memdocs/intune/protect/derived-credentials.md
@@ -1,13 +1,13 @@
1
1
---
2
2
# required metadata
3
3
4
-
title: Use derived credentials for mobile devices in Microsoft Intune
4
+
title: Use derived credentials for mobile devices with Microsoft Intune
5
5
description: Use derived credentials on mobile devices as an authentication method for Intune VPN, email, Wi-Fi profiles, applications, and S/MIME and encryption. Derived credentials are an implementation of the NIST guidelines for Special Publication 800-157.
6
6
keywords:
7
7
author: brenduns
8
8
ms.author: brenduns
9
9
manager: dougeby
10
-
ms.date: 09/08/2021
10
+
ms.date: 12/03/2021
11
11
ms.topic: how-to
12
12
ms.service: microsoft-intune
13
13
ms.subservice: protect
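Review bot: while the metadata block is being edited, the `description` value (line 5 of this hunk) still reads "S/MIME and encryption", which the body of the article phrases as "S/MIME signing and encryption" in its list of policy types; suggest matching that wording here so the page summary says what the article says. The title change to "with Microsoft Intune" and the ms.date bump look right.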
@@ -28,9 +28,13 @@ ms.custom: intune-azure
28
28
ms.collection: M365-identity-device-management
29
29
---
30
30
31
-
# Use derived credentials in Microsoft Intune
31
+
# Use derived credentials with Microsoft Intune
32
32
33
-
*This article applies to iOS/iPadOS, Android Enterprise fully managed devices that run version 7.0 and above, and devices that run Windows*
33
+
*This article applies to:*
34
+
35
+
-*Android Enterprise fully managed devices that run version 7.0 and above*
36
+
-*iOS/iPadOS*
37
+
-*Windows 10/11*
34
38
35
39
In an environment where smart cards are required for authentication or encryption and signing, you can use Intune to provision mobile devices with a certificate that's derived from a user's smart card. That certificate is called a *derived credential*. Intune [supports several derived credential issuers](#supported-issuers), though you can use only a single issuer per tenant at a time.
36
40
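Review bot: the new applicability list names only Android Enterprise fully managed devices, yet the rest of the article (the Required apps list and the DISA Purebred workflow bullets) also covers Android Enterprise Corporate-Owned Work Profile devices, so the list understates the scope; suggest adding that platform as a fourth item. Also, as shown the three added items have no space between the hyphen and the opening asterisk (`-*Android Enterprise fully managed devices …*`); if that is in the source rather than an artifact of the rendering, Markdown will not treat them as bullets.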
@@ -87,7 +91,7 @@ For important details about using the different issuers, review guidance for tha
87
91
88
92
### Required apps
89
93
90
-
Plan to deploy the relevant userfacing app to devices that will enroll for a derived credential. Device users use the app to start the credential enrollment process.
94
+
Plan to deploy the relevant user-facing app to devices that will enroll for a derived credential. Device users use the app to start the credential enrollment process.
91
95
92
96
- iOS devices use the Company Portal app. See [Add iOS store apps to Microsoft Intune](../apps/store-apps-ios.md).
93
97
- Android Enterprise Fully Managed and Corporate-Owned work profile devices use the Intune App. See [Add Android store apps to Microsoft Intune](../apps/store-apps-android.md).
@@ -121,7 +125,7 @@ Similarly, some derived credential request workflows require the use of the devi
121
125
122
126
### 2) Review the end-user workflow for your chosen issuer
123
127
124
-
Following are key considerations for each supported partner. Become familiar with this information so you can ensure your Intune policies and configurations don't block users and devices from successfully completing enrollment for a derived credential from that issuer.
128
+
The following are key considerations for each supported partner. Become familiar with this information so you can ensure your Intune policies and configurations don't block users and devices from successfully completing enrollment for a derived credential from that issuer.
125
129
126
130
#### DISA Purebred
127
131
@@ -134,11 +138,18 @@ Review the platform-specific user workflow for the devices you'll use with deriv
134
138
135
139
- Users need access to a computer or KIOSK where they can use their smart card to authenticate to the issuer.
136
140
- iOS and iPadOS devices that will enroll for a derived credential must install the Intune Company Portal app. Android Fully Managed and Corporate-Owned Work Profile devices must install and use the Intune app.
137
-
- Use Intune to [deploy the DISA Purebred app](#deploy-the-disa-purebred-app) to devices that will enroll for a derived credential. This app must be deployed through Intune so that it's managed, and can then work with the Intune Company Portal app or Intune App, which device users use to complete the derived credential request.
141
+
- Use Intune to [deploy the DISA Purebred app](#deploy-the-disa-purebred-app) to devices that will enroll for a derived credential. This app must be deployed through Intune so that it's managed and can then work with the Intune Company Portal app or Intune App, which device users use to complete the derived credential request.
138
142
- To retrieve a derived credential from the Purebred app, the device must have access to the on-premises network. Access might be through corporate Wi-Fi or VPN.
139
143
- Device users must work with a live agent during the enrollment process. During enrollment, time-limited one-time passcodes are provided to the user as they continue through the enrollment process.
140
144
- When changes are made to a policy that uses derived credentials, such as creation of a new Wi-Fi profile, iOS and iPadOS users are notified to open the Company Portal app.
141
145
- Users are notified to open the applicable app when they need to renew their derived credential.
146
+
147
+
The renewal process happens like this:
148
+
- The derived credential issuer needs to issue new or updated certificates before the previous certificates are 80% of the way through their validity period.
149
+
- The device checks in during the renewal period (the last 20% of the validity period).
150
+
- Microsoft Endpoint Manager notifies the user through email or an app notification to launch the Company Portal.
151
+
- The user launches the Company Portal and taps the derived credential notification, and then the derived credential certificates are copied to the device
152
+
142
153
143
154
For information getting and configuring the DISA Purebred app, see [Deploy the DISA Purebred app](#deploy-the-disa-purebred-app) later in this article.
144
155
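Review bot: the added renewal steps tell the user to "launch the Company Portal", but two bullets above in this same hunk state that Android Fully Managed and Corporate-Owned Work Profile devices install and use the Intune app, and the lead bullet says "the applicable app"; suggest wording the notification and launch steps as "the Company Portal app or the Intune app, as applicable" so the Android path is not described incorrectly. The final step also lacks a terminal period, and this five-line sequence is inserted verbatim under each issuer even though the article already has a "Renew a derived credential" section; consider stating it once there and linking to it from each issuer subsection.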
@@ -159,6 +170,12 @@ Review the platform-specific user workflow for the devices you'll use with deriv
159
170
-**iOS and iPadOS** - Users are notified to open the Company Portal app.
160
171
-**Android Enterprise***Corporate-Owned Work Profile* or *Fully managed devices* - The Company Portal app doesn't need to open.
161
172
- Users are notified to open the applicable app when they need to renew their derived credential.
173
+
174
+
The renewal process happens like this:
175
+
- The derived credential issuer needs to issue new or updated certificates before the previous certificates are 80% of the way through their validity period.
176
+
- The device checks in during the renewal period (the last 20% of the validity period).
177
+
- Microsoft Endpoint Manager notifies the user through email or an app notification to launch the Company Portal.
178
+
- The user launches the Company Portal and taps the derived credential notification, and then the derived credential certificates are copied to the device
162
179
163
180
#### Intercede
164
181
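Review bot: the renewal steps added here conflict with the Android line in this same hunk: that line says "The Company Portal app doesn't need to open" for Corporate-Owned Work Profile and Fully managed devices, while the new last two steps have the user launch the Company Portal and tap the notification. Suggest qualifying those steps by platform (Company Portal for iOS/iPadOS, the Intune app for Android Enterprise) and ending the final step with a period.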
@@ -177,6 +194,12 @@ Review the platform-specific user workflow for the devices you'll use with deriv
177
194
-**iOS and iPadOS** - Users are notified to open the Company Portal app.
178
195
-**Android Enterprise***Corporate-Owned Work Profile* or *Fully managed devices* - The Company Portal app doesn't need to open.
179
196
- Users are notified to open the applicable app when they need to renew their derived credential.
197
+
198
+
The renewal process happens like this:
199
+
- The derived credential issuer needs to issue new or updated certificates before the previous certificates are 80% of the way through their validity period.
200
+
- The device checks in during the renewal period (the last 20% of the validity period).
201
+
- Microsoft Endpoint Manager notifies the user through email or an app notification to launch the Company Portal.
202
+
- The user launches the Company Portal and taps the derived credential notification, and then the derived credential certificates are copied to the device
180
203
181
204
### 3) Deploy a trusted root certificate to devices
182
205
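Review bot: this is the third identical copy of the renewal sequence, and it carries the same Android mismatch as the other two (the preceding context line says the Company Portal app doesn't need to open on Corporate-Owned Work Profile or Fully managed devices, the new steps say launch the Company Portal). Rather than maintaining three copies, suggest a single description in the existing "Renew a derived credential" section with a link from each issuer subsection; whichever form stays, the final step needs its closing period.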
@@ -195,7 +218,7 @@ Create new policies or edit existing policies to use derived credentials. Derive
195
218
- App authentication
196
219
- Wi-Fi
197
220
- VPN
198
-
-email (iOS only)
221
+
-Email (iOS only)
199
222
- S/MIME signing and encryption, including Outlook (iOS only)
200
223
201
224
Avoid requiring use of a derived credential to access a process that you'll use as part of the process to get the derived credential, as that can prevent users from completing the request.
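Review bot: the capitalization fix is right, but the item still reads `-Email (iOS only)` with no space after the hyphen, while the neighbouring items (`- App authentication`, `- Wi-Fi`, `- VPN`) have one; if that is how the source reads rather than an artifact of the rendering, the line will not render as a list item, so add the space while this line is being touched.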
@@ -237,7 +260,7 @@ After you save the configuration, you can make changes to all fields except for
237
260
238
261
To use **DISA Purebred** as your derived credential issuer for Intune, you must get the DISA Purebred app and then use Intune to deploy the app to devices. Then users request the derived credential from DISA Purebred by using the Company Portal App on their iOS/iPadOS device, or the Intune app on their Android devices.
239
262
240
-
In addition to the deploying the DISA Purebred app with Intune, the device must have access to the on-premises network. To provide this access, consider using a VPN or corporate Wi-Fi.
263
+
In addition to deploying the DISA Purebred app with Intune, the device must have access to the on-premises network. To provide this access, consider using a VPN or corporate Wi-Fi.
241
264
242
265
**Complete the following tasks**:
243
266
@@ -311,13 +334,13 @@ For Windows, users don't work through a smartcard registration process to obtain
311
334
312
335
1.**Install the app from the Derived Credential providers on the Windows device**.
313
336
314
-
When you install the Windows app from a derived credential provider on a Windows device, the derived certificate is added to that devices Windows certificate store. After the certificate is added to the device, it becomes available for use a derived credential authentication method.
337
+
When you install the Windows app from a derived credential provider on a Windows device, the derived certificate is added to that device's Windows certificate store. After the certificate is added to the device, it becomes available for use a derived credential authentication method.
315
338
316
339
After you get the app from your chosen provider, the app can be deployed to Users, or directly installed by the user of the device.
317
340
318
341
2.**Configure Wi-Fi and VPN profiles to use derived credentials as the authentication method**.
319
342
320
-
When configuring a Windows profile for Wi-Fi or VPN, select **Derived credential** for the *Authentication Method*. With this configuration, the profile uses the certificate that installs on the device when the providers app was installed.
343
+
When configuring a Windows profile for Wi-Fi or VPN, select **Derived credential** for the *Authentication Method*. With this configuration, the profile uses the certificate that installs on the device when the provider's app was installed.
321
344
322
345
## Renew a derived credential
323
346
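Review bot: the corrected sentence in the first paragraph of this hunk still drops a word: "it becomes available for use a derived credential authentication method" should read "available for use as a derived credential authentication method". Since both paragraphs here are being fixed for possessives ("device's", "provider's"), that fix belongs in the same change.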
@@ -329,7 +352,7 @@ After a device receives a new derived credential, policies that use derived cred
329
352
330
353
## Change the derived credential issuer
331
354
332
-
At the tenant level, you can change your credential issuer, although only one issuer is supported for a tenant at a time.
355
+
At the tenant level, you can change your credential issuer, although only one issuer is supported by a tenant at a time.
333
356
334
357
After you change the issuer, users are prompted to get a new derived credential from the new issuer. They must do so before they can use a derived credential for authentication.
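Review bot: "only one issuer is supported by a tenant at a time" leaves it unclear whether this is a tenant capability or an Intune limit; the article's introduction phrases the same constraint as "you can use only a single issuer per tenant at a time", and reusing that wording here keeps the two statements consistent.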