Pushing certificates for VPN authentication to FortiClient (iOS)
According to Microsoft Intune documentation, you can push a certificate using PKCS and SCEP certificate profiles. PKCS-imported certificates do not support authentication. Although this document provides examples using PKCS, due to scalability limitations, using SCEP is generally recommended.
To configure a certificate profile:
1. Do one of the following. See step 2 for configuring the Subject name format field before you complete creating the certificate profile:
   - To configure an SCEP certificate profile, do the following:
     - Configure your infrastructure following the Microsoft guidelines. See Configure infrastructure to support SCEP with Intune.
     - Create the SCEP certificate profiles. See Create and assign SCEP certificate profiles in Intune.
   - To configure a PKCS certificate profile, complete the configuration using the Microsoft guidelines.
2. For both certificate profile types, Intune uses the Subject name format field to request specific certificates from the certificate authority (CA). You can configure this field with dynamic or static values. Do one of the following:
   - To statically request a user's certificate, enter the desired values in the Subject name format field. The example statically requests a certificate for the user "jp4" in an organizational unit (OU) called "Users". From the Certificate type dropdown list, select User. In the Subject name format field, enter CN=jp4,OU=Users,.... The following shows an example for an SCEP certificate profile:

     The following shows an example for a PKCS certificate profile:

   - To dynamically request a user's certificate, you can use the following values for the common name (CN) on iOS. See Subject name format.
     - CN={{UserName}}
     - CN={{UserPrincipalName}}
     - CN={{AAD_Device_ID}}
     - CN={{DeviceId}}
     - CN={{SERIALNUMBER}}
     - CN={{IMEINumber}}
     - CN={{OnPrem_Distinguished_Name}}
     - CN={{onPremisesSamAccountName}}

     For E, you can use E={{EmailAddress}}.

     The endpoint retrieves these dynamic values from Intune once the device is enrolled. If the user enrolls their device with an email address of example@test.com, then E=example@test.com.

     The following example shows how to push a unique certificate to each user who belongs to the Users OU, keyed on their username and email address. The following shows an example for an SCEP certificate profile:

     The following shows an example for a PKCS certificate profile:
To confirm that Intune successfully pushed the profile to the iOS device, go to device Settings > General > VPN & Device Management > Your management profile > More Details. The "jp4" certificate appears as installed on the device.
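As an added example (not part of the Fortinet documentation and not Intune's own code), the following Python models how the Subject name format template resolves at enrollment time: each {{Variable}} listed above is substituted from the enrolled user's attributes, unknown or empty variables are rejected instead of silently producing an empty CN, and DN special characters in the resolved values are escaped so a username containing a comma cannot split the subject into extra RDNs. The attribute names and values in SAMPLE_ENROLLMENT are constructed for this example; the page does not show the values Intune holds per user.

```python
from __future__ import annotations
import re
from typing import Mapping

# Dynamic variables this page lists for the iOS Subject name format field.
SUPPORTED_VARIABLES = {
    "UserName", "UserPrincipalName", "AAD_Device_ID", "DeviceId",
    "SERIALNUMBER", "IMEINumber", "OnPrem_Distinguished_Name",
    "onPremisesSamAccountName", "EmailAddress",
}

_PLACEHOLDER = re.compile(r"\{\{([A-Za-z_]+)\}\}")


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN string (RFC 4514 rules).

    A username such as 'Last, First' would otherwise split the CN into two
    RDNs and change which subject the CA issues.
    """
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def render_subject(template: str, attrs: Mapping[str, str]) -> str:
    """Resolve every {{Variable}} in an Intune-style subject template.

    Unknown variables and attributes that are empty at enrollment time raise
    ValueError rather than yielding an empty RDN such as 'CN='.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in SUPPORTED_VARIABLES:
            raise ValueError("unsupported subject variable " + match.group(0))
        value = attrs.get(name, "")
        if not value:
            raise ValueError("enrollment attribute not populated: " + name)
        return escape_rdn_value(value)

    return _PLACEHOLDER.sub(substitute, template)


# Constructed enrollment attributes for a hypothetical user; not real data.
SAMPLE_ENROLLMENT = {
    "UserName": "jp4",
    "UserPrincipalName": "jp4@test.com",
    "EmailAddress": "example@test.com",
}

if __name__ == "__main__":
    # Static request from the page: a fixed user in the Users OU.
    print(render_subject("CN=jp4,OU=Users", SAMPLE_ENROLLMENT))
    # Dynamic request: one certificate per user, keyed on username and email.
    print(render_subject("CN={{UserName}},OU=Users,E={{EmailAddress}}", SAMPLE_ENROLLMENT))
```

Failing closed on an unpopulated attribute matters operationally: a profile that renders to `CN=` for a device whose directory object lacks the attribute would be rejected by most CAs, and on a permissive CA would issue a certificate with no identity in it.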
To create a VPN profile with the certificate assigned:
For FortiClient to use the certificate for VPN authentication, you must create a VPN profile on Intune with the certificate assigned.
1. In Intune, go to Devices > iOS/iPadOS > Configuration profiles > Create > New Policy.
2. From the Platform dropdown list, select iOS/iPadOS.
3. From the Profile type dropdown list, select Templates.
4. Under Template name, select VPN.
5. From the Connection type dropdown list, select Custom VPN.
6. From the Authentication method dropdown list, select Certificates.
7. Under Authentication certificate, select the PKCS or SCEP certificate.
8. Configure other fields as desired.
You must format the VPN server address as "https://<IP address>:<port>", and the port value is mandatory. Failing to follow this format causes FortiClient errors. If FortiClient parses the profile correctly, the VPN profile appears in both the iOS and the FortiClient VPN lists. If the profile does not appear in FortiClient, FortiClient failed to parse the VPN configuration; the usual cause is a server address that is missing the port number.
The Custom VPN connection type requires key-value pairs. The key-value pairs available for iOS are as follows:
- SingleSignOn = True/False
- ShowSavePassword = True/False
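Added example, not Fortinet's or Intune's own code: a small pre-push check in Python that applies the rules above to a Custom VPN profile before it is assigned. The server address must be https://<IP address>:<port> with the port present, and the custom key-value pairs must use the two iOS keys listed with True/False values. It goes slightly beyond the page in also flagging a non-https scheme and a host that is not an IP address, both implied by the documented format. The addresses and pairs in the usage section are constructed samples.

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

# Key-value pairs this page lists for iOS; anything else is flagged.
ALLOWED_KEYS = {"SingleSignOn", "ShowSavePassword"}


def check_server_address(address: str) -> list[str]:
    """Return the problems with a server address, or [] if it matches
    https://<IP address>:<port> with the port present."""
    problems: list[str] = []
    try:
        parts = urlsplit(address)
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    if parts.scheme != "https":
        problems.append(f"scheme must be https, got {parts.scheme!r}")
    if not parts.hostname:
        # The garbled form https:<IP>//:<port> lands here: urlsplit sees no netloc.
        problems.append("missing host: expected https://<IP address>:<port>")
    else:
        try:
            ipaddress.ip_address(parts.hostname)
        except ValueError:
            problems.append("host is not an IP address; the documented format uses one")
    try:
        port = parts.port
    except ValueError:
        port = None
        problems.append("port is not numeric")
    else:
        if port is None:
            problems.append(
                "missing port: the port is mandatory, FortiClient cannot parse "
                "the profile without it"
            )
    return problems


def check_custom_pairs(pairs: dict[str, str]) -> list[str]:
    """Validate the Custom VPN key-value pairs against the iOS keys on this page."""
    problems: list[str] = []
    for key, value in pairs.items():
        if key not in ALLOWED_KEYS:
            problems.append(f"unknown key {key!r}; iOS accepts {sorted(ALLOWED_KEYS)}")
        if value not in ("True", "False"):
            problems.append(f"{key} must be True or False, got {value!r}")
    return problems


def lint_profile(server_address: str, pairs: dict[str, str]) -> list[str]:
    """Combine both checks; an empty list means the profile is safe to push."""
    return check_server_address(server_address) + check_custom_pairs(pairs)


if __name__ == "__main__":
    # Constructed sample profiles: one valid, one missing the mandatory port,
    # one in the malformed https:<IP>//:<port> shape.
    samples = [
        ("https://10.0.0.1:10443", {"SingleSignOn": "True", "ShowSavePassword": "False"}),
        ("https://10.0.0.1", {"SingleSignOn": "True"}),
        ("https:10.0.0.1//:443", {"SingleSignOn": "yes"}),
    ]
    for address, pairs in samples:
        print(address, "->", lint_profile(address, pairs) or "OK")
```

Running the linter on exported profile values before assignment catches the "profile never shows up in FortiClient" failure mode described above at configuration time, where the error message is still attached to the field that caused it.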
Once Intune pushes the profile, FortiClient (iOS) lists the profile as a VPN tunnel.
If you look at the VPN tunnel details, the certificate file name is changed to MDM Managed to indicate that FortiClient received the certificate from a mobile device management (MDM) platform.
You can also access the VPN profile from iOS settings by going to Settings > General > VPN & Device Management > VPN. You can view and enable the existing VPN profile. Enabling the VPN profile in Settings causes iOS to launch the SSL VPN tunnel using FortiClient.