Introduction
In our previous posts on certificate-based authentication, we explored setting up Cloud PKI and implementing certificate-based authentication in Entra ID using authentication strength and conditional access policies. We also covered unique scenarios like cross-tenant authentication, primarily focusing on Windows environments.
Recently, I shared a post on deploying root and SCEP certificates on macOS. Now, it’s time to shift our focus to Android. In this blog, we’ll specifically cover the Intune configuration for deploying root and SCEP certificates on Android BYOD devices with a company profile and explore how these settings impact the user experience.
Intune Config
Trusted Certificate Deployment for Android Enterprise
Prerequisites:
- Access to Microsoft Intune with the necessary permissions.
- Trusted certificate authority (CA) certificate in .cer or .pem format.
- Android Enterprise devices enrolled in Intune.
Steps:
- Log into Microsoft Endpoint Manager Admin Center:
- Go to the Microsoft Endpoint Manager Admin Center.
- Sign in with your admin credentials.
- Navigate to Devices:
- From the left-hand menu, select Devices.
- Configure Profile:
- Under the By platform section, select Android.
- Click on Configuration profiles.
- Create a New Profile:
- Click + Create profile.
- For the platform, choose Android Enterprise.
- Select Trusted certificate for the profile type.
- Click Create.
- Name and Description:
- Provide a Name and Description for the certificate profile.
- Upload the Certificate:
- Click on Settings.
- Select Trusted certificate.
- Click Add and browse for the trusted CA certificate file (.cer or .pem).
- Upload the certificate.
- Assign the Profile:
- Click Next.
- In the Assignments section, select the groups of Android devices that will receive this certificate.
- Click Next.
- Review and Create:
- Review your configuration settings.
- Click Create to finalize the deployment.
- Sync the Device:
- On the Android device, open the Company Portal app.
- Navigate to Devices, select the device, and click Check status to initiate a sync.
- Check the Certificate Installation:
- On the Android device, go to Settings > Security > Trusted credentials.
- Verify that the trusted certificate has been installed under User or System credentials.
This process will deploy a trusted certificate to Android Enterprise devices using Microsoft Intune.
Deploy SCEP Certificate for Android Enterprise
Prerequisites:
- Access to Microsoft Intune with the necessary permissions.
- SCEP server URL and necessary credentials.
- Android Enterprise devices enrolled in Intune.
Steps:
- Log into Microsoft Endpoint Manager Admin Center:
- Go to the Microsoft Endpoint Manager Admin Center.
- Sign in with your admin credentials.
- Navigate to Devices:
- From the left-hand menu, select Devices.
- Configure Profile:
- Under the By platform section, select Android.
- Click on Configuration profiles.
- Create a New Profile:
- Click + Create profile.
- For the platform, choose Android Enterprise.
- Select SCEP certificate for the profile type.
- Click Create.
- Name and Description:
- Provide a Name and Description for the certificate profile.
- Configure SCEP Settings:
- Click on Settings.
- Select SCEP certificate.
- Fill in the following fields:
- Name: Enter a name for the SCEP certificate.
- Certificate type: Choose User.
- Subject name format: Define the format for the certificate subject name (e.g., CN={{UserPrincipalName}}).
- Subject alternative name: Specify any subject alternative names if needed.
- Attribute: User principal name (UPN).
- Value: CN={{UserName}}.
- SCEP server URL: Enter the URL of your SCEP server.
- Key Usage:
- In the Key usage section, select the following options:
- Digital signature: To enable the certificate to sign data, which is crucial for authentication.
- Key encipherment: To allow the certificate to encrypt keys, which is essential for secure communications.
- Key size: Choose the key size (e.g., 2048).
- Assign the Profile:
- Click Next.
- In the Assignments section, select the groups of Android devices that will receive this certificate.
- Click Next.
- Review and Create:
- Review your configuration settings.
- Click Create to finalize the deployment.
- Sync the Device:
- On the Android device, open the Company Portal app.
- Navigate to Devices, select the device, and click Check status to initiate a sync.
- Check the Certificate Installation:
- You won't be able to find the certificate in the device's Settings GUI.
By following these steps, you can successfully deploy a SCEP certificate to Android Enterprise devices using Microsoft Intune.
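As an added example (not code from the original post, and not anything Intune or Cloud PKI provides), the script below uses openssl to build a throwaway test CA, issue a user certificate shaped the way the SCEP profile above requests it (subject CN={{UserPrincipalName}}, the UPN as an otherName in the subject alternative name, Digital signature plus Key encipherment, 2048-bit key), and then checks that certificate offline. The check_scep_cert function is the useful part: because the SCEP-issued certificate cannot be inspected in the Android Settings GUI, checking a copy exported from the CA side or from a test client is a practical way to confirm the profile produced what you expected before troubleshooting a failed authentication. The to_pem helper covers the Trusted certificate prerequisite earlier in the post, accepting the CA in either .cer (DER) or .pem form. The CA name, the UPN jdoe@contoso.example and every generated file are constructed test data; the UPN otherName OID 1.3.6.1.4.1.311.20.2.3 is Microsoft's standard one.

```shell
#!/bin/sh
# Added example: constructed test CA + user certificate, checked against the
# settings of the SCEP profile described in the post. Nothing here is real
# tenant data; the throwaway CA stands in for the Cloud PKI issuing CA.
set -u
WORK=$(mktemp -d)
UPN="jdoe@contoso.example"   # constructed UPN, stands in for {{UserPrincipalName}}

# --- constructed stand-in for the Cloud PKI issuing CA --------------------
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example Cloud PKI Issuing CA" >/dev/null 2>&1
# A CA exported from a portal is often binary DER (.cer); simulate that export.
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"

# to_pem IN OUT: accept the trusted CA as .cer (DER) or .pem and write PEM,
# so the file uploaded to the Trusted certificate profile is always text PEM.
to_pem() {
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    cp "$1" "$2"
  else
    openssl x509 -in "$1" -inform DER -out "$2"
  fi
}

# issue_user_cert OUT KEYUSAGE: CSR + signing with the extensions the SCEP
# profile requests; KEYUSAGE is a parameter so a deliberately weak
# certificate can be produced for the negative check below.
issue_user_cert() {
  out="$1"; ku="$2"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.csr" \
    -subj "/CN=$UPN" >/dev/null 2>&1
  cat > "$out.cnf" <<EOF
[ext]
keyUsage = critical, $ku
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$UPN
EOF
  openssl x509 -req -in "$out.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$out.cnf" -extensions ext -out "$out" \
    >/dev/null 2>&1
}

# check_scep_cert CERT UPN: prints "ok" when the issued certificate matches
# the profile settings, otherwise prints the first mismatch and returns 1.
check_scep_cert() {
  cert="$1"; upn="$2"
  text=$(openssl x509 -in "$cert" -noout -text)
  # Subject name format CN={{UserPrincipalName}}
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$subj" = "CN=$upn" ] || { echo "subject mismatch: $subj"; return 1; }
  # Key usage: both Digital signature and Key encipherment must be present
  ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$ku" in
    *"Digital Signature"*"Key Encipherment"*) ;;
    *) echo "key usage mismatch:$ku"; return 1 ;;
  esac
  # Key size 2048
  printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' \
    || { echo "key size is not 2048"; return 1; }
  # openssl versions differ in how they print the UPN otherName, so look for
  # the UTF8String inside the DER encoding instead of parsing the text dump.
  openssl x509 -in "$cert" -outform DER | tr -cd '[:print:]' | grep -q "$upn" \
    || { echo "UPN SAN missing"; return 1; }
  echo ok
}

to_pem "$WORK/ca.cer" "$WORK/ca_upload.pem"
issue_user_cert "$WORK/user.pem" "digitalSignature, keyEncipherment"
issue_user_cert "$WORK/weak.pem" "digitalSignature"   # Key encipherment left out

check_scep_cert "$WORK/user.pem" "$UPN"           # prints: ok
check_scep_cert "$WORK/weak.pem" "$UPN" || true   # prints: key usage mismatch ...
```

The negative case matters in practice: a certificate missing Key encipherment or carrying a different subject format will still be issued, but the relying party can reject it during authentication, and without a check like this the only symptom is the failed sign-in shown in the user-experience section.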
User Experience
To thoroughly test the user experience, I enrolled the device as a BYOD (Bring Your Own Device) with a company-managed profile. This setup allowed me to explore how users would interact with both private and work profiles on the same device. Once the device was successfully enrolled, I installed the Microsoft Edge browser twice—once through the Google Play Store and once through Intune.
The Edge browser installed via the Google Play Store runs exclusively under the private profile, allowing access to personal data and apps. Meanwhile, the version of Edge installed through Intune is restricted to the company profile, where it follows corporate policies and provides access to work-related resources.
This dual installation allowed me to experience firsthand the separation between personal and company environments on a BYOD device. Below, you will see how the user interacts with each profile and how the experience varies depending on which version of Edge they are using.
If you’re interested in seeing how the experience differs on a corporately owned device, let me know!
Private Profile
As you can see in the private profile, you won’t be able to select the certificate because it is not accessible. The SCEP certificate is only available under the work profile, which means when you try to authenticate in the private profile, you can’t access or use the certificate for that purpose, and the authentication will fail, as shown in the video below.
Work Profile
When we perform the same action under the work profile, you will have the option to select the certificate, which was not available under the private profile. Once the certificate is selected, you can see that the authentication is successful.
Conclusion
Now that you’ve seen how to set up and manage certificate-based authentication on Android, and experienced how it functions across different profiles, you’re well-prepared to implement this on Android devices. If you haven’t already, I recommend checking out my previous post on macOS, where I covered certificate-based authentication for Apple devices in detail. For more information on setting up certificate-based authentication and Cloud PKI, don’t forget to review Part 1 and Part 2 of our series. Also, take a look at Part 4 to learn how to adapt Conditional Access policies for enrolling devices while enforcing certificate-based authentication.
In the next installment of our Certificate-Based Authentication series, we’ll dive into the iOS experience. Stay tuned for more content on Certificate-Based Authentication. I’ve also been considering documenting 802.1x authentication with Microsoft Intune Cloud PKI, so feel free to let me know if that’s something you’d be interested in!