Netskope Help

Create Certificate Profiles for Intune

To configure Intune, you need to create a trusted certificate profile, a SCEP certificate profile, and a trusted Netskope certificate profile.

Create a Trusted Certificate Profile

Create a Trusted Certificate profile before creating the SCEP or .PFX certificate profile. 

You will need your SCEP server certificate to complete these steps.

To create a trusted certificate profile:

  1. Log in to the Microsoft Azure portal (https://portal.azure.com) using an admin account.

  2. In the Azure admin console, go to Intune > Device Configuration.

  3. You need to create a Trusted certificate profile before you can create a SCEP or Netskope certificate profile.

    To create a trusted certificate profile, click Profiles > Create Profile.

  4. Enter and select these parameters: 

    • Name: Enter a unique name.

    • Platform: iOS.

    • Profile type: Trusted certificate.

    The Trusted Certificate panel opens. Upload the SCEP server root certificate, and then click OK.

  5. Click Create.

Create a SCEP Certificate Profile

After creating a Trusted CA certificate profile, create a SCEP certificate profile. When you create a SCEP certificate profile, you must specify a Trusted certificate profile for it. This associates the two profiles, but you must still deploy each profile separately.

You need to copy the Tenant OU and Organization Name values from the Netskope UI. To get the values, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution. You also need to know your SCEP server URL to complete these steps.

To create a SCEP certificate profile:

  1. Click Profile > Create Profile.

  2. Enter and select these parameters:

    • Name: Enter a unique name.

    • Platform: iOS.

    • Profile type: SCEP certificate.

  3. In the SCEP Certificate panel, enter and select these parameters:

    • Certificate Type: User

    • Subject Name Format: Select Custom, and then enter this in the Custom text field: CN={{EmailAddress}},E={{EmailAddress}},OU= <Tenant OU from Netskope UI>,O= <CompanyName>

    • Subject Alternate Name: Select both Email Address and User Principal Name (UPN).

    • Certificate Validity Period: Select how long to keep the certificate valid.

    • Key Usage: Select both Digital Signature and Key Encipherment.

    • Key Size: 2048.

    • Root Certificate: Click Select a Certificate and then in the Root Certificate panel, select the Trusted Certificate profile created previously. When finished, click OK.

    • Extended Key Usage: Select Client Authentication from the Predefined Values dropdown list, which populates the Name and Object Identifier fields.

    • Renewal Threshold: Leave the default value (recommended) or enter a new one.

    • SCEP Server URLs: Enter the URL for your SCEP server.

  4. When finished, click OK.

  5. Click Create.

Create a Trusted Netskope Root Certificate Profile

After creating a SCEP certificate profile, create a Trusted Root certificate profile for Netskope.

You need to download the Netskope Root certificate from the Netskope UI to complete these steps. To get the certificate, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution.

Important

The Netskope Root certificate is in .pem format. You will need to convert it to .cer or .crt format before importing it.

To create a trusted Netskope certificate profile:

  1. Click Profile > Create Profile.

  2. Enter and select these parameters: 

    • Name: Enter a unique name.

    • Platform: iOS.

    • Profile type: Trusted certificate.

    Upload the Netskope Root certificate, and then click OK.

  3. Click Create.

Upload Certificates to Netskope

The root CA certificate and any intermediate CA certificates used to issue the device certificates must be uploaded to Netskope so that the Netskope VPN infrastructure can validate certificates from devices.

Retrieve root and intermediate CA certificates from the SCEP server and upload them in the Netskope UI in PEM format. Copy the intermediate certificate first, and the root certificate last, into one file.
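
The ordering rule above (intermediate first, root last) as an added example that is not part of the original Netskope documentation: this Python code takes CA certificates pasted in any order and returns the single PEM file in upload order, refusing a bundle that has no root or a gap in the chain. The function names are hypothetical. It assumes that with more than one intermediate, each goes before its issuer, and it matches issuer and subject names only, without verifying signatures.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version wrapper
        _, _, end = read_tlv(der, end)  # serialNumber follows it
    _, _, pos = read_tlv(der, end)      # signature AlgorithmIdentifier
    _, _, issuer_end = read_tlv(der, pos)
    _, _, subject_start = read_tlv(der, issuer_end)  # validity
    _, _, subject_end = read_tlv(der, subject_start)
    return der[pos:issuer_end], der[subject_start:subject_end]

def order_chain(pem_text):
    """Return a PEM bundle: each intermediate before its issuer, root last.

    Names are compared byte for byte; signatures are not verified.
    """
    certs = []
    for match in PEM_CERT.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        issuer, subject = issuer_and_subject(der)
        certs.append((match.group(0), issuer, subject))
    roots = [c for c in certs if c[1] == c[2]]
    if len(roots) != 1:
        raise ValueError("expected exactly one self-issued root, found %d" % len(roots))
    chain = roots
    rest = [c for c in certs if c is not roots[0]]
    while rest:  # prepend the certificate issued by the current head
        children = [c for c in rest if c[1] == chain[0][2]]
        if len(children) != 1:
            raise ValueError("intermediates do not form a single chain to the root")
        chain.insert(0, children[0])
        rest.remove(children[0])
    return "\n".join(c[0] for c in chain) + "\n"
```
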

To upload your complete certificate chain used to validate mobile devices:

  1. Go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution, and then scroll down the page until you see the Upload Certificate to Netskope section.

  2. Click Upload/Replace Certificate, and then click Select Certificate to locate and select your certificate file.

  3. When finished, click Upload.

  4. When the Preview message box opens, click Save.