082: Review security, compliance, resource access requirements (Certs/Wi-Fi/VPN)

Overview

When planning to deploy certificates, Wi-Fi, and VPN profiles to Android devices in Intune, there are several important considerations to keep in mind:

1. Enrollment Method

• Choose the Right Enrollment Type: Decide between Android Enterprise options (like Work Profile, Fully Managed, or Dedicated devices) based on your organization's needs. Each method has different capabilities and management levels.

2. Certificate Management

• SCEP and PKCS Certificates: Ensure you have a clear strategy for deploying certificates. SCEP (Simple Certificate Enrollment Protocol) is commonly used for automated certificate provisioning. Make sure your devices are configured to accept these certificates for Wi-Fi and VPN authentication¹(https://learn.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-android).
• Trusted Root Certificates: Deploy trusted root certificates to establish a secure connection. Ensure that these certificates are correctly configured and distributed to devices²(https://learn.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root).

3. Wi-Fi Configuration

• Profile Settings: When creating Wi-Fi profiles, specify the SSID, security type (e.g., WPA2), and authentication methods (like EAP-TLS or PEAP). Ensure that the settings align with your organization's network requirements¹(https://learn.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-android).
• Hidden Networks: Decide whether to hide the SSID from users. If you choose to hide it, ensure users know how to connect to the network.

4. VPN Configuration

• VPN Type: Choose the appropriate VPN type (e.g., IKEv2, L2TP) based on your security needs and compatibility with your infrastructure.
• Conditional Access: Implement Conditional Access policies to ensure that only compliant devices can connect to the VPN. This adds an extra layer of security.

5. User Experience

• Ease of Use: Consider the user experience when deploying these profiles. Ensure that the enrollment process is straightforward and that users receive clear instructions on how to connect to Wi-Fi and VPN.
• Support and Training: Provide adequate support and training for users to help them understand how to use the deployed profiles effectively.

6. Testing and Validation

• Pilot Testing: Before a full rollout, conduct pilot testing with a small group of users to identify any issues with the deployment of certificates, Wi-Fi, and VPN profiles.
• Monitoring and Feedback: After deployment, monitor the performance and gather user feedback to make necessary adjustments.

7. Security Policies

• Compliance and Security: Ensure that all profiles comply with your organization’s security policies. Regularly review and update these policies to address any emerging threats or changes in technology.

Reference

• (1) Configure Wi-Fi settings for Android devices in Microsoft Intune. https://learn.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-android.
• (2) Create trusted certificate profiles in Microsoft Intune. https://learn.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root.
• (3) Configure security, email, VPN, and Wi-Fi device configuration profiles .... https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-plan-configuration-profile.
• (4) Support for SCEP certificates in Android Enterprise dedicated devices. https://techcommunity.microsoft.com/t5/intune-customer-success/support-for-scep-certificates-in-android-enterprise-dedicated/ba-p/928147.