provisioned for the SCEP URL (for example, scep.intune.publicdomain.com) that resolves to the firewall's public IP in global DNS. The firewall should have a NAT rule that forwards connections to that public IP to the internal AVX ONE Cloud Connector. Intune pushes this URL in the profile; when the endpoint places a certificate request, the name resolves via global DNS, the request reaches the firewall, is forwarded to the AVX ONE Cloud Connector inside the environment, and from there travels to the AVX ONE SaaS instance.

[Figure: Endpoints on the cloud]

Same Endpoints when Inside the Corporate Network: The same hostname provisioned earlier (for example, scep.intune.publicdomain.com) should also be provisioned in the internal DNS, resolving directly to the AVX ONE Cloud Connector. When the endpoint sends a request from inside the network, the name is resolved by the internal DNS first and the request is routed directly to the AVX ONE Cloud Connector.

[Figure: Endpoints inside the corporate network]

With this split-DNS setup, endpoints are mobile: they can request a certificate using the same URL whether they are inside the corporate network or out on the cloud.

In conclusion, AVX ONE provides a turnkey solution for issuing certificates to Intune endpoints. With the direct request model, you do not need to create firewall rules or network configurations, or take on any other dependencies, to get started. No regular maintenance is needed, and any changes are simple and quick to make. All of this comes with the added advantage of a centralized certificate inventory in the AVX ONE platform, where the issued certificates are maintained. This gives you visibility into which endpoint each certificate belongs to, while also providing the ability to monitor and report on these certificates and to perform actions such as reprovisioning, renewing, and revoking them.

To learn more, request your AVX ONE Certificate Lifecycle Management demo today.

About the Author

Ajay Viswanath

Manager, Design Architecture, Customer Success

Ajay manages a team of Design Architects who help our customers design and implement AppViewX, and help them adopt the solution more effectively.
