Certificates needed for using Intune and managing devices can be a very confusing topic whether in a hybrid or standalone configuration. If you are unfamiliar with the difference between hybrid and standalone, check out my previous post on this: Comparing the Two Modes of Microsoft Intune.
To start with, in reality, Intune itself requires no certificates whatsoever to perform its functions. But of course, this would be a very short and useless post if the story ended there. As usual, there are exceptions and caveats to this very black and white statement; these vary by each device OS so we’ll tackle them one by one. Also, keep in mind that these certificates are (mostly) actually required by the device OSes and as mentioned, are in no way required by Intune itself (so don’t blame the Intune team for any of this).
Android
The story here is actually black and white with no wrinkles: no certificates are required. Anything goes (including rampant malware, data theft, and general chaos) on Android devices.
iOS
For iOS devices including all iPads and iPhones (running iOS 6+), you simply need to get an Apple Push Notification (APN) certificate. This certificate allows Intune to talk to the APN service, which is required in order to communicate with any iOS device. In other words, to talk to and in this case manage an iOS device, you must go through the APN service; there is no way to talk directly to an iOS device, and talking to the APN service requires an APN certificate. Thus, enabling iOS management without an APN certificate makes no sense, and the UI in both standalone and hybrid enforces having one before you can enable management of iOS devices.
An APN certificate is quite easy to acquire though. All you need is a valid Apple account; this does not have to be a developer account. Both Intune standalone and the Intune connector in ConfigMgr walk you through the process of requesting an APN certificate nicely. In total, this process should literally take you no more than five minutes to complete.
Do note however that this certificate is only valid for one year and thus must be renewed every year. If you don’t renew the certificate, none of your managed iOS devices will be managed anymore and you will have to re-enroll all of them once you get a new and valid APN certificate. Thus, make sure that the Apple account you use to generate the certificate is a generic account that you will have access to every year to renew the certificate.
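Because an expired APN certificate silently drops every enrolled iOS device out of management, it is worth checking the expiry date of the .pem you downloaded from Apple on a schedule. The following PowerShell is an added example, not part of the original post; the path passed to it is a hypothetical location and the 30-day warning window is an assumption you can adjust.

```powershell
# Added example: report how long an APN (Apple Push Notification) certificate
# remains valid so it can be renewed before managed iOS devices stop responding.
function Test-ApnCertificateExpiry {
    param(
        # Path to the .pem downloaded from Apple (hypothetical location below).
        [Parameter(Mandatory = $true)][string] $PemPath,
        # Days before expiry at which to start warning (assumed value).
        [int] $WarnDays = 30
    )

    # X509Certificate2 loads both DER and base64 (PEM) encoded certificate files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PemPath

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    # An expired certificate means re-enrolling every iOS device, so flag it loudly;
    # renewal must be done with the same Apple account that issued the original.
    if ($daysLeft -lt 0) {
        $status = 'EXPIRED - iOS devices are no longer managed; renew and re-enroll'
    }
    elseif ($daysLeft -le $WarnDays) {
        $status = "RENEW SOON - renew with the original Apple account within $daysLeft days"
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        DaysLeft = $daysLeft
        Status   = $status
    }
}

# Usage (hypothetical path where the downloaded APN certificate is kept):
Test-ApnCertificateExpiry -PemPath 'C:\Intune\MDM_Apple_Push_Certificate.pem'
```

Run it from a scheduled task that writes the output to a log or mailbox, and treat anything other than OK as an action item.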
Windows as a Mobile Device
Managing Windows as a mobile device is valid for all Windows RT devices as well as Windows 8.1 (for now) systems. This does not involve installing the Intune client but instead involves enrolling the device similar to the other mobile devices.
There are no certificates required to manage a Windows device as a mobile device in Intune. If you wish to sideload Windows Store applications however, you will need a valid and trusted code-signing certificate to sign those applications. This certificate is never seen by Intune at all and is specific to the application(s); it is required regardless of how you sideload Windows Store applications and is a developer-specific item. Remember, store applications are those apps formerly called “metro” apps and not the normal desktop applications we all know and love. If you install these applications from the store (using deep-linking or searching in the store), they are already signed by the developer’s certificate so you don’t have to worry about this.
Also note that an app sideloading key may also be necessary to sideload store apps on Windows. This is a distinct requirement from the code-signing certificate used to sign store applications and is discussed in the article titled Introduction to Code Signing and Sideloading for Windows 8 Applications with System Center Configuration Manager. An update to the side loading policy was made with Windows 8.1 Update as discussed in the article titled Windows 8.1 Update: Sideloading Enhancements.
Windows using the Intune Client
This method is only valid for full Windows 8.1 devices (not RT) and Intune standalone, as the Intune client is mutually exclusive with the ConfigMgr client agent; i.e., you can only have one or the other. If you try to install one when the other is present, the installer will fail.
When you download the Intune client installation from the portal, it also downloads a certificate. This is a certificate generated by Intune and is specific to your Intune tenant. It enables the Intune client to identify which Intune tenant to communicate and associate with. It is not unique to each managed Windows client though so is not an authentication mechanism. This certificate must be present at client installation time but isn’t needed after that (at least not as a separate file).
The code-signing certificate and sideloading key notes from above in the Windows as a Mobile Device section are applicable to Windows in general and thus are also applicable when managing Windows with the Intune client.
Windows Phone 8.0
Yes, unfortunately, the story is different between Windows Phone (WP) 8.0 and WP 8.1. For WP 8.0, you must have a code-signing certificate from Verisign (which is owned by Symantec so you will actually see it referenced as a Symantec certificate in most places) to enable Intune, both hybrid and standalone, to manage WP 8.0 devices. This isn’t truly required to enable management though, it’s required so that you can sign the WP 8.0 Intune Company Portal app with this certificate and then deploy/sideload this app with Intune. Unlike the other device types, the WP 8.0 Intune Company Portal app is not available in the WP store. Thus, similar to Windows, to sideload an app in WP, it must be signed using a code-signing certificate. However, as mentioned, with WP, this must be a code-signing certificate from Symantec.
Windows Phone 8.1
It’s a bit easier with WP 8.1 as the Intune Company Portal app was actually published to the WP Marketplace where it was already signed by those wonderful folks at Microsoft. Thus, in Intune standalone, you can simply flip the switch to enable WP 8.1 devices. Unfortunately, the user interface in ConfigMgr for Intune hybrid makes no distinction between WP 8.0 and WP 8.1 and thus still requires you to provide the Symantec code-signing certificate as well as a reference to the signed Intune Company Portal app in order to manage WP devices. You can skirt around this though by using the Support Tool for Windows Intune Trial Management of Window Phone and then installing the Intune Company Portal from the WP Marketplace.
Confused yet? As with all things MDM, the confusion lies in the fact that we’re dealing with multiple different device OSes and multiple different vendors. Here’s a chart that summarizes the above:
| Device OS | Cert for enabling Intune management | Cert for applications |
|---|---|---|
| iOS | Yes, APN certificate | Yes [1] |
| Windows as a device | No | Yes [2] |
| Windows with Intune client | No [3] | Yes [2] |
| Windows Phone 8.0 | Yes | Yes |
| Windows Phone 8.1 | No for standalone, yes for hybrid [4] | Yes |

[1] Not discussed above, but an Apple developer account and certificate are required for all iOS apps.
[2] For Windows Store apps only.
[3] Although, as discussed above, a certificate is used when installing the Intune client to identify which tenant to report to, this isn’t really used by Intune to manage the device.
[4] As discussed above though, you can side-step this.