Configuring AppViewX MS Intune Client

You can configure the AppViewX MS Intune client with the steps detailed in this section.

Testing on Windows v10.0 Device

The AppViewX MS Intune integration can be tested by enrolling a Windows v10.0 device. To enroll other devices, follow the same procedure. Before enrolling, the Company Portal application from the Microsoft Store must be installed on the Windows v10.0 device.

Configuring Windows Accounts Setting

  1. Log in to the system running the Windows v10.0 operating system.
  2. Open Settings.
  3. Click Accounts > Access work or school.
  4. Click Connect and confirm your work or school account.
  5. Click Next to proceed further by providing Azure subscription credentials.
  6. Once the account is set, a success message window is displayed.
  7. Click Done.

Configuring Company Portal

  1. Open the Company Portal application and proceed with the device setup by providing the Azure subscription.
  2. Click Connect and confirm your work or school account.
  3. Provide a valid e-mail address and click Next to complete the setup.
  4. Click Done.

Verifying Enrollment Result

  1. Once configuration is completed, the device invokes the GetCACaps, GetCACerts, and PKIRequest (enrollment request) APIs on the SCEP server.
  2. Monitor the SCEP agent logs in AppViewX and verify that the message ‘AppviewxScepServicePostAction:49 - Response sent successfully for operation: PKIOperation’ occurs in the logs.
  3. In the AppViewX application, the newly generated certificate must be shown in the inventory.
  4. If the requested certificate is a device certificate, the newly generated certificate will be available in the Server tab in the certificate inventory.
  5. If the requested certificate is a user certificate, the new certificate will be available under the Client tab in the certificate inventory.
  6. On the Windows device, open the cert store (Windows key+R -> certlm.msc) and make sure that the serial number of the certificate in the personal cert store matches the serial number of the certificate that was newly created in AppViewX.
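
The serial-number comparison in step 6 can also be scripted on the enrolled device. The following PowerShell is an added example, not part of the AppViewX or Microsoft documentation; the parameter names, the helper ConvertTo-NormalizedSerial and the default store path are assumptions. It also reports the RSA key length against the 2048-bit minimum given under Best Practices.

```powershell
# Added example: confirm that the certificate issued through SCEP is present in
# the Personal store shown by certlm.msc and that its serial matches AppViewX.
param(
    # Serial number copied from the AppViewX certificate inventory.
    [Parameter(Mandatory)][string]$ExpectedSerial,
    # certlm.msc shows the local machine store; this default is an assumption.
    [string]$StorePath = 'Cert:\LocalMachine\My',
    # Minimum RSA key length from the Best Practices section.
    [int]$MinKeyBits = 2048
)

function ConvertTo-NormalizedSerial {
    param([string]$Serial)
    # Tools print serials with different separators, case and leading zeros,
    # so reduce both values to bare upper-case hex before comparing.
    $hex = ($Serial.Trim() -replace '^0x', '') -replace '[^0-9A-Fa-f]', ''
    $hex.TrimStart('0').ToUpperInvariant()
}

$wanted = ConvertTo-NormalizedSerial $ExpectedSerial
if (-not $wanted) { throw 'ExpectedSerial contains no hexadecimal digits.' }

$found = Get-ChildItem -Path $StorePath |
    Where-Object { (ConvertTo-NormalizedSerial $_.SerialNumber) -eq $wanted }

if (-not $found) {
    Write-Error "No certificate with serial $wanted in $StorePath."
    exit 1
}

foreach ($cert in $found) {
    # GetRSAPublicKey returns $null for non-RSA keys (for example ECDSA).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SerialNumber  = $cert.SerialNumber
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        RsaKeyBits    = if ($rsa) { $rsa.KeySize } else { $null }
        KeyLengthOk   = if ($rsa) { $rsa.KeySize -ge $MinKeyBits } else { $null }
    }
}
```

A non-zero exit code means no certificate in the store carries the serial number shown in the AppViewX inventory.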

Best Practices

  • For auto-enrollment, create a separate certificate group and CA policy in AppViewX.
  • During policy creation, select only the required bit-length (minimum 2048-bit).

Troubleshooting

  1. Error Message: Challenge Password Authentication Failed
     Description: The issue is one of the following:
       1. Not enough API permissions available for the tenant in the Azure portal.
       2. Tenant details (Tenant ID, client ID and secret) provided during Intune endpoint configuration in AppViewX GUI might be incorrect.
     Troubleshooting: Check the following:
       1. Tenant needs three API permissions under App registrations in the Azure portal (see the attached image).
       2. Verify the tenant details provided in the Intune endpoint configuration.

  2. Error Message: Given organization must match with organization defined in group policy.
     Description: The policy mapped for the MS Intune endpoint configured group is set as strict and organization is configured in the policy. The CSR sent from the client does not contain the exact organization name.
     Troubleshooting: Set the policy as suggestive, OR provide a proper value for Organization in the SCEP profile in MS Intune portal.

  3. Error Message: Failed to submit the certificate to CA
     Description: Certificate enrollment has failed on the CA side due to an issue with the submitted CSR.
     Troubleshooting: Check the respective VW request or direct request to find more about the error details and remediate the same.

  4. Error Message: Either CSR parameters,CA details or certificate algorithm values are not compliant with the policy name - <Policy Name>
     Description: CSR parameters from the client do not match the parameters configured in the AppViewX policy.
     Troubleshooting: Check if the policy is set as strict.
       • Provide a proper value for Organization in the SCEP profile in MS Intune portal.
       • Change the policy type to Suggestive.