7.2.0

Pushing certificates for VPN authentication to FortiClient (Android)

You can push certificates for VPN authentication from Intune to FortiClient (Android). FortiClient (Android) 7.2.1 and later versions list these certificates in the certificate selection dialog.

Intune does not support uploading a .p12 user certificate to devices. You can push a certificate via Intune using PKCS.

To configure a certificate profile:
  1. Complete the configuration using the following Microsoft guidelines. See step 2 for configuring the Subject name format field before you complete creating the certificate profile:
  2. Intune uses the Subject name format field to request specific certificates from the certificate authority (CA). You can configure this field with dynamic or static values. Do one of the following:
    • To statically request a user's certificate, enter the desired values in the Subject name format field. For example, to request a user’s certificate from the user “jp3” in an organizational unit (OU) called “Users”, enter CN=jp3,OU=Users,... in the Subject name format field.
    • To dynamically request a user's certificate, you can use the following values for common name (CN) on Android. See Configure and use PKCS certificates with Intune.
      • CN={{UserName}}
      • CN={{UserPrincipalName}}
      • CN={{AAD_Device_ID}}
      • CN={{DeviceId}}
      • CN={{OnPrem_Distinguished_Name}}
      • CN={{onPremisesSamAccountName}}

      For E, you can use E={{EmailAddress}}

      The endpoint retrieves these dynamic values from Intune once the device is enrolled.

      If the user enrolls their device with an email address of example@test.com, then E=example@test.com.

      For example, to push unique certificates for each user according to their username and email address, you can configure the following:

    On the CA, the certificate is issued to Intune. Intune then pushes the certificate to the device. When selecting a certificate to connect to VPN in FortiClient, the dialog lists the pushed certificate:
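
A pre-deployment check for the Subject name format value from step 2, as an added example (not Fortinet's or Microsoft's code): it flags variables the page does not list for an attribute and previews the subject one user would receive. The function names, the sample template, and the RFC 4514 escaping of substituted values are assumptions of this example.

```python
import re

# Variables this page lists for Android, keyed by subject attribute.
# Matching the exact spelling shown on the page is an assumption of this example.
ALLOWED = {
    "CN": {"UserName", "UserPrincipalName", "AAD_Device_ID", "DeviceId",
           "OnPrem_Distinguished_Name", "onPremisesSamAccountName"},
    "E": {"EmailAddress"},
}
TOKEN = re.compile(r"\{\{(.*?)\}\}")

def lint(template):
    """Return a list of problems; an empty list means the template passes."""
    problems = []
    for rdn in (p.strip() for p in template.split(",")):
        attr, sep, value = rdn.partition("=")
        attr = attr.strip().upper()
        if not sep or not attr or not value:
            problems.append(f"malformed component: {rdn!r}")
            continue
        for name in TOKEN.findall(value):
            if name not in ALLOWED.get(attr, set()):
                problems.append(f"{attr}: {{{{{name}}}}} is not listed for this attribute")
        if re.search(r"[{}]", TOKEN.sub("", value)):
            problems.append(f"{attr}: stray brace in {value!r}")
    return problems

def escape(value):
    """Backslash-escape DN separators (RFC 4514) so a value cannot add components."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

def preview(template, attrs):
    """Expand a linted template with one user's enrollment attributes."""
    problems = lint(template)
    if problems:
        raise ValueError("; ".join(problems))
    def expand(match):
        if match.group(1) not in attrs:
            raise KeyError(match.group(1))
        return escape(attrs[match.group(1)])
    return TOKEN.sub(expand, template)

# Constructed inputs: the template is illustrative; the address is the page's example.
TEMPLATE = "CN={{UserName}},E={{EmailAddress}}"
USER = {"UserName": "jp3", "EmailAddress": "example@test.com"}

if __name__ == "__main__":
    print(preview(TEMPLATE, USER))
    print(lint("CN={{UserNme}},E={{EmailAddress}}"))
```

A misspelled variable is worth catching before the profile is assigned, because the subject in the issued certificate is what the VPN side ends up matching on.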
