We have just published a new whitepaper that describes best practices for securing and hardening the Network Device Enrollment Service (NDES) server role for use with Microsoft Intune and System Center Configuration Manager.
Deploying certificates via the Simple Certificate Enrollment Protocol (SCEP) ensures that each device's unique private key is generated and kept on the mobile device itself and is not accessible to other systems, services, or personnel. These keys can be further protected by using Trusted Platform Modules (TPMs) on Windows or Windows Phone, and by detecting and blocking jailbroken iOS devices or rooted Android devices so that the keys cannot be exported.
Microsoft's policy module technology ensures that the SCEP protocol can be used securely for distributing certificates to Internet-facing mobile devices. This whitepaper details how the policy module secures certificate deployment through NDES, as well as best practices for securing NDES behind a reverse proxy such as Windows Server 2012 R2 Web Application Proxy or Azure Active Directory Application Proxy.
You can also find additional resources here:
- Find TechNet documentation about certificate management in Microsoft Intune
- Find TechNet documentation about certificate management in System Center Configuration Manager
- Sign up for a free 30-day trial of Microsoft Intune
– Chris Green, Senior Program Manager