Android

The following article describes how to deploy a device certificate or a user certificate for Android. Android certificate deployment is very similar to Windows 10, macOS and iOS certificate deployments.

Deploying Device Certificate

Android offers two different solution sets for managing an Android device: a work profile solution set and a fully managed device solution set.

Certificate Deployment for Android Work Profiles

First, we need to trust the public root certificate from SCEPman. Therefore, you have to download the CA certificate (from SCEPman) and deploy it via a trusted certificate profile in Microsoft Intune:

Download the CA certificate:

Then, create a profile in Microsoft Intune:

  1. Download the CA Certificate

  2. Then, create a profile in Microsoft Intune

  3. Select Android Enterprise as Platform

  4. As Profile type select Trusted certificate (under Work Profile Only)

  5. Click Settings and **select A valid .cer file**

  6. Then click OK

  7. Finally click Create

When you are finished with it, you can deploy this profile to your devices.

Now, you have to create a SCEP certificate profile to deploy the device certificates. Make note of the SCEP server URL. This URL can be found in the Overview submenu of the SCEPman app service.

Append /certsrv/mscep/mscep.dll to that URL and note the result, e.g. https://scepman-xxx.azurewebsites.net/certsrv/mscep/mscep.dll ('xxx' is a placeholder).

Next, to finally deploy the device certificates, you have to create a SCEP certificate profile in Intune:

  1. Navigate to Microsoft Intune

  2. Click Device Configuration

  3. Choose Profile and click Create profile

  4. Then, enter a Name

  5. Select Android Enterprise as Platform

  6. Select SCEP certificate, under Work Profile Only, as Profile type

  7. Click Settings

  8. Configure the SCEP certificate

You cannot configure all SCEP certificate settings, because some of them are set as mandatory by SCEPman. The settings in the yellow rectangle are set automatically by SCEPman (for better visibility, we recommend entering the SCEPman mandatory values in the yellow rectangle as shown below). Here, Key usage is set to Digital signature and Key encipherment. The validity period is currently fixed at 6 months. The setting in the red rectangle is free to modify. Long term, all settings will be supported for configuration. There is a dependency on {{AAD_Device_ID}} in the subject name, which is used as a seed for the certificate serial number generation; therefore, the subject name must include it.

  9. Scroll down and enter the URL you have noted

  10. Then, click Add

  11. Next, click OK and finally click Create

When all is finished, you have the following two certificate configurations:

  • SCEPman - SCEP Android device certificate

  • SCEPman - Trusted root Android certificate

Certificate Deployment for Fully Managed Devices

First, we need to trust the public root certificate from SCEPman. Therefore, you have to download the CA certificate (from SCEPman) and deploy it via a trusted certificate profile in Microsoft Intune:

Download the CA certificate:

Then, create a profile in Microsoft Intune:

  1. Download the CA Certificate

  2. Then, create a profile in Microsoft Intune

  3. Select Android Enterprise as Platform

  4. As Profile type select Trusted certificate (under Device Owner Only)

  5. Click Settings and select A valid .cer file

  6. Then click OK

  7. Finally click Create

When you are finished with it, you can deploy this profile to your devices.

Now, you have to create a SCEP certificate profile to deploy the device certificates. Make note of the SCEP server URL. This URL can be found in the Overview submenu of the SCEPman app service.

Append /certsrv/mscep/mscep.dll to that URL and note the result, e.g. https://scepman-xxx.azurewebsites.net/certsrv/mscep/mscep.dll ('xxx' is a placeholder).

Next, to finally deploy the device certificates, you have to create a SCEP certificate profile in Intune:

  1. Navigate to Microsoft Intune

  2. Click Device Configuration

  3. Choose Profile and click Create profile

  4. Then, enter a Name

  5. Select Android Enterprise as Platform

  6. As Profile type select SCEP certificate (under Device Owner Only)

  7. Click Settings

  8. Configure the SCEP certificate

You cannot configure all SCEP certificate settings, because some of them are set as mandatory by SCEPman. The settings in the yellow rectangle are set automatically by SCEPman (for better visibility, we recommend entering the SCEPman mandatory values in the yellow rectangle as shown below). Here, Key usage is set to Digital signature and Key encipherment. The validity period is currently fixed at 6 months. The setting in the red rectangle is free to modify. Long term, all settings will be supported for configuration. There is a dependency on {{AAD_Device_ID}} in the subject name, which is used as a seed for the certificate serial number generation; therefore, the subject name must include it.

  9. Scroll down and enter the URL you have noted

  10. Then, click Add

  11. Next, click OK and finally click Create

When all is finished, you have the following two certificate configurations:

  • SCEPman - SCEP Android device certificate

  • SCEPman - Trusted root Android certificate

Subject Alternative Name

A Subject alternative name (SAN) is important for the whole Android device login process into a Wi-Fi profile. It can be divided into three phases:

  1. During the enrollment phase, you have to log in to your company portal with a company domain account (like [email protected])

  2. When the synchronization starts, the device gets a certificate and a Wi-Fi profile.

  3. The Wi-Fi profile is deployed. In detail, the following steps run in the background:

    • SAN verification (RFC 2818)

    • Search for certificates and profiles, based on your company domain

    • Deploy the Wi-Fi profile on your device

It is very important to enter a Subject alternative name in the SCEP certificate. Without a SAN you have no access to your company WLAN.

My Certificates

To check whether your certificate works correctly on your Android device, you can use My Certificates from Google Play.

Deploying User Certificate

Android offers two different solution sets for managing an Android device: a work profile solution set and a fully managed device solution set.

Certificate Deployment for Android Work Profiles

First, we need to trust the public root certificate from SCEPman. Therefore, you have to download the CA certificate (from SCEPman) and deploy it via a trusted certificate profile in Microsoft Intune:

Download the CA certificate:

Then, create a profile in Microsoft Intune:

  1. Download the CA Certificate

  2. Then, create a profile in Microsoft Intune

  3. Select Android Enterprise as Platform

  4. As Profile type select Trusted certificate (under Work Profile Only)

  5. Click Settings, select A valid .cer file

  6. Then, click OK

  7. Finally, click Create

When you are done with it, you can deploy this profile to your devices.

Now, you have to create a SCEP certificate profile to deploy the user certificates. Important for this step is the SCEP server URL. This URL can be found in the Overview submenu of the SCEPman app service.

Append /certsrv/mscep/mscep.dll to that URL and note the result, e.g. https://scepman-xxx.azurewebsites.net/certsrv/mscep/mscep.dll ('xxx' is a placeholder).

Next, to finally deploy the device certificates you have to create a SCEP certificate profile in Intune:

  1. Navigate to Microsoft Intune

  2. Click Device Configuration

  3. Choose Profile and click Create profile

  4. Then, enter a Name

  5. Select Android Enterprise as Platform

  6. As Profile type select SCEP certificate (under Device Owner Only)

  7. Click Settings

  8. Configure the SCEP certificate

You cannot configure all SCEP certificate settings, because some of them are set as mandatory by SCEPman. The settings in the yellow rectangle are set automatically by SCEPman (for better visibility, we recommend entering the SCEPman mandatory values in the yellow rectangle as shown below). Here, Key usage is set to Digital signature and Key encipherment. The validity period is currently fixed at 6 months. The setting in the red rectangle is free to modify. Long term, all settings will be supported for configuration. The setting for 'Subject name format' is freely selectable. For the Subject alternative name we recommend setting 'User principal name (UPN)'.

  9. Scroll down and enter the URL you have noted

  10. Then, click Add

  11. Next, click OK and finally click Create

When all is done, you have the following two certificate configurations:

  • SCEPman - SCEP Android user certificate

  • SCEPman - Trusted root Android certificate

Certificate Deployment for Fully Managed Devices

First, we need to trust the public root certificate from SCEPman. Therefore, you have to download the CA certificate (from SCEPman) and deploy it via a trusted certificate profile in Microsoft Intune:

Download the CA certificate:

Then, create a profile in Microsoft Intune:

  1. Download the CA Certificate

  2. Then, create a profile in Microsoft Intune

  3. Select Android Enterprise as Platform

  4. As Profile type select Trusted certificate (under Device Owner Only)

  5. Click Settings and select A valid .cer file

  6. Then click OK

  7. Finally click Create

When you are done with it, you can deploy this profile to your devices.

Now, you have to create a SCEP certificate profile to deploy the user certificates. Important for this step is the SCEP server URL. This URL can be found in the Overview submenu of the SCEPman app service.

Append /certsrv/mscep/mscep.dll to that URL and note the result, e.g. https://scepman-xxx.azurewebsites.net/certsrv/mscep/mscep.dll ('xxx' is a placeholder).

Next, to finally deploy the device certificates you have to create a SCEP certificate profile in Intune:

  1. Navigate to Microsoft Intune

  2. Click Device Configuration

  3. Choose Profile and click Create profile

  4. Then, enter a Name

  5. Select Android Enterprise as Platform

  6. As Profile type select SCEP certificate (under Device Owner Only)

  7. Click Settings

  8. Configure the SCEP certificate

You cannot configure all SCEP certificate settings, because some of them are set as mandatory by SCEPman. The settings in the yellow rectangle are set automatically by SCEPman (for better visibility, we recommend entering the SCEPman mandatory values in the yellow rectangle as shown below). Here, Key usage is set to Digital signature and Key encipherment. The validity period is currently fixed at 6 months. The setting in the red rectangle is free to modify. Long term, all settings will be supported for configuration. The setting for 'Subject name format' is freely selectable. For the Subject alternative name we recommend setting 'User principal name (UPN)'.

  9. Scroll down and enter the URL you have noted

  10. Then, click Add

  11. Next, click OK and finally click Create

When all is done, you have the following two certificate configurations:

  • SCEPman - SCEP Android user certificate

  • SCEPman - Trusted root Android certificate

Subject Alternative Name

A Subject alternative name (SAN) is important for the whole Android device login process into a Wi-Fi profile. It can be divided into three phases:

  1. During the enrollment phase, you have to log in to your company portal with a company domain account (like [email protected])

  2. When the synchronization starts, the device gets a certificate and a Wi-Fi profile.

  3. The Wi-Fi profile is deployed. In detail, the following steps run in the background:

    • SAN verification (RFC 2818)

    • Search for certificates and profiles, based on your company domain

    • Deploy the Wi-Fi profile on your device

It is very important to enter a Subject alternative name in the SCEP certificate. Without a SAN you have no access to your company WLAN.
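The SCEP profile constraints described above (HTTPS SCEP URL ending in /certsrv/mscep/mscep.dll, Key usage with Digital signature and Key encipherment, {{AAD_Device_ID}} in the device subject name, a SAN present and UPN recommended for user certificates) can be checked before a profile is assigned. The following is an added example, not SCEPman's or Intune's own code; the dictionary layout and the sample profiles are assumptions constructed for illustration, and {{DeviceName}} / {{UserPrincipalName}} are Intune certificate-profile variables used here only as sample values.

```python
# Constraints taken from the Android deployment notes above. The profile dict
# layout (scep_url, key_usage, subject_name, san) is an assumption for this
# example, not Intune's export format.
MANDATORY_KEY_USAGE = {"Digital signature", "Key encipherment"}
SCEP_PATH = "/certsrv/mscep/mscep.dll"
DEVICE_ID_VAR = "{{AAD_Device_ID}}"


def check_scep_profile(profile: dict, kind: str) -> list:
    """Return a list of problems found in an Intune SCEP profile (empty = OK).

    kind is "device" or "user"; san is a list of (type, value) tuples.
    """
    problems = []
    url = profile.get("scep_url", "")
    if not url.startswith("https://"):
        problems.append("SCEP server URL must use https")
    if not url.endswith(SCEP_PATH):
        problems.append("SCEP server URL must end with " + SCEP_PATH)
    missing = MANDATORY_KEY_USAGE - set(profile.get("key_usage", []))
    if missing:
        problems.append("key usage missing: " + ", ".join(sorted(missing)))
    if kind == "device" and DEVICE_ID_VAR not in profile.get("subject_name", ""):
        problems.append("device subject name must include " + DEVICE_ID_VAR)
    san = profile.get("san", [])
    if not san:
        problems.append("no subject alternative name: Wi-Fi login will fail")
    elif kind == "user" and not any(t == "UPN" for t, _ in san):
        problems.append("user certificate SAN should include the UPN")
    return problems


# Constructed sample profiles (not taken from the page's screenshots).
WEAK_DEVICE_PROFILE = {
    "scep_url": "http://scepman-xxx.azurewebsites.net/certsrv",
    "key_usage": ["Digital signature"],
    "subject_name": "CN={{DeviceName}}",
    "san": [],
}
GOOD_DEVICE_PROFILE = {
    "scep_url": "https://scepman-xxx.azurewebsites.net" + SCEP_PATH,
    "key_usage": ["Digital signature", "Key encipherment"],
    "subject_name": "CN={{AAD_Device_ID}}",
    "san": [("DNS", "{{DeviceName}}")],
}
GOOD_USER_PROFILE = {
    "scep_url": "https://scepman-xxx.azurewebsites.net" + SCEP_PATH,
    "key_usage": ["Digital signature", "Key encipherment"],
    "subject_name": "CN={{UserPrincipalName}}",
    "san": [("UPN", "{{UserPrincipalName}}")],
}
```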

My Certificates

To check whether your certificate works correctly on your Android device, you can use My Certificates from Google Play.