Configuring Intune Exporter

The SCM integration with Intune Exporter enables you to automatically export client certificates and private keys from the SCM Sectigo Key Vault to Intune for use with mobile device management.

The Intune Exporter integration is only available if enabled for your account. For more information, contact your Sectigo account manager.

The process of configuring Azure and SCM for Intune Exporter involves the following:

Prerequisites

SCM integration with Azure Intune Exporter requires the following:

  • An active Azure subscription.

  • Azure Global Administrator permissions.

  • Ensure SCM persons can be mapped to the corresponding Azure users by satisfying one of the following conditions:

    • (Suggested) The Principal Name (UPN) for the person account (client certificate) in SCM must be the same as the user name in Azure.

    • The Email for the person account (client certificate) in SCM must be the same as the mail attribute in Azure.

  • SCM Key Vault enabled for your account.

  • Access granted for the following Sectigo Certificate Manager public IP ranges:

    • 91.199.212.0/24

    • 91.209.196.0/24

    • 91.212.12.0/24
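The person-to-user mapping condition above is easy to get wrong at scale, and a person whose SCM Principal Name or Email matches no Azure user (or matches more than one) is a certificate that cannot be delivered. The following added example, which is not Sectigo or Microsoft code, runs the two conditions in the stated order of preference (UPN first, then mail) over constructed sample data. It assumes the SCM Principal Name corresponds to the Azure userPrincipalName attribute and the SCM Email to the Azure mail attribute; the two lists stand in for an SCM person export and a Microsoft Graph /users listing and are entirely made up.

```python
"""Check that SCM persons can be mapped to Azure users before enabling Intune Exporter.

Added example, not Sectigo or Microsoft code. SCM_PERSONS and AZURE_USERS are
constructed sample data standing in for an SCM person export and a Graph /users
listing; replace them with your real exports.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScmPerson:
    name: str
    principal_name: str   # SCM "Principal Name" field (assumed to carry the UPN)
    email: str            # SCM "Email" field


@dataclass(frozen=True)
class AzureUser:
    object_id: str
    user_principal_name: str
    mail: Optional[str]   # the Azure "mail" attribute may be empty


# Constructed sample data: each person illustrates one mapping outcome.
SCM_PERSONS = [
    ScmPerson("Alice", "alice@example.com", "alice@example.com"),      # UPN match
    ScmPerson("Bob", "bob.old@example.com", "bob@example.com"),        # UPN stale, mail matches
    ScmPerson("Carol", "", "carol@example.com"),                        # no UPN, mail matches
    ScmPerson("Dave", "dave@example.com", "dave@example.com"),         # no Azure user at all
    ScmPerson("Erin", "", "shared@example.com"),                       # mail shared by two users
]

AZURE_USERS = [
    AzureUser("0001", "alice@example.com", "alice@example.com"),
    AzureUser("0002", "bob@example.com", "bob@example.com"),
    AzureUser("0003", "carol@example.com", "carol@example.com"),
    AzureUser("0004", "erin1@example.com", "shared@example.com"),
    AzureUser("0005", "erin2@example.com", "shared@example.com"),
]


def _norm(value: Optional[str]) -> str:
    """Case-insensitive, whitespace-tolerant comparison key for UPNs and mail."""
    return (value or "").strip().lower()


def map_persons(persons: List[ScmPerson],
                users: List[AzureUser]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each SCM person to an Azure object id.

    Returns {person name: (object_id or None, "upn" | "mail" | "unmatched" | "ambiguous")}.
    UPN is tried first (the suggested condition); mail is the fallback.
    """
    by_upn: Dict[str, List[AzureUser]] = {}
    by_mail: Dict[str, List[AzureUser]] = {}
    for u in users:
        by_upn.setdefault(_norm(u.user_principal_name), []).append(u)
        if u.mail:
            by_mail.setdefault(_norm(u.mail), []).append(u)

    result: Dict[str, Tuple[Optional[str], str]] = {}
    for p in persons:
        candidates = by_upn.get(_norm(p.principal_name), []) if p.principal_name else []
        how = "upn"
        if not candidates:
            candidates = by_mail.get(_norm(p.email), []) if p.email else []
            how = "mail"
        if len(candidates) == 1:
            result[p.name] = (candidates[0].object_id, how)
        elif not candidates:
            result[p.name] = (None, "unmatched")
        else:
            # Several Azure users share this mail value: refuse to guess.
            result[p.name] = (None, "ambiguous")
    return result


def unmappable(persons: List[ScmPerson], users: List[AzureUser]) -> List[str]:
    """Names of persons that would be skipped by the export because no single user matches."""
    return [name for name, (oid, _) in map_persons(persons, users).items() if oid is None]


if __name__ == "__main__":
    for name, (oid, how) in map_persons(SCM_PERSONS, AZURE_USERS).items():
        print(f"{name:6} -> {oid or '-':5} ({how})")
```

Persons reported as "unmatched" or "ambiguous" need their SCM Principal Name fixed to the Azure UPN before the export task is created; matching on mail alone is fragile because the mail attribute is neither mandatory nor guaranteed unique in the directory.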

Register an application in Azure

  1. Log in to Microsoft Azure.

  2. Create an application to connect to SCM.

    1. Navigate to the App registrations page, and click New registration.

    2. Enter a name for the application.

    3. Select Accounts in this organizational directory only.

    4. Click Register.

      Save the Application (client) ID and Directory (tenant) ID for use when creating an Azure account in SCM.

  3. Create a client secret.

    1. Under the application, navigate to the Certificates & secrets page.

    2. On the Client secrets tab, click New client secret.

    3. Provide a description and expiration period for the client secret, and click Add.

      Save the Value for use when creating an Azure account in SCM.

  4. Set API permissions for the application.

    1. Under the application, navigate to the API permissions page.

    2. Click Add a permission, select Microsoft Graph > Application permissions, select Application.Read.All, Directory.Read.All, User.Read.All, and click Add permissions.

    3. Click Add a permission, select Microsoft Graph > Delegated permissions, select User.Read, and click Add permissions.

    4. Click Grant admin consent for <YourCompanyName>.

Now that the application is registered in Azure, you can create an Azure account in SCM. For more information, see Understanding Azure accounts.

Configure Intune to use imported certificates

To configure your Intune infrastructure for using imported .pem certificates, do the following:

  1. Download, install, and configure the Certificate Connector for Microsoft Intune.

  2. Build 'PFXImport PowerShell Project' cmdlets.

    This step is not required if the file has already been provided to you by your Sectigo account manager.

  3. Create the encryption public key.

    You must export the key in a .pem format using the following command:

    Export-IntunePublicKey -ProviderName "Microsoft Software Key Storage Provider" -KeyName "<KeyName>" -FILEFORMAT "PEM" -FilePath "<File path\Filename.PEM>"

  4. Create a PKCS imported certificate profile.

  5. Record your Key name and Public Key for use when configuring an Intune Exporter task in SCM.
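Before pasting the exported key into the SCM task, it is worth confirming that the file really is a single PEM public-key block and not a private key, a PFX, or a file with trailing junk. The following added example (not Sectigo or Microsoft code) performs that check without external libraries: it finds the PEM block, rejects anything labelled as a private key, base64-decodes the body and verifies that the outer DER SEQUENCE length matches the decoded size. The sample PEM strings are constructed stand-ins with a tiny DER payload, not real keys.

```python
"""Sanity-check an exported Intune encryption public key file before using it in SCM.

Added example, not Sectigo or Microsoft code. The sample PEM texts below are
constructed: their DER payloads are minimal SEQUENCEs, not real RSA keys.
"""
import base64
import binascii
import re
from typing import Dict

# Label, then body, then a matching END line. \1 forces BEGIN/END labels to agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
ACCEPTED_LABELS = ("PUBLIC KEY", "RSA PUBLIC KEY")


def _outer_tlv_length(der: bytes) -> int:
    """Return the full encoded size (tag + length + value) of the outer DER SEQUENCE."""
    if len(der) < 2:
        raise ValueError("DER too short")
    if der[0] != 0x30:
        raise ValueError("outer DER element is not a SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_public_key_pem(text: str) -> Dict[str, object]:
    """Validate the PEM text and return its label and DER size, or raise ValueError."""
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if "PRIVATE" in label:
        raise ValueError(f"{label} block: this file contains a private key, not the public key")
    if label not in ACCEPTED_LABELS:
        raise ValueError(f"unexpected PEM label {label!r}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if _outer_tlv_length(der) != len(der):
        raise ValueError("DER length does not match decoded size (truncated or trailing data)")
    return {"label": label, "der_bytes": len(der)}


def is_usable_public_key_pem(text: str) -> bool:
    """True if the text passes inspect_public_key_pem, False otherwise."""
    try:
        inspect_public_key_pem(text)
        return True
    except ValueError:
        return False


# Constructed samples. Short-form length: SEQUENCE { INTEGER 5 } = 30 03 02 01 05.
SAMPLE_SHORT_PEM = "-----BEGIN PUBLIC KEY-----\nMAMCAQU=\n-----END PUBLIC KEY-----\n"
# Long-form length: a 300-byte body (0x012C) of NULLs, as a real SubjectPublicKeyInfo would use.
_LONG_DER = b"\x30\x82\x01\x2c" + b"\x05\x00" * 150
SAMPLE_LONG_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                   + base64.b64encode(_LONG_DER).decode()
                   + "\n-----END PUBLIC KEY-----\n")
SAMPLE_PRIVATE_PEM = "-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
SAMPLE_TRUNCATED_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                        + base64.b64encode(_LONG_DER[:-10]).decode()
                        + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    for name, pem in [("short", SAMPLE_SHORT_PEM), ("long", SAMPLE_LONG_PEM),
                      ("private", SAMPLE_PRIVATE_PEM), ("truncated", SAMPLE_TRUNCATED_PEM)]:
        try:
            print(name, inspect_public_key_pem(pem))
        except ValueError as exc:
            print(name, "REJECTED:", exc)
```

The private-key check is the one that matters most: the Export-IntunePublicKey step produces only the public half, and that is all SCM needs to encrypt exported PFX blobs for the Intune Certificate Connector, so a file carrying a PRIVATE KEY label indicates the wrong export was made.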