Part of ZeroTek's Okta Device Trust Setup guide
ROLE REQUIRED
Intune Administrator (minimum)
This procedure creates the trusted certificate profile and the SCEP certificate profile in Intune that are required to deploy the Okta device trust certificate to Windows devices.
BEFORE YOU BEGIN
As part of ZeroTek's Okta Device Trust Setup guide, this procedure assumes you have completed Configure Okta as a certificate authority, including downloading the x.509 certificate. Only complete this procedure if the environment includes Windows devices.
Create a trusted certificate profile
In the Microsoft Intune admin center, click Devices.
Under By platform, click Windows.
Click Configuration profiles.
On the Policies tab, click Create > New Policy.
Under Platform, select Windows 10 and later.
Under Profile type, select Templates.
Click Trusted certificate and click Create.
Type a name for the certificate (our example uses Trusted Cert for Windows Intune in Okta) and click Next.
Under Configuration settings, click the browse folder icon.
Browse to and upload the x.509 certificate you downloaded from Okta, then click Open.
From the Destination store dropdown, select Computer certificate store - Intermediate, then click Next.
Add the user group in scope and click Next.
In the Applicability Rules tab, click Next (no changes required).
Click Create and confirm the new configuration profile appears in the list.
Create a SCEP profile in Intune
In the Microsoft Intune admin center, navigate to Devices > Windows and click Create > New Policy.
Under Platform, select Windows 10 and later.
Under Profile type, select Templates.
Click SCEP certificate and click Create.
Type a name for the policy such as "Windows SCEP profile" and click Next.
In the Configuration settings tab, specify the following:
Certificate type: User
Subject name format: CN={{UserName}} ManagementAttestation{{AAD_Device_ID}}
Set the following values, then click Root Certificate:
Key storage provider: Enroll to Trusted Platform Module (TPM) KSP if present, otherwise...
Key usage: Digital signature
Key size: 2048
Hash algorithm: SHA-2
Select the trusted certificate profile created earlier in this procedure and click OK.
Under Predefined values, select Client Authentication.
Paste the SCEP Server URL generated from Okta, then click Next.
Add the same user group you assigned to the trusted certificate profile earlier (Step 12), click Next, then on the final screen click Review + create.
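After Intune syncs, the following script (added here as a verification aid; it is not part of ZeroTek's guide or Okta's tooling) can be run on an enrolled Windows device as the targeted user to confirm that both profiles above produced what this page expects: the Okta CA in the Intermediate store, and a user certificate whose subject carries ManagementAttestation, is issued by that CA, has the Client Authentication EKU, a 2048-bit key, a SHA-2 signature, and a TPM-backed private key. The $OktaCaSubject value is a placeholder assumption; set it to a substring of the subject of the x.509 certificate you downloaded from Okta.

```powershell
# Verification script added to this page (not ZeroTek's or Okta's code).
# Run on an enrolled Windows device as the targeted user after Intune has synced.
# Assumption: $OktaCaSubject is a substring of the Okta CA's Subject; change it for your tenant.
param([string]$OktaCaSubject = 'Okta')   # placeholder value

# Trusted certificate profile: "Computer certificate store - Intermediate" is LocalMachine\CA.
$okta = @(Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -like "*$OktaCaSubject*" })
if ($okta.Count -eq 0) {
    Write-Warning "Okta CA not in LocalMachine\CA: trusted certificate profile has not applied"
    return
}
$okta | Format-List Subject, Thumbprint, NotAfter

# SCEP profile: Certificate type "User" lands in CurrentUser\My; the subject must carry
# ManagementAttestation, the issuer must be the Okta CA, and the EKU must include Client Authentication.
$clientAuth = '1.3.6.1.5.5.7.3.2'
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Subject -match 'ManagementAttestation' -and
    $_.Issuer -eq $okta[0].Subject -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuth })
})
if ($certs.Count -eq 0) {
    Write-Warning "No Okta device trust certificate in CurrentUser\My: SCEP enrollment not complete"
    return
}

$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
foreach ($c in $certs) {
    # Key size 2048 and SHA-2 come straight from the SCEP profile settings.
    $pub = $ext::GetRSAPublicKey($c)
    # Key storage provider: a TPM-backed key reports the Microsoft Platform Crypto Provider.
    $provider = 'unknown'
    try { $provider = $ext::GetRSAPrivateKey($c).Key.Provider.Provider } catch { }
    [pscustomobject]@{
        Subject   = $c.Subject
        Issuer    = $c.Issuer
        KeySize   = $(if ($pub) { $pub.KeySize } else { $null })
        Sha2      = ($c.SignatureAlgorithm.FriendlyName -match '^sha(256|384|512)')
        TpmBacked = ($provider -eq 'Microsoft Platform Crypto Provider')
        NotAfter  = $c.NotAfter
    }
}
```

A row with KeySize 2048, Sha2 True and TpmBacked True matches the profile settings on this page; TpmBacked False on a device that has a TPM is worth investigating before enabling the Okta integration.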
NEXT STEPS
If the environment includes macOS devices, proceed to Create a trusted certificate profile in Intune for Mac.
If you have created the required trusted certificate profiles in Intune, it's time to Activate endpoint integration for Windows devices in Okta.
Need help? Contact ZeroTek Support at support@zerotek.com.
