SCEP (Simple Certificate Enrollment Protocol) is used to automatically generate and assign unique client-side certificates to devices. SCEP certificates can be used by mobile apps integrated with Microsoft Intune and a secure access client to authenticate connections from the mobile app to a proxy, reverse proxy, SSL VPN, or industry-standard VPN to access protected resources.
This Knowledge Base article provides detailed information about how to automatically add client-side certificates from Intune and secure access client to a mobile app so it can connect and authenticate to an SSL gateway, proxy / reverse proxy, or industry-standard VPN.
Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate Intune Client-Side Certificates using Microsoft SCEP to any mobile app – instantly, no code or coding required.
Mobile apps integrated with Appdome MicroVPN use certificate-based authentication to establish a secure connection to a network gateway (SSL gateway, proxy / reverse proxy, or industry-standard VPN. ) Appdome MicroVPN eliminates the need for mobile device level VPNs or per-app VPNs, allowing each mobile apps to connect directly to the enterprise infrastructure.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there are no required infrastructure changes and no dependency on SCEP, Intune, client-side certificates or any other authentication standard inside the app. The Appdome technology adds SCEP distributed client-side certificates and relevant standards, frameworks and more to the app automatically, with no manual development work at all. Using Appdome, mobile apps will use SCEP distributed client-side certificates to identify and authenticate users as if SCEP distributed client-side certificates was natively coded to the app.
In order to use Appdome’s no code implementation of MicroVPN on Appdome, you’ll need:
With Appdome, each mobile app can receive one or more SCEP profiles and does not use a device profile as required by some EMM or VPN solution. Apps are placed into a security group that is unique to Appdome, and each app utilizes the URI and certificates specified in the SCEP server for authentication and authorization. That means that rather than having the whole device managed with one policy, there can be separate security policies for each app, even on BYOD devices. Appdome supports multiple SCEP configurations for each app. If the Built app accesses more then one server, each server (or group of servers) gets its own certificate and this policy. This allows for a high-level of customization and policy granularity.
Note: built apps extract their user id from the Microsoft Intune SDK and send a client-side certificate with that user ID to the NDES server for signing. This enables built apps to authenticate using unique client-side certificates for each user to the Enterprise Gateway.
Follow these step-by-step instructions to add Intune Client-Side Certificates for Authentication to Any Mobile App:
Select the Build Tab. Note: a blue underline will appear showing the step is active
The Intune SDK resides in the Management tab and the MicroVPN by Appdome resides in the Access tab.
Detailed instructions for using Appdome to integrating an app with MicroVPN and the Intune SDK are available in the article on Integrating Apps with the Microsoft Intune SDK and MicroVPN without coding.For setting up certificates to use with the MicroVPN connection, Appdome offers two options. Static Certificates, which are added to your app during Fusion, and Dynamic Certificates, which are distributed via your SCEP server and are personalized, meaning they contain the user’s Microsoft Intune unique identifier. These certificates, besides providing security for your connection, provide means of user identification based on user identifier supplied by Intune.
If selecting both, Appdome will, when hardening a connection, first try to pin a personal Dynamic Certificate. If it is not available, for example, SCEP server took time to answer or was not reachable, it will use a static certificate. If neither is available, the connection will be prevented from leaving the mobile device.
To set up a Static Certificate (1), turn ON “Static Client Pinning” checkbox and upload your .pem and .key files.
To set up Dynamic Certificates (2), turn ON “Dynamic Client Pinning”, and enter your SCEP server URL.
Congratulations! You now have a mobile app fully integrated with MicroVPN and Intune Client-Side Certificates.
After you have added Dynamic Client Pinning using Microsoft Intune and SCEP server, to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.
Please view the article here on How to Complete My Mobile Integration Project After I Build My App.
That is it – Enjoy Appdome for Microsoft ADAL SSO in your application!
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.