Add SCEP with Microsoft Intune to Mobile Apps for Authenticating Secure Connections

SCEP (Simple Certificate Enrollment Protocol) is used to automatically generate and assign unique client-side certificates to devices. SCEP certificates can be used by mobile apps integrated with Microsoft Intune and a secure access client to authenticate connections from the mobile app to a proxy, reverse proxy, SSL VPN, or industry-standard VPN to access protected resources.

This Knowledge Base article provides detailed information about how to automatically add client-side certificates from Intune and secure access client to a mobile app so it can connect and authenticate to an SSL gateway, proxy / reverse proxy, or industry-standard VPN.

Add SCEP with Microsoft Intune to Mobile Apps to Authenticate Connections to Network Gateways

Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate Intune Client-Side Certificates using Microsoft SCEP to any mobile app – instantly, no code or coding required.

Mobile apps integrated with Appdome MicroVPN use certificate-based authentication to establish a secure connection to a  network gateway (SSL gateway, proxy / reverse proxy, or industry-standard VPN. ) Appdome MicroVPN eliminates the need for mobile device level VPNs or per-app VPNs, allowing each mobile apps to connect directly to the enterprise infrastructure.

Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there are no required infrastructure changes and no dependency on SCEP, Intune, client-side certificates or any other authentication standard inside the app. The Appdome technology adds SCEP distributed client-side certificates and relevant standards, frameworks and more to the app automatically, with no manual development work at all. Using Appdome, mobile apps will use SCEP distributed client-side certificates to identify and authenticate users as if SCEP distributed client-side certificates was natively coded to the app.

Prerequisites to Enable SCEP for Microsoft Authentication with MicroVPN

In order to use Appdome’s no code implementation of MicroVPN on Appdome, you’ll need:

  • Appdome account
  • Mobile App (.ipa for iOS, or .apk or .aab for Android)
  • Enterprise-grade SSL gateway, proxy, reverse proxy, or industry-standard VPN that is the authentication or termination endpoint for the MicroVPN
  • List of internal domains the mobile app is trying to reach
  • NDES (Network Device Enrollment Service), which is Microsoft’s implementation of SCEP, connected to the organization CA
    • In order for Appdome to be able to reach your NDES server, it needs to be configured not to require one time passwords. On the NDES server, in Registry Editor, set the following key to 0 (zero):
      HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP > EnforcePassword > EnforcePassword
  • Microsoft Intune server
  • Signing Credentials (e.g., signing certificates and provisioning profile)

Operation of Appdome MicroVPN with Mobile Apps

With Appdome, each mobile app can receive one or more SCEP profiles and does not use a device profile as required by some EMM or VPN solution.  Apps are placed into a security group that is unique to Appdome, and each app utilizes the URI and certificates specified in the SCEP server for authentication and authorization. That means that rather than having the whole device managed with one policy, there can be separate security policies for each app, even on BYOD devices.  Appdome supports multiple SCEP configurations for each app. If the Built app accesses more then one server, each server (or group of servers) gets its own certificate and this policy. This allows for a high-level of customization and policy granularity.

Note: built apps extract their user id from the Microsoft Intune SDK and send a client-side certificate with that user ID to the NDES server for signing. This enables built apps to authenticate using unique client-side certificates for each user to the Enterprise Gateway.

How to Add Intune Client-Side Certificates to Any Mobile App for Authentication

Follow these step-by-step instructions to add Intune Client-Side Certificates for Authentication to Any Mobile App:

Upload a Mobile App to Your Account

Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

From the “Build” tab, Add Intune SDK and MicroVPN

Select the Build TabNote: a blue underline will appear showing the step is active

The Intune SDK resides in the Management tab and the MicroVPN by Appdome resides in the Access tab.

Detailed instructions for using Appdome to integrating an app with MicroVPN and the Intune SDK are available in the article on Integrating Apps with the Microsoft Intune SDK and MicroVPN without coding.For setting up certificates to use with the MicroVPN connection, Appdome offers two options. Static Certificates, which are added to your app during Fusion, and Dynamic Certificates, which are distributed via your SCEP server and are personalized, meaning they contain the user’s Microsoft Intune unique identifier. These certificates, besides providing security for your connection, provide means of user identification based on user identifier supplied by Intune.

If selecting both, Appdome will, when hardening a connection, first try to pin a personal Dynamic Certificate. If it is not available, for example, SCEP server took time to answer or was not reachable, it will use a static certificate. If neither is available, the connection will be prevented from leaving the mobile device.

To set up a Static Certificate (1), turn ON  “Static Client Pinning” checkbox and upload your .pem and .key files.

To set up Dynamic Certificates (2), turn ON  “Dynamic Client Pinning”, and enter your SCEP server URL.

Congratulations! You now have a mobile app fully integrated with MicroVPN and Intune Client-Side Certificates.

After Adding Intune Client-Side Certificates to  Any Mobile App for Authentication

After you have added Dynamic Client Pinning using Microsoft Intune and SCEP server, to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.

Please view the article here on How to Complete My Mobile Integration Project After I Build My App.

That is it – Enjoy Appdome for Microsoft ADAL SSO in your application!

How Do I Learn More?

Check out No-Code Microsoft Authentication for Mobile Apps, check out this blog or request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.  

Kai Kenan

Have a question?

Ask an expert

PaulMaking your security project a success!