Introduction
In our previous posts on certificate-based authentication, we delved into setting up the Cloud PKI and implementing certificate-based authentication in Entra ID using authentication strength and conditional access policies. We even explored some unique cases, such as cross-tenant authentication. All these experiences were documented for Windows environments.
However, I don’t want our Mac users to feel left out. That’s why I finally took the step I should have taken long ago—I ordered a Mac Mini. This allows me to properly document the user experience for Mac users as well.
In this blog, we’ll cover the Intune configuration for deploying root and SCEP certificates on macOS. Additionally, we’ll discuss how these settings impact the user experience.
Intune Configuration
Trusted Certificate Deployment
Prerequisites
- Access to Microsoft Intune with the necessary permissions.
- Trusted certificate authority (CA) certificate in .cer or .pem format.
- Mac devices enrolled in Intune.
Steps
- Log into Microsoft Endpoint Manager Admin Center:
  - Go to Microsoft Endpoint Manager Admin Center.
  - Sign in with your admin credentials.
- Navigate to Devices:
  - Select Devices from the left-hand menu.
- Configure Profile:
  - Select macOS under the By platform section.
  - Click on Configuration profiles.
- Create a New Profile:
  - Click + Create profile.
  - Choose macOS for the Platform.
  - Select Trusted certificate for the Profile type.
  - Click Create.
- Name and Description:
  - Provide a Name and Description for the certificate profile.
- Upload the Certificate:
  - Click on Settings.
  - Select Trusted certificate.
  - Click Add and browse to the trusted CA certificate file (.cer or .pem).
  - Upload the certificate.
- Assign the Profile:
  - Click Next.
  - In the Assignments section, select the groups to receive this certificate.
  - Click Next.
- Review and Create:
  - Review your settings.
  - Click Create.
- Sync the Device:
  - On the Mac, open the Company Portal app.
  - Go to Devices, select the device, and click Check status to sync.
- Check the Certificate Installation:
  - Open Keychain Access on the Mac.
  - In the System keychain, verify that the trusted certificate has been installed.
Deploy SCEP Certificate
Prerequisites
- Access to Microsoft Intune with the necessary permissions.
- SCEP server URL and necessary credentials.
- Mac devices enrolled in Intune.
Steps
- Log into Microsoft Endpoint Manager Admin Center:
  - Go to Microsoft Endpoint Manager Admin Center.
  - Sign in with your admin credentials.
- Navigate to Devices:
  - Select Devices from the left-hand menu.
- Configure Profile:
  - Select macOS under the By platform section.
  - Click on Configuration profiles.
- Create a New Profile:
  - Click + Create profile.
  - Choose macOS for the Platform.
  - Select SCEP certificate for the Profile type.
  - Click Create.
- Name and Description:
  - Provide a Name and Description for the certificate profile.
- Configure SCEP Settings:
  - Click on Settings.
  - Select SCEP certificate.
  - Fill in the following fields:
    - Name: Enter a name for the SCEP certificate.
    - Certificate type: Choose User.
    - Subject name format: Define the format for the certificate subject name (e.g., CN={{UserPrincipalName}}).
    - Subject alternative name: Specify any subject alternative names if needed.
      - Attribute: User principal name (UPN)
      - Value: CN={{UserName}}
    - SCEP server URL: Enter the URL of your SCEP server.
    - Key usage: In the Key usage section, select the following options:
      - Digital signature: To enable the certificate to sign data, which is crucial for authentication.
      - Key encipherment: To allow the certificate to encrypt keys, which is essential for secure communications.
    - Key size: Choose the key size (e.g., 2048).
    - Allow all apps access to private key: Not Configured (More Information Below)
- Assign the Profile:
  - Click Next.
  - In the Assignments section, select the groups to receive this certificate.
  - Click Next.
- Review and Create:
  - Review your settings.
  - Click Create.
- Sync the Device:
  - On the Mac, open the Company Portal app.
  - Go to Devices, select the device, and click Check status to sync.
- Check the Certificate Installation:
  - Open Keychain Access on the Mac.
  - In the System keychain, verify that the SCEP certificate has been installed.
User experience
Allow all apps access to private key
The “Allow all apps access to private key” setting in the SCEP (Simple Certificate Enrollment Protocol) certificate configuration for macOS determines whether the user is prompted to log in with a local account every time a certificate is needed. Choosing a value for it means balancing security against convenience, and there are a few factors to weigh.
User Authentication Prompts
Default Behavior
- Authentication Requirement: When access to the private key is restricted, macOS prompts the user to authenticate (via a local account password or Touch ID) each time an application needs the certificate. This ensures deliberate and authorized usage.
- Impact on User Experience: Frequent prompts can be disruptive, especially in environments where certificates are used often, such as signing emails, accessing VPNs, or authenticating to secure websites.
Allowing All Apps Access Setting
- Security Trade-off: Enabling the “Allow all apps access to private key” setting increases the risk of unauthorized access to the private key, potentially compromising security.
- Convenience: Enabling the setting eliminates repeated prompts, providing a smoother user experience.
Allow all apps access to private key -> Not configured
In some cases during my testing, I had to enter the local username and password multiple times before successfully logging in.
Allow all apps access to private key -> Enable
Before we can test the second user experience option, we need to modify the existing SCEP deployment policy. Change the setting “Allow All Apps Access to Private Key” to “Enabled.” This will prevent the user from needing to authenticate with their local account before signing in with the certificate.
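To check which way a deployed profile is actually configured, the following added example (not part of the original post and not Intune tooling) parses a configuration profile in plist form and flags SCEP payloads that deviate from the settings described above. It assumes the Intune option is delivered as Apple's `AllowAllAppsAccess` key in the `com.apple.security.scep` payload; the sample profile, its names and the 2048-bit minimum are constructed for illustration.

```python
import plistlib

# Constructed sample: a minimal configuration profile with one SCEP payload.
# Key names follow Apple's com.apple.security.scep payload; values are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.scep</string>
    <key>PayloadDisplayName</key><string>User SCEP (constructed)</string>
    <key>PayloadContent</key><dict>
      <key>URL</key><string>https://scep.example.invalid/scep</string>
      <key>Keysize</key><integer>2048</integer>
      <key>Key Usage</key><integer>5</integer>
      <key>AllowAllAppsAccess</key><true/>
    </dict>
  </dict></array>
</dict></plist>"""

SIGNING, ENCIPHERMENT = 1, 4  # bit values of the payload's "Key Usage" field


def audit_scep_payloads(profile_bytes, min_keysize=2048):
    """Return (payload name, finding) tuples for every SCEP payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue  # trusted-certificate and other payloads are not audited here
        name = payload.get("PayloadDisplayName", "<unnamed>")
        cfg = payload.get("PayloadContent", {})
        # Enabled: any app can use the key and the user is never prompted.
        if cfg.get("AllowAllAppsAccess", False):
            findings.append((name, "private key usable by all apps without a prompt"))
        keysize = cfg.get("Keysize", 0)
        if keysize < min_keysize:
            findings.append((name, f"key size {keysize} below {min_keysize}"))
        usage = cfg.get("Key Usage", 0)
        if not usage & SIGNING:
            findings.append((name, "digital signature usage missing"))
        if not usage & ENCIPHERMENT:
            findings.append((name, "key encipherment usage missing"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_scep_payloads(SAMPLE_PROFILE):
        print(f"{name}: {finding}")
```
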
Conclusion
Now that you know how to set up and manage certificate-based authentication on macOS, and how the user experience plays out, you’re well-prepared to implement this on Mac devices. For further details on setting up certificate-based authentication and Cloud PKI, refer to Part 1 and Part 2 of our series. Additionally, check out Part 4 to learn how to adapt Conditional Access policies for enrolling devices while enforcing certificate-based authentication.
In the next installment of our Certificate-Based Authentication series, we will focus on iOS and Android devices. Don’t worry, this is just the beginning for macOS. Stay tuned for more blog posts covering macOS topics in the future!