Configuring AppViewX MS Intune Server

Prerequisites

Onprem

  • Make sure that the Intune pod is running in the cluster by using the command:
    kubectl get pods -A | grep intune
  • Make sure that <avx-platform-gateway-scep> is running in the cluster by using the command:
    kubectl get svc -A | grep scep

SaaS

HTTPS gateway must be enabled while installing the cloud connector (CC). To do this:
  1. Navigate to the installation directory of the cloud connector software.
  2. Run
    cd deps/tools
  3. Run
    ./k3s kubectl get svc -A | grep http
    Note: The output must list avx-mid-server-gateway-http or avx-mid-server-gateway-https under the cc namespace.

Enabling MS Intune Services

For Onprem
  1. Log onto the AppViewX installer node. Open the terminal window.
  2. Go to </installation_folder/appviewx_kubernetes/scripts> folder.
  3. Add the avx-vendor-cert-intune-agent and avx_platform_gateway_external in ENABLED_PLUGINS in the appviewx.conf file.
  4. Specify the datacenter (DC) where the gateway must be deployed:
    • avx_vendor_cert_intune_agent=<dc name>
    • avx_platform_gateway_external=<dc name>
  5. Run the <plugins_install.sh>
  6. Verify if Intune is enabled by running kubectl get pods -A | grep intune
  7. Verify the plugin status and port number by running:
    kubectl get svc -A | grep scep
    Make sure that avx-platform-gateway-scep is running and that its port mapping is 5303:30022.
    Note: The second number of the mapping, 30022, is the port to use in the UI configuration.
  8. Identify the nodes running the SCEP services by using:
    <kubectl get pods -n external-system -o wide>
    SCEP is available on all the nodes where the external system runs.
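The verification in steps 6 to 8, as an added shell example that is not part of the AppViewX documentation or tooling. Each check reads the output of the corresponding kubectl command from standard input, so the constructed sample lines stand in for a live cluster and the script runs offline; set RUN_LIVE=1 to pipe the real kubectl output through the same checks. The namespaces, pod name suffixes and node names in the samples are assumptions.

```shell
#!/bin/sh
# Added example (not AppViewX's own tooling): checks matching steps 6-8 of the
# on-prem "Enabling MS Intune Services" procedure. Each check reads the output of
# the corresponding kubectl command from standard input, so the constructed sample
# lines below stand in for a live cluster. Namespaces, pod suffixes and node names
# in the samples are assumptions.

# Constructed sample of: kubectl get pods -A | grep intune
SAMPLE_INTUNE_PODS='external-system   avx-vendor-cert-intune-agent-7c9f6d8b5-x2k4q   1/1   Running   0   3d'

# Constructed sample of: kubectl get svc -A | grep scep
SAMPLE_SCEP_SVC='external-system   avx-platform-gateway-scep   NodePort   10.43.12.7   <none>   5303:30022/TCP   3d'

# Constructed sample of: kubectl get pods -n external-system -o wide
SAMPLE_WIDE_PODS='NAME                                             READY   STATUS    RESTARTS   AGE   IP           NODE        NOMINATED NODE   READINESS GATES
avx-platform-gateway-external-6d7f9c4b8-abcde   1/1     Running   0          3d    10.42.0.15   worker-01   <none>           <none>
avx-platform-gateway-external-6d7f9c4b8-fghij   1/1     Running   0          3d    10.42.1.22   worker-02   <none>           <none>
avx-vendor-cert-intune-agent-7c9f6d8b5-x2k4q    1/1     Running   0          3d    10.42.0.16   worker-01   <none>           <none>'

# Step 6: succeed only if at least one intune pod reports STATUS=Running.
intune_pod_running() {
  awk '/intune/ && $4 == "Running" { found = 1 } END { exit !found }'
}

# Step 7: print the node port of avx-platform-gateway-scep, i.e. the number after
# the colon in the PORT(S) column. For the documented mapping 5303:30022 this
# prints 30022, which is the port value to enter in the UI configuration.
scep_nodeport() {
  awk '$2 == "avx-platform-gateway-scep" { split($6, p, "[:/]"); print p[2]; exit }'
}

# Step 7: succeed only if the scep service exposes exactly the documented mapping.
scep_port_ok() {
  awk '$2 == "avx-platform-gateway-scep" && $6 == "5303:30022/TCP" { ok = 1 } END { exit !ok }'
}

# Step 8: print the distinct NODE names (column 7 of "-o wide") that host pods in
# the external-system namespace; SCEP is reachable on each of them.
scep_nodes() {
  awk 'NR > 1 { print $7 }' | sort -u | xargs
}

# Stand-alone run: RUN_LIVE=1 pipes real kubectl output through the same checks,
# otherwise the constructed samples are used.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  pods=$(kubectl get pods -A); svc=$(kubectl get svc -A); wide=$(kubectl get pods -n external-system -o wide)
else
  pods=$SAMPLE_INTUNE_PODS; svc=$SAMPLE_SCEP_SVC; wide=$SAMPLE_WIDE_PODS
fi
printf '%s\n' "$pods" | intune_pod_running && echo "intune pod: Running" || echo "intune pod: NOT running"
printf '%s\n' "$svc" | scep_port_ok && echo "scep port mapping: 5303:30022 (ok)" || echo "scep port mapping: unexpected"
echo "UI port (scep node port): $(printf '%s\n' "$svc" | scep_nodeport)"
echo "SCEP nodes: $(printf '%s\n' "$wide" | scep_nodes)"
```

The checks deliberately fail closed: a pod in CrashLoopBackOff or a service exposing a different node port returns a non-zero status, so the script can gate a deployment pipeline rather than only print output for a human to read.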

For SaaS

HTTP/HTTPS gateway must be enabled while installing the cloud connector (CC). To do this:
  1. Navigate to the installation directory of the cloud connector software.
  2. Run:
    cd deps/tools
  3. Run:
    ./k3s kubectl get svc -A
    Note: Ensure that avx-mid-server-gateway-http is present under namespace cc.

Configuring AppViewX MS Intune Server

To conduct mobile device certificate enrollments for MS Intune managed devices using the MS Intune protocol (SCEP-based) on AppViewX, the administrator or the privileged user must initially configure the MS Intune server agent using the AppViewX portal. Once the MS Intune server agent is successfully set up through the portal, a URL will be generated. Clients can then use this URL to submit enrollment requests to AppViewX via MS Intune.
  1. Go to (Menu) > Cert+ > Administration > Auto Enrollment > MS INTUNE.
  2. Click Configure Now or +Add icon.
  3. Configure the End Point Details as follows:
    Prerequisites for entering the IP/FQDN field:
    • For SaaS
      • The Cloud Connector Name (in the Add Cloud connector page) must be the same as the FQDN name entered.
      • If the customer is using LB on top of multiple CC, then the FQDN of the LB should be used.
    • For On-Prem
      • The IP / FQDN of the machine where the external gateway is running.
      • If the customer is using LB on top of multiple CC then the FQDN of the LB should be used.
    • The given FQDN must be resolvable from the cloud connector machine and from the machine running the Company Portal application.
    • The CC must be able to reach the endpoint.
    The fields for Endpoint Details are as follows:
    Table 1. Endpoint Details - Field Description Table
    Fields Description
    *Name A unique name (alphanumeric string) to identify the agent setting.

    Name should not start with special characters. Acceptable characters: A-Z, a-z, 0-9, '.', '_', '-'

    *Intune URL Select either HTTP or HTTPS.

    Based on the selection of this field, the Intune endpoints will be configured with HTTP or HTTPS URL. The port information will be dynamically updated based on this selection.

    Using Direct Gateway: In the SaaS setup, to consume the direct AEP gateway without installing the cloud connector, use HTTPS.

    *IP/FQDN The dropdown list field contains a list of FQDNs from the stored data. Users can choose from the available values. The hostname format is <tenant>-aep.<domainname>.
    For Onprem: the list is populated with the On-Prem node details.
    • Without load balancer
      • HTTP: Must contain the hostname of the node where the external gateway is running. To get the details, run kubectl get pods -n external-system -o wide. If the external gateway is running on multiple nodes, select any one of those nodes.
      • HTTPS: Must be the same as the web URL.
    • With load balancer
      • HTTP: Must be the hostname of the load balancer.
    For SaaS: the list is populated with the hostname of the Cloud Connector and AEP Gateway details.
    • Using On-premises CC
      • Without load balancer: Must be the hostname of the cloud connector where the auto-enrollment gateway is running.
      • With load balancer: Must be the hostname of the load balancer.
    • Using Direct Gateway: In the SaaS setup, to consume the direct AEP gateway without installing the cloud connector, the FQDN/IP address will be the tenant URL with "-aep" before the domain name.
    *Port The port number is auto-populated based on the selected IP/FQDN value.

    If the IP/FQDN value is entered manually, then enter the appropriate port number.

    Proxy Required Select the checkbox if required. If enabled, the communication with the Azure portal to validate the challenge password will go via the proxy details provided in the general settings.

    This is used to perform the challenge verification with Intune through the proxy server when there is no direct internet connectivity.

    *Data Center The communication with the Azure portal to validate challenge password will go via the CC in the datacenter.

    Internet connectivity for the CC is mandatory.

    In the SaaS setup, to consume the direct AEP gateway without installing the cloud connector, select cloud-dc (it is the only available value for this configuration).

    *: mandatory fields.
  4. Configure the Intune Details.
    Table 2. Intune Details - Field Description Table
    Fields Description
    *Client ID Client ID of the Intune Account - this value should have been captured during Intune App Registration.
    *Tenant ID Tenant ID is the domain name in your account ID. For example, if your account ID is <user>@test.onmicrosoft.com, then the tenant ID is test.onmicrosoft.com.
    *Client Secret Client Secret for the Intune Account - this value should have been captured during Intune App Registration.
    *Cloud Type Select any of the options:
    • Azure Public: This is the most common and traditional deployment model, in which Azure resources are owned and operated by Microsoft and shared across multiple tenants.
    • Azure Government: This is a specialized version of Azure designed to meet the specific regulatory and compliance needs of government agencies in the US. It is isolated from the public Azure cloud and provides the highest level of security.
    *: mandatory fields.
    Health check URL for load balancer:

    Onprem

    • HTTP method: GET
    • Healthcheck API: https://<FQDN>:30022
    • FQDN: FQDN of the external gateway running nodes.
    • Expected response code: 404. As the load balancer is accessing the URL without any parameters, it will receive a 404 response.
    SaaS
    • HTTP method: GET
    • Healthcheck API: https://<FQDN>:30022 (HTTP) (or) https://<FQDN>:30020 (HTTPS)
    • FQDN: FQDN of cloud connector enabled with the HTTP/HTTPS gateway.
    • Expected response code: 404. As the load balancer is accessing the URL without any parameters, it will receive a 404 response.
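The load balancer health check described above, as an added shell example that is not part of the AppViewX documentation or tooling. It builds the health-check URL for the on-prem external gateway (port 30022) or the SaaS HTTP (30022) / HTTPS (30020) gateway and classifies the probe result, treating the documented 404 as healthy. The hostnames in the usage comments are placeholders; the verdict names are this example's own.

```shell
#!/bin/sh
# Added example (not AppViewX's own tooling): build the load-balancer health-check
# URL listed above and classify the probe result. The healthy answer is HTTP 404,
# because the gateway is called without any parameters; curl reports 000 when the
# connection or TLS handshake itself fails. Hostnames used here are placeholders.

# healthcheck_url <fqdn> <gateway>
#   gateway = onprem (external gateway), http or https (SaaS cloud connector gateway)
healthcheck_url() {
  case "$2" in
    onprem|http) printf 'https://%s:30022\n' "$1" ;;
    https)       printf 'https://%s:30020\n' "$1" ;;
    *) echo "unknown gateway type: $2 (use onprem, http or https)" >&2; return 2 ;;
  esac
}

# healthcheck_verdict <http_code>  ->  healthy | unreachable | unexpected
healthcheck_verdict() {
  case "$1" in
    404)    echo healthy ;;      # expected: URL answered, no parameters supplied
    000|"") echo unreachable ;;  # connection refused, timeout, DNS or TLS failure
    *)      echo unexpected ;;   # gateway answered, but not the way the LB expects
  esac
}

# probe_gateway <fqdn> <gateway>: live probe, returns 0 only on the expected 404.
# The probing host must trust the certificate presented on the gateway port.
probe_gateway() {
  url=$(healthcheck_url "$1" "$2") || return 2
  code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$url")
  verdict=$(healthcheck_verdict "$code")
  echo "$url -> HTTP $code ($verdict)"
  [ "$verdict" = "healthy" ]
}

# Usage: sh healthcheck.sh lb.example.test onprem
if [ $# -eq 2 ]; then
  probe_gateway "$1" "$2"
fi
```

Distinguishing "unreachable" from "unexpected" matters when the load balancer marks a node down: 000 points at connectivity, DNS or certificate trust on the probing host, whereas a 200, 401 or 502 means the gateway port answered but something other than the SCEP gateway is listening there or the URL was formed with parameters.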
  5. Configure the CA Accounts as follows:
    Table 3. CA Accounts - Field Description Table
    Fields Description
    Certificate Group Select the group under which the certificate is to be enrolled.
    Certificate Category Select a specific certificate type (Server / Client) to be enrolled.
    Select CA Select the required CA from the available options. The certificate will be enrolled under the selected CA.
    The CAs associated with the Default certificate group are:
    • AppViewX
    • AppViewX PKIaaS
    • AppViewX PKIaaS Native
    • Amazon Private CA
    • DigiCert
    • DigiCert One
    • EJBCA
    • Entrust
    • Entrust MPKI
    • Globalsign Atlas
    • Globalsign MSSL
    • Google
    • HydrantID
    • IDnomic
    • Microsoft Enterprise
    • Microsoft Standalone
    • Nexus
    • OpenTrust
    • Sectigo (Comodo Certificate Manager)
    • SwissSign
    Note: The Vendor Specific Details section is displayed only when one of the following CAs is selected:
    • DigiCert
    • EJBCA
    • Entrust
    • Entrust MPKI
    • GlobalSign MSSL
    • Microsoft Enterprise
    • Nexus
    *: mandatory fields.
    When AppViewX is selected as CA, the fields for AppViewX CA are as follows:
    Table 4. Details for AppViewX CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Certificate Profile Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed, and one certificate can be selected for further communication with the SCEP client machine.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled.
    *: mandatory fields.

    When AppViewX PKIaaS Native is selected as CA, the fields for AppViewX PKIaaS Native are as follows:

    Table 5. Details for AppViewX PKIaaS Native - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
    Template Name Select a template name from the dropdown list.
    *Issuer Name Select an issuer name to issue the certificate.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled.
    Note: For some CAs, the validity configured in the CA's own portal takes precedence over the certificate validity specified here.
    *: mandatory fields.
    When AppViewX PKIaaS is selected as CA, the fields for AppViewX PKIaaS CA are as follows:
    Table 6. Details for AppViewX PKIaaS CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Certificate Profile Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed, and one certificate can be selected for further communication with the SCEP client machine.
    *Issuer Location Select an issuer location that is associated with the CA account.
    *Issuer Name Select an issuer name to issue the certificate.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Certificate Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed, and one certificate can be selected for further communication with the MS Intune client machine.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled.
    *: mandatory fields.
    When Amazon Private CA is selected as CA, the fields for Amazon Private CA are as follows:
    Table 7. Details for Amazon Private CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Region Select a valid region associated with the CA account.

    The dropdown list is populated with the first available value. Select an appropriate value as required.

    *Issuer Select a valid issuer associated with the CA account.

    The dropdown list is populated with the first available value. Select an appropriate value as required.

    *Signature Algorithm Select a valid signature algorithm for the CA account.

    The dropdown list is populated with the first available value from the group's associated policy. Select an appropriate value as required.

    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled (in days/months/years).
    *: mandatory fields.
    When DigiCert is selected as CA, the fields for DigiCert CA are as follows:
    Table 8. Details for DigiCert CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Division Select a division associated with the CA account.

    The dropdown list is populated with the first available value. Select an appropriate value as required.

    *Certificate Type Select a valid cert type associated with the CA account.

    The dropdown list is populated with the first available value. Select an appropriate value as required.

    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Order Validity Validity of the certificate to be enrolled (in days/months/years).
    *: mandatory fields.
    If the selected CA is DigiCert, a separate section Vendor Specific Details is displayed after the CA Accounts section. The fields for Vendor specific details are as follows:
    Table 9. Vendor Specific Details for DigiCert CA - Field Description Table
    Fields Description
    *Server Type Select a server type.
    *Payment Method Select a payment method. The possible options are:
    • Bill To Account Balance - Pay with account balance. Returns an error if this option is disabled for the account or if the account has insufficient funds.
    • Bill To Default Credit Card - Pay with account's default credit card. Returns an error if no default credit card is configured for the account.
    *: mandatory fields.

    When DigiCert One is selected as CA, the fields for DigiCert One CA are as follows:

    Table 10. Details for DigiCert One CA - Field Description Table
    Fields Description
    *CA Account Name A unique name to identify the CA setting.
    Note: No special characters other than '.', '-', '_' are allowed. Names should not start with special characters.
    *Purpose/Usage Certificate Type for which CLM actions will be enabled. For example, Server or Client.
    Proxy Required Enable this field if the CA communication needs to happen via proxy. The proxy details configured in general settings will be used for communication.
    Data Center (AppViewX's CA agent) Select the data center for CA communication; the CC node is the recommended option. CA communication is then routed through the chosen CC node.
    CA Configuration
    *Base URL This URL contains the hostname of the DigiCert CA instance and is used for constructing the API requests.
    *Authentication method By default, API Token is selected.
    *API Token Enter the API token to authorize the communication between AppViewX and DigiCert One.
    Allow Seat ID during enrollment Enabling this field displays a Seat ID field in the Auto enrollment settings that you can use instead of the CA settings.
    *Seat ID Unique value assigned to identify an entity in the DigiCert One account. You can provide multiple IDs separated by commas. They can be used for enrollment, renewal, and regeneration.
    Use DigiCert One to switch certificates from DigiCert MPKI Enable this field to automatically switch your DigiCert MPKI certificates to DigiCert One with auto-enrollment/auto-regenerate.
    *: mandatory fields.
    When EJBCA is selected as CA, the fields for EJBCA CA are as follows:
    Table 11. Details for EJBCA CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *: mandatory fields.
    If the selected CA is EJBCA, a separate section Vendor specific details is displayed after the CA Accounts section. The fields for Vendor specific details are as follows:
    Table 12. Vendor Specific Details for EJBCA CA - Field Description Table
    Fields Description
    *End Entity Profile Name Select a profile of an end entity.
    End entity user name Enter the user name for the end entity.
    *Issuer Common Name Select a common name of an issuer.
    *Certificate Profile Name Select a certificate profile name.
    *: mandatory fields.
    When Entrust is selected as CA, the fields for Entrust CA are as follows:
    Table 13. Details for Entrust CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
    *Certificate Type Select a valid certificate type associated with the CA account.
    • If the Certificate Category radio button is set to Server, the dropdown list is populated with the first available value. Select an appropriate value as required.
    • If the Certificate Category radio button is set to Client, the dropdown list is populated with 'None' as the default value.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled (in days/months/years).
    *: mandatory fields.
    If the selected CA is Entrust, a separate Vendor Specific Details section is displayed after the CA Accounts section.
    Note: Depending on the Entrust ECS account configuration, a Custom Attributes section may also be displayed.
    Table 14. Vendor Specific Details for Entrust CA - Field Description Table
    Fields Description
    Additional Emails Enter the valid email address in the field.
    Requester Name Enter the requester name.
    Requester Email Enter a valid email ID.
    Requester Phone Enter the 10-digit phone number.
    *: mandatory fields.
    When Entrust MPKI is selected as CA, the fields for Entrust MPKI CA are as follows:
    Table 15. Details for Entrust MPKI CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *: mandatory fields.

    If the selected CA is Entrust MPKI, a separate section Vendor specific details is displayed after the CA Accounts section.

    The fields for Vendor specific details are as follows:
    Table 16. Vendor Specific Details for Entrust MPKI CA - Field Description Table
    Fields Description
    *CA Name Select a CA name from the dropdown list.
    *Cert Profiles Select a cert profile from the dropdown list.
    *: mandatory fields.
    When GlobalSign Atlas is selected as CA, the fields for GlobalSign Atlas CA are as follows:
    Table 17. Details for GlobalSign Atlas CA - Field Description Table
    Fields Description
    *Select CA Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    API Credential Friendly name Select a CA Account to communicate with during the certificate enrollment actions.
    Certificate Profile Select the certificate Profile from the dropdown list.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled (in days/months/years).
    *: mandatory fields.

    A Generic Fields section is also displayed below the CA Accounts section. It contains the fields related to the CSR parameters based on the profile (API Credential Friendly name) selected. Only the Organization field is mandatory and is fetched from the selected profile. The remaining fields are optional.

    When GlobalSign MSSL is selected as CA, the fields for GlobalSign MSSL CA are as follows:
    Table 18. Details for GlobalSign MSSL CA - Field Description Table
    Fields Description
    CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    Product Type Select the specific Certificate Type.

    The values are fetched from the CA Settings configuration.

    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled (in days/months/years).
    *: mandatory fields.
    The following field is displayed in the Vendor Specific Details section as per the selected CA:
    Table 19. Vendor Specific Details for GlobalSign MSSL CA - Field Description Table
    Fields Description
    *Profile Select the Profile based on the configurations made in the Certificate Authority setting.
    *: mandatory fields.
    The following field is displayed in the Point of Contact section as per the selected CA. The CA mandates the point of contact information for traceability. All auto-enrollment requests via this endpoint will be registered with the point of contact information entered here.
    Table 20. Point of Contact Details for GlobalSign MSSL CA - Field Description Table
    Fields Description
    *First Name Enter the first name.
    *Email Address Enter the valid email address.
    *Phone Number Enter the valid phone number.
    *: mandatory fields.
    When Google is selected as CA, the fields for Google CA are as follows:
    Table 21. Details for Google CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Certificate Profile Select the certificate profile type.
    *Issuer Location Select an issuer location that is associated with the CA account.
    *Pool Name Select a pool name to issue the certificate.
    Template Name Select an appropriate template name to issue the certificate.
    *Issuer Name Select an issuer name to issue the certificate.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled.
    *: mandatory fields.
    When HydrantID is selected as CA, the fields for HydrantID CA are as follows:
    Table 22. Details for HydrantID CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *HydrantID Policy Select the policy associated with the CA Account to be used for certificate operations.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled.
    *: mandatory fields.
    When Microsoft Enterprise is selected as CA, the fields for Microsoft Enterprise CA are as follows:
    Table 23. Details for Microsoft Enterprise CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *: mandatory fields.

    If the selected CA is Microsoft Enterprise, a separate section Vendor specific details is displayed after the CA Accounts section with a single dropdown field, Template Name: select a template from the dropdown list.

    When IDnomic is selected as CA, the fields for IDnomic CA are as follows:
    Table 24. Details for IDnomic CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Certificate Profile Select the certificate Profile from the dropdown list.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled (in days/months/years).
    *: mandatory fields.
    When Microsoft Standalone is selected as CA, the fields for Microsoft Standalone CA are as follows:
    Table 25. Details for Microsoft Standalone CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *: mandatory fields.
    The following table provides the field description for Nexus CA:
    Table 26. Details for Nexus CA - Field Description Table
    Fields Description
    *CA Account Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *Certificate Validity Validity of the certificate to be enrolled (in days/months/years).
    *: mandatory fields.

    When OpenTrust is selected as CA, the fields for OpenTrust CA are as follows:

    Table 27. Details for OpenTrust CA - Field Description Table
    Fields Description
    *CA Account name Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
    *Certificate Management Profile Select the certificate issuance policy defined in OpenTrust CA.
    Zone The AppViewX configuration wrapper that maps to a CA and profile pair, used by end users or automation to request certificates consistently.
    *Server Certificate Select the chosen CA-issued certificate, using which the trusted inventory is validated.

    Type the exact common name or serial number.

    Note:
    1. The certificate's EKU should have both Server Authentication and Client Authentication.
    2. The certificate’s Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name Name of the CA connector after the certificate is enrolled.
    *: mandatory fields.

    A Profile Parameters section is also displayed below the CA Accounts section. It contains fields such as *Common Name, Organizational Unit, *Organization, *Email and *Password, or the fields configured in the Certificate Authority settings page.

    When Sectigo (Comodo Certificate Manager) is selected as the CA, the fields for Sectigo (Comodo Certificate Manager) CA are as follows:

    Table 28. Details for Sectigo (Comodo Certificate Manager) CA - Field Description Table
    *CA Account: A unique name to identify the CA setting.
      Note: No special characters other than '.', '-' and '_' are allowed. Names must not start with a special character.
    *Certificate Type: Select a value from the dropdown list.
    *Server Certificate: Select the chosen CA-issued certificate, using which the trusted inventory is validated. Type the exact common name or serial number.
      Note:
      1. The certificate's EKU should have both Server Authentication and Client Authentication.
      2. The certificate's Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name: Name of the CA connector after the certificate is enrolled.
    *Certificate Validity: Validity of the certificate to be enrolled (in days/months/years).
    *: mandatory fields.

    When SwissSign is selected as the CA, the fields for SwissSign CA are as follows:

    Table 29. Details for SwissSign CA - Field Description Table
    *CA Account: Select a specific CA Account from the selected CA to be used for certificate-creation operations.
    *Client Name: Select the specific client.
    *Product: Select the specific product.
    *Server Certificate: Select the certificate issued by the selected CA using which the trusted inventory is validated. You can search for it by typing the exact common name or the serial number.
      Note:
      1. The certificate's EKU should have both Server Authentication and Client Authentication.
      2. The certificate's Key usage must include DigitalSignature and KeyEncipherment.
    *CA Connector Name: Name of the CA connector after the certificate is enrolled.
    *Certificate Validity: Validity of the certificate to be enrolled.
    *: mandatory fields.
  6. Configure the Advanced Settings.
    The fields in the Advanced Settings section are as follows:
    Table 30. Advanced Settings - Field Description Table
    *Fetch Certificate Parameters: Select Yes or No. Setting the radio button to Yes enables the system to automatically fetch certificate parameters from a Suggestive Policy and append them to the client CSRs.
    *Retry Count: The number of calls the EST agent triggers to collect the certificate from AppViewX until it is received. Accepted values: 5 - 99.
    *Retry Frequency: The duration between the trigger calls made by the EST agent. Accepted values: 10 - 99.
    *Certificate Poll Type: Select Issuer and Subject or Transaction ID. The client agent uses this field to poll the issued certificate from the agent to the subsystem certificate plugin.
    *High Speed Transactions: Based on the selection of this field, the endpoint is configured with or without High Performance transaction times. ACME protocol's Revocation actions are not supported in High Performance mode. Request information pertaining to High Performance can be viewed on the Direct Requests page.
      Note: By default, this field is set to Yes for AppViewX PKIaaS CA.
    *Return Existing Certificate: If this option is enabled (Yes), AppViewX checks the inventory for an existing valid certificate for the same CSR and public key and returns it if available; otherwise it proceeds with enrollment and returns the newly issued certificate.
      • If it is set to Yes, the Certificate Threshold field is displayed.
      • If it is set to No, AppViewX performs its default behavior of enrolling a new certificate for each request.
    Duplicate Certificate Migration: Selecting this check-box causes the previously issued certificates for the same CSR parameters to be revoked and deleted from AppViewX.
      Note: By default, this field is enabled for AppViewX PKIaaS CA.
    *Mitigate Certificates issued within: This field is enabled only when the Duplicate Certificate Migration check-box is selected.
    *: mandatory fields.
  7. Click Save.
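The Server Certificate notes in the CA tables above (and the RA certificate items in the troubleshooting section) require Server Authentication and Client Authentication in the EKU and DigitalSignature plus KeyEncipherment in the Key Usage. The following is an added check written for this page, not AppViewX tooling; it uses openssl and assumes the certificate is available as a PEM file at a path you supply.

```shell
#!/bin/sh
# Added example (not from the AppViewX documentation): verify that a PEM
# certificate carries the EKU and Key Usage bits the Intune agent needs.
# Usage: check_ra_cert /path/to/cert.pem   (path is your own; placeholder)
# Returns 0 when every required bit is present, 1 otherwise, printing what is missing.
check_ra_cert() {
    cert="$1"
    # Decode the certificate once; a parse failure means the file is not a usable PEM/DER cert.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "cannot parse certificate: $cert"
        return 1
    }
    # openssl prints each extension as a header line followed by its values on the next line.
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    rc=0
    # Both TLS server and TLS client authentication must be present in the EKU.
    for need in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
        case "$eku" in
            *"$need"*) ;;
            *) echo "$cert: missing EKU '$need'"; rc=1 ;;
        esac
    done
    # Key Usage must allow signing (SCEP/PKCS#7 signatures) and key encipherment (enveloped data).
    for need in 'Digital Signature' 'Key Encipherment'; do
        case "$ku" in
            *"$need"*) ;;
            *) echo "$cert: missing Key Usage '$need'"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "$cert: EKU and Key Usage satisfy the Intune agent requirements"
    return "$rc"
}
```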

Validating MS Intune

  1. Configure the MS Intune endpoint in the AppViewX GUI using the preceding steps.
  2. The agent configuration must be in Valid status.
  3. Once the above steps are complete, load the following URL in a web browser:
    1. <intune endpoint URL from appviewx GUI>?operation=GetCACaps
    2. Expected response: In the browser window, you should see the following data:

    If you get the above response, the AppViewX Intune endpoint is working correctly.
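The URL above issues the SCEP GetCACaps query, whose response is a plain-text list of capability keywords (one per line, as defined in RFC 8894). The script below is an added example, not part of the AppViewX documentation: it fetches that list from the endpoint and checks it for the things an operator cares about (a non-empty answer, POSTPKIOperation, and a SHA-2 digest). ENDPOINT is a placeholder for the endpoint URL copied from the AppViewX GUI.

```shell
#!/bin/sh
# Added example (not AppViewX code): sanity-check the SCEP GetCACaps answer.
# ENDPOINT is a placeholder; set it to the Intune endpoint URL shown in the AppViewX GUI.
ENDPOINT="${ENDPOINT:-<intune endpoint URL from appviewx GUI>}"

# Normalise a GetCACaps body to newline-separated keywords: strip CR and blank lines.
parse_ca_caps() {
    tr -d '\r' | sed '/^[[:space:]]*$/d'
}

# $1: file holding the GetCACaps body.
# Returns 0 when a capability list with a SHA-2 digest was received,
#         1 when the body is empty (endpoint or SCEP gateway not reachable),
#         2 when only legacy algorithms (SHA-1/DES3) are advertised.
check_ca_caps() {
    caps=$(parse_ca_caps < "$1")
    if [ -z "$caps" ]; then
        echo "empty GetCACaps response: check the SCEP gateway service and port"
        return 1
    fi
    # Without POSTPKIOperation, SCEP clients fall back to GET requests with the PKI message in the URL.
    printf '%s\n' "$caps" | grep -qx 'POSTPKIOperation' \
        || echo "warning: POSTPKIOperation not advertised"
    # A CA that only advertises SHA-1 forces clients onto a deprecated digest.
    if ! printf '%s\n' "$caps" | grep -qxE 'SHA-(256|512)'; then
        echo "warning: no SHA-2 digest advertised; only legacy algorithms offered"
        return 2
    fi
    echo "GetCACaps OK: $(printf '%s\n' "$caps" | tr '\n' ' ')"
    return 0
}

# Live usage (uncomment once ENDPOINT is set to the real URL):
# curl -s "$ENDPOINT?operation=GetCACaps" > /tmp/caps.txt && check_ca_caps /tmp/caps.txt
```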

Troubleshooting

This section guides you through troubleshooting the common problems you might encounter when configuring the MS Intune Server.
  1. PKI operation is not triggered, or a "Missing expected key transfer for recipient" error appears:
    1. The CA certificate chain does not match the Trust certificate profile configured in the Azure portal.
    2. The RA certificate in the Intune agent settings must include Client Authentication and Server Authentication in the Extended Key Usage.
    3. The RA certificate in the Intune agent settings must include DigitalSignature and KeyEncipherment in the Key Usage.
  2. Challenge password authentication failed:
    1. Check that the Client secret, Client ID and Tenant ID are the same in both the Azure Intune portal and the AppViewX Intune agent settings.
    2. Check the CSR parameters in the Azure Intune portal; a CN such as CN={{onprem_distinguishedname}} can cause this error because the CSR fails to decode. Verify the SAN values too.
    3. Verify that the API permissions in the Azure portal are configured as shown in the image below: