**Device** certificates can only contain device attributes in the subject and SAN of the certificate. Use Device for scenarios such as user-less devices, like kiosks or other shared devices.
This selection affects the Subject name format.
For macOS, if this profile is configured to use the device deployment channel, you can select **User** or **Device**. If the profile is configured to use the user deployment channel, you can select only **User**. |
+ |**Subject name format** |All |For details on how to configure the subject name format, see [Subject name format](#subject-name-format) later in this article.
For the following platforms, the Subject name format is determined by the certificate type: - Android Enterprise (*Work Profile*)
- iOS
- macOS
- Windows 10/11
|
+ |**Subject alternative name** |All |For *Attribute*, select **User principal name (UPN)** unless otherwise required, configure a corresponding *Value*, and then select **Add**.
You can use variables or static text for the SAN of both certificate types. Use of a variable isn't required.
For more information, see [Subject name format](#subject-name-format) later in this article.|
|**Extended key usage** |
- Android device administrator
- Android Enterprise (*Device Owner*, *Corporate-Owned and Personally-Owned Work Profile*)
- Windows 10/11 |Certificates usually require *Client Authentication* so that the user or device can authenticate to a server. |
- |**Allow all apps access to private key** |
- macOS |Set to **Enable** to give apps that are configured for the associated mac device access to the PKCS certificate's private key.
For more information on this setting, see *AllowAllAppsAccess* the Certificate Payload section of [Configuration Profile Reference](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) in the Apple developer documentation. |
+ |**Allow all apps access to private key** |macOS |Set to **Enable** to give apps that are configured for the associated mac device access to the PKCS certificate's private key.
For more information on this setting, see *AllowAllAppsAccess* the Certificate Payload section of [Configuration Profile Reference](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) in the Apple developer documentation. |
|**Root Certificate** |- Android device administrator
- Android Enterprise (*Device Owner*, *Corporate-Owned and Personally-Owned Work Profile*) |Select a root CA certificate profile that was previously assigned. |
8. This step applies only to **Android Enterprise** devices profiles for **Fully Managed, Dedicated, and Corporate-Owned work Profile**.
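Review bot: the new macOS sentence in the Certificate type row (`For macOS, if this profile is configured to use the device deployment channel, you can select **User** or **Device**`) permits a User certificate on the device channel but never says where that certificate ends up; the Deployment channel text added elsewhere in this series states that the device channel stores certificates in the system keychain, so say so here (for example `A User certificate delivered over the device channel is stored in the system keychain, not the user keychain.`) so an admin doesn't assume a per-user store. Minor: the re-added Allow all apps access row still reads `see *AllowAllAppsAccess* the Certificate Payload section`; insert `in` after *AllowAllAppsAccess* while the line is being rewritten.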
@@ -416,10 +417,7 @@ Platforms:
>
> - When you specify a variable, enclose the variable name in curly brackets { } as seen in the example, to avoid an error.
> - Device properties used in the *subject* or *SAN* of a device certificate, like **IMEI**, **SerialNumber**, and **FullyQualifiedDomainName**, are properties that could be spoofed by a person with access to the device.
- > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install.
-
-## Verify deployment channel
-We recommend that you check the deployment channel in existing PKCS profiles when your linked authentication certificates are up for renewal. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md).
+ > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install.
## Next steps
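Review bot: the `-` lines delete the `## Verify deployment channel` section and with it the only statement that PKCS profiles created before the deployment channel setting existed keep storing their certificates in the device keychain until a new profile with the user channel is created, plus the advice to recheck the channel when the linked authentication certificates come up for renewal. The only `+` line in this hunk re-adds the `{{IMEI}}` note unchanged, so nothing here preserves that migration guidance; either keep the section or move its key sentence into the Deployment channel setting description. Also confirm the `-`/`+` pair on the IMEI note is intentional; if it only changes trailing whitespace, drop it to keep the diff focused.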
diff --git a/memdocs/intune/protect/certificates-profile-scep.md b/memdocs/intune/protect/certificates-profile-scep.md
index b6e4acf123a..21ed1993773 100644
--- a/memdocs/intune/protect/certificates-profile-scep.md
+++ b/memdocs/intune/protect/certificates-profile-scep.md
@@ -124,6 +124,11 @@ For more information about the KDC's requirements and enforcement date for stron
7. In **Configuration settings**, complete the following configurations:
+ - **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the linked certificates are stored, so it's important to select the proper channel.
+
+ Always select the user deployment channel in profiles with user certificates. The user channel stores certificates in the user keychain. Always select the device deployment channel in profiles with device certificates. The device channel stores certificates in the system keychain.
+
+ It's not possible to edit the deployment channel after you deploy the profile. You must create a new profile to select a different channel.
- **Certificate type**:
*(Applies to: Android, Android Enterprise, Android (AOSP), iOS/iPadOS, macOS, Windows 8.1, and Windows 10/11)*
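Review bot: the new Deployment channel bullet carries no platform scope, while the Certificate type bullet right below it has `*(Applies to: Android, Android Enterprise, Android (AOSP), iOS/iPadOS, macOS, Windows 8.1, and Windows 10/11)*`; the channel setting is described only for macOS in this series (the macOS-only sentence in the next hunk and the vpn-settings-macos change), so add an `*(Applies to: macOS)*` line after the bullet to match the article's convention. Also, `Always select the user deployment channel in profiles with user certificates` reads as a hard rule, but the next hunk explicitly allows the User certificate type on the device channel; state the consequence of that combination (the certificate is stored in the system keychain) alongside the rule so the reader knows what they get if they deviate.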
@@ -134,11 +139,13 @@ For more information about the KDC's requirements and enforcement date for stron
- **Device**: *Device* certificates can only contain device attributes in the subject and SAN of the certificate.
- Use **Device** for scenarios such as user-less devices, like kiosks, or for Windows devices. On Windows devices, the certificate is placed in the Local Computer certificate store.
+ Use **Device** for scenarios such as user-less devices, like kiosks, or for Windows devices. On Windows devices, the certificate is placed in the Local Computer certificate store.
+
+ For macOS, if this profile is configured to use the device deployment channel, you can select **User** or **Device**. If the profile is configured to use the user deployment channel, you can select only **User**.
> [!NOTE]
> Storage of certificates provisioned by SCEP:
- > - *macOS* - Certificates you provision with SCEP are always placed in the system keychain (also called *system store* or *device keychain*) of the device.
+ > - *macOS* - Certificates you provision with SCEP are always placed in the system keychain (also called *system store* or *device keychain*) of the device, unless you select the user deployment channel.
>
> - *Android* - Devices have both a *VPN and apps* certificate store, and a *WIFI* certificate store. Intune always stores SCEP certificates in the VPN and apps store on a device. Use of the VPN and apps store makes the certificate available for use by any other app.
>
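Review bot: the reworded macOS note `always placed in the system keychain ... unless you select the user deployment channel` contradicts itself (`always` with an exception); say which channel yields which keychain instead, for example `Certificates you provision with SCEP are placed in the system keychain (also called *system store* or *device keychain*) when the profile uses the device deployment channel, and in the user keychain when it uses the user deployment channel.` The `-`/`+` pair on the `Use **Device** for scenarios such as user-less devices` line is identical apart from whitespace; drop it unless the indentation change is needed for the new macOS paragraph that follows.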
@@ -461,9 +468,6 @@ Consider the following before you continue:
> - Certificates delivered by SCEP are each unique. Certificates delivered by PKCS are the same certificate, but appear different as each profile instance is represented by a separate line in the management profile.
> - On iOS 13 and macOS 10.15, there are [additional security requirements that are documented by Apple](https://support.apple.com/HT210176) to take into consideration.
-## Verify deployment channel
-We recommend checking the deployment channel in existing SCEP profiles when they're up for renewal to ensure that any authentication certificates you're using are stored in the proper keychain. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md).
-
## Next steps
[Assign profiles](../configuration/device-profile-assign.md)
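Review bot: removing `## Verify deployment channel` from the SCEP article drops the statement that SCEP profiles created before the deployment channel setting keep storing certificates in the device keychain until a new profile with the user channel is created, and the recommendation to recheck the channel at renewal; the Deployment channel bullet added at the top of this file only says the channel can't be edited after deployment. Keep at least the sentence about pre-existing profiles, since it's the only place an admin learns that existing user-targeted SCEP certificates aren't moved to the user keychain automatically and that a new profile is required.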
From 7793f4b60669952ed90baac277c41e3748b3f288 Mon Sep 17 00:00:00 2001
From: Laura Newsad
Date: Tue, 19 Nov 2024 14:36:29 -0500
Subject: [PATCH 33/33] Format fix
---
memdocs/intune/configuration/vpn-settings-macos.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/memdocs/intune/configuration/vpn-settings-macos.md b/memdocs/intune/configuration/vpn-settings-macos.md
index db7c7ce0c15..1a3f03b3dbc 100644
--- a/memdocs/intune/configuration/vpn-settings-macos.md
+++ b/memdocs/intune/configuration/vpn-settings-macos.md
@@ -56,7 +56,8 @@ This feature applies to:
You have two options:
- **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain.
- **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain.
-**Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections.
+
+- **Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections.
- **VPN server address**: Enter the IP address or fully qualified domain name of the VPN server that devices connect to. For example, enter `192.168.1.1` or `vpn.contoso.com`.
- **Authentication method**: Choose how devices authenticate to the VPN server. Your options:
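Review bot: after this fix `- **Connection name**` sits at the same list level as `- **User channel**` and `- **Device channel**`, which are the two values introduced by `You have two options:`, so the rendered list reads as three channel options followed by the VPN settings. Indent the two channel bullets under their parent setting (or keep the `You have two options:` block as a nested list) so that Connection name and VPN server address are siblings of the Deployment channel setting rather than of its values.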