microsoftgraph / powershell-intune-samples

This repository of PowerShell sample scripts shows how to access Intune service resources. They demonstrate this by making HTTPS RESTful API requests to the Microsoft Graph API from PowerShell.
MIT License
1.33k stars, 653 forks

How to authenticate DEVICE using "Microsoft Intune MDM Device CA" certificate? #258

Open forderud opened 11 months ago

forderud commented 11 months ago

Hi. I'm evaluating feasibility of using the Microsoft Graph APIs to develop an alternative to the "Company Portal" app with custom UI. One sub-problem to then tackle is device authentication.

Intune appears to automatically create a "Microsoft Intune MDM Device CA" certificate for client authentication when enrolling: [image]

I'm assuming that the "Intune Management Extension" and "Company Portal" already use this Intune certificate to authenticate the device, so that they can afterwards query for available SW packages specific to just that particular machine. I am seeking advice on how to implement the same functionality myself.

It's possible to semi-solve the problem by creating an Azure app as described in How to use Azure AD to access the Intune APIs in Microsoft Graph. Then, one can upload the public key of the Intune certificate for all relevant machines to the Azure app. However, that approach suffers from several shortcomings:

Any advice on how to authenticate the DEVICE using the Intune certificate, without having to upload the public key to an Azure app?
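The "semi-solve" the post describes (an Azure app registration with the certificate's public key uploaded as a credential) is the standard certificate-credential flow of the Microsoft identity platform: the client proves possession of the private key by signing a short-lived JWT client assertion, and exchanges it for an app-only Graph token. The script below is an added example written for this page; it is not code from the powershell-intune-samples repository or from the issue author, and it assumes placeholder values for the tenant ID, application (client) ID and certificate thumbprint, and that the certificate with its private key is in the LocalMachine\My store.

```powershell
# Added example (not from the repository or the issue author): obtain an app-only
# Microsoft Graph token using a certificate credential, built as a raw OAuth 2.0
# client_credentials request with a self-signed JWT client assertion
# (RFC 7523 style, as accepted by the Microsoft identity platform v2.0 endpoint).
# All IDs below are assumptions/placeholders for your own tenant and app.

$TenantId   = '00000000-0000-0000-0000-000000000000'   # assumption: your tenant ID
$ClientId   = '11111111-1111-1111-1111-111111111111'   # assumption: your app (client) ID
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumption: cert uploaded to the app

# Locate the certificate in the machine store (device certs issued at enrolment
# live under LocalMachine\My) and make sure we can actually sign with it.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no usable private key" }

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # JWT segments use base64url without padding
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# JWT header: alg RS256; x5t is the base64url SHA-1 thumbprint, which is how
# Entra ID/Azure AD matches the assertion to the uploaded public key.
$x5t    = ConvertTo-Base64Url -Bytes $cert.GetCertHash()   # GetCertHash() is SHA-1
$header = @{ alg = 'RS256'; typ = 'JWT'; x5t = $x5t } | ConvertTo-Json -Compress

$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$claims = @{
    aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    iss = $ClientId
    sub = $ClientId
    jti = [guid]::NewGuid().ToString()   # unique per assertion (replay protection)
    nbf = $now
    exp = $now + 600                     # keep the assertion short-lived (10 min)
} | ConvertTo-Json -Compress

$unsigned = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
            (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($claims)))

# RS256 = RSA PKCS#1 v1.5 over SHA-256. GetRSAPrivateKey() works for both
# CAPI and CNG-backed keys, unlike the legacy $cert.PrivateKey property.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$sig = $rsa.SignData([Text.Encoding]::ASCII.GetBytes($unsigned),
                     [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                     [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = "$unsigned." + (ConvertTo-Base64Url $sig)

# Exchange the assertion for an access token (client credentials grant).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id             = $ClientId
        scope                 = 'https://graph.microsoft.com/.default'
        grant_type            = 'client_credentials'
        client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
        client_assertion      = $assertion
    }

# Use the token against Intune resources in Graph. The app registration needs an
# application permission such as DeviceManagementManagedDevices.Read.All.
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$devices = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName,serialNumber&$top=5'
$devices.value | Format-Table id, deviceName, serialNumber
```

Note what this flow does and does not prove: the token is issued to the app registration, not to the device. Any holder of any certificate whose public key is registered on the app gets the same app-only permissions across the whole tenant, so a script on one enrolled machine can read every managed device, and revoking one machine means removing its key from the app. That is the shortcoming the post is pointing at; the example illustrates the workaround as described, not a way to bind the resulting token to the individual device.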