FortiClient
babakmh
Staff
Article Id: 410071
Description: This article explains how to configure EMS and Intune to install FortiClient on a mobile device and connect it to EMS, then deploy the ZTNA client certificate and push it via Intune to the mobile device.
Scope: FortiClient EMS v7.2.2 and later
Solution

Role of MDM in Mobile Certificate Management

On iOS and Android, user apps such as FortiClient cannot freely write certificates into the system certificate/key store due to the mobile OS security restrictions. Only the device management framework (MDM) has the elevated permissions to silently install and manage client certificates in the trusted store.


Requirements and Key Facts

  • Public Access to EMS: In v7.4, EMS must be accessible over ports 4001 and 4002, as its built-in SCEP server operates on these ports. EMS 7.2 uses ports 40001 and 40002.
  • Security Posture Tags: Mobile devices can be assigned security posture tags, allowing administrators to enforce compliance-based policies.
  • ZTNA Support on Mobile: Only the HTTPS access proxy is supported for ZTNA connections on mobile devices. Other proxy types, such as TCP forwarding, are not available. On iOS, HTTPS access proxy is only supported on Safari since other browsers don't have access to the certificate store due to security restrictions on iOS.


Topology and Flow:

The following topology demonstrates the process of connecting FortiClient on a mobile device to EMS by using Microsoft Intune as the mobile device management (MDM) platform. The goal is to deliver the required ZTNA certificate to the mobile device by leveraging an Intune SCEP profile. The configuration is based on the topology shown below, which outlines the integration between EMS and Intune.


1.1. Topology.png

The following diagram illustrates the operational flow between EMS, Microsoft Intune, and the mobile device. It outlines the sequence of interactions required for device registration, certificate enrollment, and profile deployment. The workflow between EMS, Intune, and the mobile device is depicted below:


1.2. Flow Topology.png

Configuration Steps:

The following steps describe the configuration of Entra ID, EMS, Intune, and the mobile device to enable FortiClient to connect to EMS and obtain the ZTNA certificate:


Entra ID Configuration:

  1. Log in to portal.azure.com -> Microsoft Entra ID -> Add -> User -> Create new user -> name it Intune -> Create.
  2. Go to Microsoft Entra ID -> Add -> Group -> name it grp_Intune_Enrollment -> Create.
  3. Create a user named Intune and make it a member of the grp_Intune_Enrollment group. The Intune user will register the mobile device in Intune, and the appropriate license will be assigned to this user afterward in the Intune Configuration part. The naming of the user and group is optional.

    2 New Group in Entra ID .png
  4. Optional: Install the Intune Company Portal application on the phone using the licensed Intune user account specified in the previous step to register the device into Intune.

    42. iPhone Install Company Intune Portal and Intune profile.png
  5. Go to portal.azure.com -> Microsoft Entra ID -> App registrations -> New registration -> name it EMS-Intune-integration -> select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) -> Register.

    3. Configure app .png
  6. Go to Certificates & secrets -> New client secret -> enter a Description and set the Expires period -> Add -> copy the Value string and store it securely, as it cannot be retrieved later.

    3. certificate Configure app .png
  7. Go to API permissions -> Add a permission -> Microsoft Graph -> Application permissions -> add the following permissions:
    • Application.Read.All
    • Device.Read.All
    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementManagedDevices.Read.All
    • Group.ReadWrite.All

      7.5 Configure app .png

  8. Go to API permissions -> Add a permission -> Intune -> Application permissions -> search for scep_challenge_provider -> Add permission. Then select Grant admin consent for Default Directory and ensure the Status is green for all added permissions.

7.6 Configure app .png


Grant permissions.png


EMS Configuration:

  • In the EMS Console, navigate to: System Settings -> MDM Integration.

  • Select Enable MDM Integration.

  • From the Vendor drop-down menu, choose Microsoft Intune.

  • Open a browser and sign in to the Azure Portal at https://portal.azure.com

  • In the Azure portal, navigate to: Microsoft Entra ID -> App Registrations.

  • Locate the application EMS-Intune-Integration and select Overview.

  • Copy the Application (Client) ID value and paste it into the Client ID field in EMS.

  • Copy the Directory (Tenant) ID value and paste it into the Tenant ID field in EMS.

  • EMS: Select Test -> ensure the result is successful -> Save.


8. EMS integration with Intune successfully.png

Intune Configuration

  1. Navigate to intune.microsoft.com -> Users -> find the Intune user -> Licenses, and ensure this user has one of the following licenses so it can register and manage devices in Intune. Each of these licenses provides the Intune capabilities needed to enroll and manage mobile devices:
    • Enterprise Mobility + Security E3 or E5.
    • Microsoft Intune standalone license.
    • Microsoft 365 Business Premium.
    • Microsoft 365 E3 or E5.

      9. Intune license.png

  2. Go to intune.microsoft.com -> Devices, select iOS/iPadOS under By platform, select Enrollment under Device onboarding, select Apple MDM Push Certificate and ensure the status is Active. If it is not, follow steps 1 to 5 on the same page to upload a valid Apple MDM push certificate.

  3. Go to intune.microsoft.com -> Apps, select iOS/iPadOS -> Create -> open the App type drop-down and select iOS store app -> Search the App Store -> enter FortiClient in the search box and select FortiClient -> under the App Information tab, fields such as Name, Description, and others can be customized as required -> under the Assignments tab, select Add group under Required and add the grp_Intune_Enrollment group created earlier -> select Next -> select Create under the Review + create tab.

11.1. App Config.png
11.3. App Config.png

11.4. App Config.png


  4. Go to intune.microsoft.com -> Apps -> select iOS/iPadOS -> select Configuration -> open the Create drop-down and select Managed devices -> enter a name for the app policy such as FortiClient-app-policy in the Name box -> open the Platform drop-down and select iOS/iPadOS -> for Targeted app, select the FortiClient application that was created in the previous step -> select Next -> under the Settings tab, select Use configuration designer from the drop-down -> add the configuration keys and values exactly as in the table below, ensuring there are no typos or unnecessary spaces at the beginning or end of any entry.

    Configuration key    Value type    Configuration value
    intune_device_id     String        {{aaddeviceid}}
    invitation_code      String        <EMS BULK INVITATION CODE>

Select Next -> under the Assignments tab, select Add group under Required and add the grp_Intune_Enrollment group created earlier -> select Next -> select Create under the Review + create tab.
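The same two keys can be validated before they are entered, which catches the typo and stray-whitespace mistakes the step above warns about. This is an added example, not Fortinet's or Microsoft's code; it shapes the settings as the Microsoft Graph iosMobileAppConfiguration body that the Intune portal creates for a managed-device app configuration. The app id and invitation code are constructed placeholders.

```python
"""Validate and build the FortiClient managed-app configuration for Intune.

Added example (not from the article). REQUIRED_KEYS mirrors the table above:
intune_device_id must carry the Intune token {{aaddeviceid}}, and
invitation_code must carry the EMS bulk invitation code.
"""
import json

# Exact keys FortiClient reads from the MDM app configuration; None = any non-empty value.
REQUIRED_KEYS = {"intune_device_id": "{{aaddeviceid}}", "invitation_code": None}


def validate_settings(settings: dict) -> list:
    """Return a list of problems; an empty list means the policy is safe to create."""
    problems = []
    for key, value in settings.items():
        if key != key.strip() or value != value.strip():
            problems.append(f"{key!r}: leading/trailing whitespace in key or value")
        if key.strip() not in REQUIRED_KEYS:
            problems.append(f"{key!r}: not a key FortiClient recognises")
    for key, expected in REQUIRED_KEYS.items():
        if key not in settings:
            problems.append(f"{key!r}: missing")
        elif expected is not None and settings[key] != expected:
            problems.append(f"{key!r}: must be the Intune token {expected}")
        elif expected is None and not settings[key].strip():
            problems.append(f"{key!r}: value is empty")
    return problems


def build_app_config(name: str, forticlient_app_id: str, settings: dict) -> dict:
    """Shape validated settings as a Graph iosMobileAppConfiguration payload
    (the body one would POST to /deviceAppManagement/mobileAppConfigurations)."""
    problems = validate_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": name,
        "targetedMobileApps": [forticlient_app_id],  # Intune app id of FortiClient
        "settings": [
            {"appConfigKey": k, "appConfigKeyType": "stringType", "appConfigKeyValue": v}
            for k, v in settings.items()
        ],
    }


if __name__ == "__main__":
    # Constructed sample values; replace with the real EMS bulk invitation code.
    sample = {"intune_device_id": "{{aaddeviceid}}", "invitation_code": "EXAMPLE-CODE-1234"}
    print(json.dumps(build_app_config("FortiClient-app-policy", "<FORTICLIENT-APP-ID>", sample), indent=2))
```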

12.1. FortiClient App policy.png

12.2. FortiClient App policy.png

iPhone Configuration:

  1. If the device has not yet been registered with Intune, return to step 4 under Entra ID Configuration and complete the Intune device enrollment process.
  2. If FortiClient has not been automatically installed on the iPhone, open the Intune Company Portal app -> Install FortiClient, and ensure it is connected to EMS via Telemetry.

How to verify that the ZTNA client certificate has been successfully deployed to the phone:

  1. EMS Verification: Go to the EMS console -> Endpoints -> All Endpoints, search for the phone, select it, and under the Endpoint Summary tab ensure the ZTNA Serial Number is visible, MDM Enrolled shows as Enrolled, and MDM Deployment Status is Installed.
  2. Phone Verification:
    • iPhone: Open the FortiClient app -> About -> MDM App Configurations, and ensure the intune_device_id value is displayed and matches the value in Intune -> Devices -> iOS/iPadOS -> select the newly registered phone -> Hardware -> Intune Device ID.


14. iPhone valid intune_device_id.png

    • iPhone: Go to Settings -> General -> VPN & Device Management -> Management Profile, and ensure that the EMS_SCEP_Cert_..._1 certificate, signed by EMS, is installed under SCEP DEVICE IDENTITY CERTIFICATES. Its Common Name must match the ZTNA Certificate Serial Number displayed in the EMS console Endpoint Summary tab.

16. iPhone when connected to EMS cloud and successfully received the cert.png
