Introduction

The Keyfactor implementation of the Simple Certificate Enrollment Protocol (SCEP) can be used wherever a SCEP server is required. Keyfactor’s SCEP server implementation follows the SCEP protocol as outlined in draft-nourse-scep-23 (see https://tools.ietf.org/id/draft-nourse-scep-23.txt), with an additional Intune-gated mode. In Intune-gated mode, the Keyfactor SCEP server validates every incoming enrollment request against the customer’s Intune instance, utilizing a Microsoft-proprietary API and protocol. Microsoft Intune is a cloud-based service that manages policies to control applications and ensure security and productivity in both corporate and bring-your-own-device (BYOD) scenarios. Keyfactor customers commonly integrate Keyfactor SCEP with Microsoft Intune for mobile device management (MDM).

More information about Intune, including a brief overview in Microsoft’s architectural document, is available on the Microsoft documentation site at:

The SCEP protocol allows a device to enroll for a certificate by contacting a PKI at a known URL and proving its authorization with a shared secret, which SCEP carries inside the certificate request as the challengePassword attribute. The Keyfactor SCEP server role runs under Microsoft IIS and requires at least one Microsoft CA on the back end. Although the Keyfactor SCEP implementation and Microsoft's own SCEP implementation (NDES) can be co-located on the same server, NDES does not need to be installed to support the Keyfactor SCEP installation; the Keyfactor SCEP server has no dependency on NDES.
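The first thing a SCEP client does against any SCEP server, Keyfactor's included, is the GetCACaps exchange: it fetches the server's capability keywords and then chooses the hash and envelope algorithms for the rest of the enrollment. The following is an added example written for this page, not Keyfactor's code and not taken from draft-nourse-scep-23 itself; the URL shape and the capability keywords are those the draft defines, while the server hostname, the sample response body and the "refuse anything weaker than SHA-256 and 3DES" policy are assumptions made here. It uses only the standard library and runs offline against the constructed response.

```python
"""
Added example (not Keyfactor's code): building SCEP request URLs and
negotiating algorithms from a GetCACaps response, per draft-nourse-scep-23.
Hostnames, the sample response and the minimum-strength policy are assumed.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Capability keywords defined by draft-nourse-scep-23 for GetCACaps.
KNOWN_CAPS = {"GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-512", "SHA-256", "SHA-1", "DES3"}

# Strongest first. If a CA advertises none of these, the protocol's
# defaults apply (MD5 for hashing, single DES for the envelope), which
# is why a client should insist on seeing a modern capability set.
HASH_PREFERENCE = ["SHA-512", "SHA-256", "SHA-1"]
MIN_HASH = "SHA-256"          # policy chosen for this example


def scep_url(base_url, operation, message=None):
    """Build a SCEP GET URL: <base>?operation=<op>[&message=<msg>].

    For GetCACert the message is the CA identifier; for a GET-based
    PKIOperation it is the base64 PKCS#7 pkiMessage, which urlencode
    escapes so '+', '/' and '=' survive the query string.
    """
    query = {"operation": operation}
    if message is not None:
        query["message"] = message
    parts = urlsplit(base_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), ""))


def parse_ca_caps(body):
    """Parse a GetCACaps text body (one keyword per line) into a set.

    Unknown keywords are ignored rather than rejected, so a newer server
    does not break an older client; whitespace-only lines are skipped.
    """
    caps = set()
    for line in body.splitlines():
        keyword = line.strip()
        if keyword in KNOWN_CAPS:
            caps.add(keyword)
    return caps


def negotiate(caps):
    """Choose algorithms and transport from advertised capabilities.

    Raises ValueError when the CA offers nothing that meets MIN_HASH or
    does not offer DES3, so the client never silently falls back to the
    weak protocol defaults.
    """
    hash_alg = next((h for h in HASH_PREFERENCE if h in caps), None)
    if hash_alg is None or \
            HASH_PREFERENCE.index(hash_alg) > HASH_PREFERENCE.index(MIN_HASH):
        raise ValueError("CA offers no acceptable hash (need %s or better)"
                         % MIN_HASH)
    if "DES3" not in caps:
        raise ValueError("CA does not advertise DES3; refusing single-DES")
    return {
        "hash": hash_alg,
        "cipher": "DES3",
        "use_post": "POSTPKIOperation" in caps,   # POST avoids URL limits
        "renewal": "Renewal" in caps,
    }


# Constructed sample: a server URL and a GetCACaps body as a modern SCEP
# server might return it, including one keyword this client does not know.
SAMPLE_BASE_URL = "https://scep.example.test/scep/pkiclient.exe"
SAMPLE_CAPS_BODY = ("POSTPKIOperation\nSHA-256\nSHA-1\nDES3\n"
                    "Renewal\nGetNextCACert\nFutureKeyword\n")

if __name__ == "__main__":
    print(scep_url(SAMPLE_BASE_URL, "GetCACaps"))
    print(scep_url(SAMPLE_BASE_URL, "GetCACert", "Example CA"))
    print(negotiate(parse_ca_caps(SAMPLE_CAPS_BODY)))
```

The check in `negotiate` is the part worth keeping in a real client: a SCEP server that answers GetCACaps with only SHA-1 and no DES3, or that does not answer at all, pushes a naive client back to MD5 and single DES, and the shared secret in the request is then protected by exactly that envelope.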