Microsoft Intune Integration

Deploy WPA-Enterprise WiFi profiles and EAP-TLS certificates to managed Windows, iOS, Android, and macOS devices using Microsoft Intune with SCEP integration.

Overview

The Microsoft Intune integration enables:

  • WiFi profile deployment to managed devices
  • Certificate-based authentication (EAP-TLS)
  • SCEP integration for automatic certificate enrollment
  • Conditional access policies for WiFi

Prerequisites

  • IronWifi account with WPA-Enterprise configured
  • Microsoft Intune subscription
  • Azure Active Directory
  • Devices enrolled in Intune

Architecture Overview

Managed Device → Intune → WiFi Profile → IronWifi RADIUS

SCEP/NDES → IronWifi CA → Certificate

IronWifi SCEP Setup

Step 1: Enable SCEP

  1. Log in to IronWifi Console
  2. Navigate to Settings > SCEP
  3. Enable SCEP service
  4. Note the SCEP URL: https://scep.ironwifi.com/your-org

Step 2: Configure Certificate Settings

CA Settings:

  • Key Size: 2048-bit (minimum)
  • Validity Period: 365 days (recommended)
  • Subject Name Format: Configure as needed

Challenge Password:

  • Generate or set a challenge password
  • Store securely for Intune configuration

Intune Configuration

Create SCEP Profile

  1. In Microsoft Intune admin center
  2. Go to Devices > Configuration profiles
  3. Click Create profile
  4. Select platform (Windows, iOS, Android, macOS)
  5. Choose SCEP certificate profile type

SCEP Profile Settings

Certificate Properties:

  • Certificate type: User or Device
  • Subject name format: CN={{UserName}},E={{EmailAddress}}
  • Subject alternative name: UPN or Email as needed
  • Certificate validity: Match IronWifi CA setting
  • Key usage: Digital signature, Key encipherment
  • Key size: 2048
  • Hash algorithm: SHA-256

SCEP Server URLs:

https://scep.ironwifi.com/your-org/pkiclient.exe

Root Certificate:

  • Upload IronWifi root CA certificate
  • Required for trust chain

Create WiFi Profile

  1. Go to Devices > Configuration profiles
  2. Click Create profile
  3. Select platform
  4. Choose Wi-Fi profile type

WiFi Profile Settings

Basic Settings:

  • Network name (SSID): Your secure SSID
  • Connect automatically: Yes
  • Hidden network: As configured
  • Security type: WPA2-Enterprise

EAP Settings:

  • EAP type: EAP-TLS
  • Certificate server names: Your RADIUS server FQDN
  • Root certificate for server validation: IronWifi root CA

Client Authentication:

  • Authentication method: Certificate
  • Client certificate (Identity): SCEP profile created above

Profile Assignment

Create Device Groups

  1. In Azure AD, create groups for WiFi access:
    • WiFi-Managed-Devices
    • WiFi-BYOD-Devices

Assign Profiles

  1. Go to each profile (SCEP and WiFi)
  2. Click Assignments
  3. Add appropriate groups
  4. Configure any filters needed

Deployment Order

Ensure the profiles deploy in the correct order, since each depends on the one before it:

  1. Root CA certificate (trust profile)
  2. SCEP certificate profile
  3. WiFi profile

Use Intune's applicability rules or dependencies if needed.

Conditional Access

WiFi-Based Conditional Access

Combine Intune with Azure AD Conditional Access:

  1. Create Conditional Access policy
  2. Require device compliance
  3. Grant access only to compliant devices
  4. WiFi authentication succeeds only for compliant devices

IronWifi + Azure AD

  1. Enable Azure AD integration in IronWifi
  2. Configure RADIUS to check Azure AD groups
  3. Non-compliant devices fail authentication

Platform-Specific Notes

Windows 10/11

Profile Settings:

  • Single sign-on (SSO) can be enabled
  • Use machine certificate for pre-login connectivity
  • Configure proxy settings if needed

iOS/iPadOS

Additional Settings:

  • Trust certificate profile required
  • May need to disable MAC randomization
  • Per-app VPN can be combined

Android Enterprise

Work Profile:

  • WiFi profile applies to work profile
  • Personal apps use personal WiFi

Fully Managed:

  • WiFi available device-wide

macOS

Settings:

  • Similar to iOS configuration
  • May require additional trust profiles
  • System extension approval may be needed

Troubleshooting

Certificate Not Deploying

  1. Check SCEP URL is accessible
  2. Verify challenge password
  3. Review Intune device sync status
  4. Check certificate connector logs (if using NDES)
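A pre-flight check for the SCEP URL configured in the profile above and for the first troubleshooting step (an added example, not IronWifi's or Microsoft's code): it sends the GetCACaps and GetCACert query operations defined by SCEP (RFC 8894) and reports whether the CA advertises SHA-256 and POSTPKIOperation and hands back a DER-encoded CA certificate. The base URL is the page's placeholder, the required-capability set is an assumption derived from the profile's SHA-256 hash setting, and the fetcher is injectable so the check can run offline against constructed responses.

```python
import urllib.parse
import urllib.request

# Capabilities the SCEP profile on this page depends on (assumption): SHA-256 for the
# request hash and POSTPKIOperation so the client can POST the PKCS#7 enrollment message.
REQUIRED_CAPS = {"SHA-256", "POSTPKIOperation"}
# GetCACert returns a single CA cert (DER) or a CA/RA chain (PKCS#7); both are DER.
CA_CERT_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}


def scep_url(base, operation, message=""):
    """Build <base>/pkiclient.exe?operation=...&message=... from the SCEP base URL."""
    query = urllib.parse.urlencode({"operation": operation, "message": message})
    return base.rstrip("/") + "/pkiclient.exe?" + query


def parse_ca_caps(body):
    """GetCACaps answers with one capability keyword per line (RFC 8894, 3.5.2)."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def http_get(url):
    """Live fetcher: returns (Content-Type header, body bytes)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


def check_scep_endpoint(base, fetch=http_get):
    """Query GetCACaps and GetCACert; report missing capabilities and CA cert sanity."""
    _, caps_body = fetch(scep_url(base, "GetCACaps"))
    caps = parse_ca_caps(caps_body.decode("ascii", "replace"))
    ctype, cert_body = fetch(scep_url(base, "GetCACert"))
    media_type = ctype.split(";")[0].strip().lower()
    # DER structures start with an ASN.1 SEQUENCE tag (0x30); an HTML error page does not.
    ca_cert_ok = media_type in CA_CERT_TYPES and cert_body[:1] == b"\x30"
    missing = REQUIRED_CAPS - caps
    return {"caps": caps, "missing": missing, "ca_cert_ok": ca_cert_ok,
            "ok": ca_cert_ok and not missing}


if __name__ == "__main__":
    # Replace with the SCEP URL shown in the IronWifi console (placeholder below).
    print(check_scep_endpoint("https://scep.ironwifi.com/your-org"))
```

If `missing` is non-empty or `ca_cert_ok` is false, fix the IronWifi SCEP settings or the URL before assigning the Intune SCEP profile; Intune cannot enroll against a CA that does not offer the hash algorithm the profile requests.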

WiFi Not Connecting

  1. Verify certificate deployed successfully
  2. Check RADIUS server receives authentication
  3. Review IronWifi logs for errors
  4. Confirm EAP settings match

Certificate Renewal

  1. Certificates auto-renew before expiration
  2. Monitor renewal threshold settings
  3. Check for renewal failures in Intune

Monitoring

Intune Reports

  • Device configuration status
  • Certificate deployment status
  • Per-setting compliance

IronWifi Monitoring

  • Authentication success/failure rates
  • Certificate-based auth metrics
  • User/device activity logs

Best Practices

  1. Test in pilot group before broad deployment
  2. Use device groups for targeted deployment
  3. Monitor certificate expiration proactively
  4. Document configuration for support team
  5. Plan renewal process before certs expire