082: Review security, compliance, resource access requirements (Certs/Wi-Fi/VPN)
Overview
When planning to deploy certificates, Wi-Fi, and VPN profiles to Android devices in Intune, there are several important considerations to keep in mind:
1. Enrollment Method
- Choose the Right Enrollment Type: Decide between Android Enterprise options (like Work Profile, Fully Managed, or Dedicated devices) based on your organization's needs. Each method has different capabilities and management levels.
2. Certificate Management
- SCEP and PKCS Certificates: Ensure you have a clear strategy for deploying certificates. SCEP (Simple Certificate Enrollment Protocol) is commonly used for automated certificate provisioning. Make sure your devices are configured to accept these certificates for Wi-Fi and VPN authentication¹(https://learn.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-android).
- Trusted Root Certificates: Deploy trusted root certificates to establish a secure connection. Ensure that these certificates are correctly configured and distributed to devices²(https://learn.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root).
3. Wi-Fi Configuration
- Profile Settings: When creating Wi-Fi profiles, specify the SSID, security type (e.g., WPA2), and authentication methods (like EAP-TLS or PEAP). Ensure that the settings align with your organization's network requirements¹(https://learn.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-android).
- Hidden Networks: Decide whether to hide the SSID from users. If you choose to hide it, ensure users know how to connect to the network.
4. VPN Configuration
- VPN Type: Choose the appropriate VPN type (e.g., IKEv2, L2TP) based on your security needs and compatibility with your infrastructure.
- Conditional Access: Implement conditional access policies to ensure that only compliant devices can connect to the VPN. This adds an extra layer of security.
5. User Experience
- Ease of Use: Consider the user experience when deploying these profiles. Ensure that the enrollment process is straightforward and that users receive clear instructions on how to connect to Wi-Fi and VPN.
- Support and Training: Provide adequate support and training for users to help them understand how to use the deployed profiles effectively.