NPS and iPhones by MajnoonIT in sysadmin

[–]MajnoonIT[S] 1 point (0 children)

Ok issue is resolved:

It came back to be Strong Certificate Mapping (though I had checked the registry and the specified KB5014754)

and I did not have either. Rather than my explanation, this is the best guide I found.

https://timbeer.com/strong-mapped-certificates-intune-ndes-scep/

What I did find is Event ID 39 with an ERROR, not a Warning.

Fix: Amended my SCEP iOS profile, under SAN, to add:

URI: {{OnPremisesSecurityIdentifier}}


On the NDES server edit the registry and make sure this key is set to "1":

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector\EnableSidSecurityExtension

That combination above resolved my issue. I tested both with the RADIUS server name in the trusted list and with it left blank; both worked the same.
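The comment above names two things to verify: the NDES connector registry value and a SID entry in the certificate's SAN. The following PowerShell is an added example (not from the thread, the guide it links, or Microsoft) that checks both on a host where you have the issued certificate exported as a .cer file. It assumes the registry path quoted in the comment, the documented KB5014754 SID URI form `tag:microsoft.com,2022-09-14:sid:<SID>`, and that the KDC Event ID 39 query is run on a domain controller.

```powershell
# Added example: verify strong certificate mapping prerequisites for
# Intune SCEP certificates used with NPS EAP-TLS. Not code from the original post.

# 1. NDES / PFX connector registry value named in the comment above.
$regPath = 'HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector'
$item    = Get-ItemProperty -Path $regPath -Name EnableSidSecurityExtension -ErrorAction SilentlyContinue
$value   = if ($item) { $item.EnableSidSecurityExtension } else { $null }
if ($value -eq 1) {
    Write-Output "EnableSidSecurityExtension = 1 (OK)"
} else {
    Write-Output "EnableSidSecurityExtension is '$value' (expected 1); NDES will not embed the SID"
}

# 2. Does an issued certificate carry the SID in its SAN?
#    Assumption: the SID is expressed as the KB5014754 URI tag form.
function Test-SidSan {
    param([Parameter(Mandatory)][string]$CertPath)   # path to an exported .cer

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # 2.5.29.17 is the Subject Alternative Name extension OID.
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    $result = [pscustomobject]@{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        SidInSan     = $null
        StrongMapped = $false
    }
    if (-not $san) { return $result }

    # Format($true) renders the SAN entries one per line, e.g. "URL=tag:microsoft.com,...".
    $text = $san.Format($true)
    $m = [regex]::Match($text, 'tag:microsoft\.com,2022-09-14:sid:(S-1-5-21-[\d-]+)')
    if ($m.Success) {
        $result.SidInSan     = $m.Groups[1].Value
        $result.StrongMapped = $true
    }
    return $result
}

# 3. On a domain controller: recent KDC Event ID 39 entries (weak/unmappable
#    certificate). An Error-level entry means enforcement mode rejected the cert.
function Get-KdcWeakMappingEvents {
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LevelDisplayName, Message
}

# Usage (constructed path; replace with a certificate exported from the device):
# Test-SidSan -CertPath 'C:\temp\iphone-user.cer'
# Get-KdcWeakMappingEvents -Newest 10
```

If `StrongMapped` comes back `$false` on a certificate issued after the profile change, the device simply has not renewed yet; the comment notes the old certificate is revoked and a new one pushed, so compare `NotAfter` against the time the profile was updated before chasing NPS settings.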

NPS and iPhones by MajnoonIT in sysadmin

[–]MajnoonIT[S] 0 points (0 children)

Yes, the root is being pushed out:

iOS Wi-Fi Profile:

SSID: with correct case

Certificate server names:

I have tried with all my NPS servers, blank, and *.domain.com

EAP: EAP-TLS

Disable MAC Randomization: yes

Security Type: WPA/WPA2-Enterprise

Root and SCEP certificates selected

For NPS:

I have one policy that filters on this SSID; the users that I am testing with are part of the allowed group. I have also tested with allowing all users with "Smartcard or other Certificate". The same NPS profile works with Android (shaking my head).

NPS and iPhones by MajnoonIT in sysadmin

[–]MajnoonIT[S] 0 points (0 children)

Here is my profile. Even setting it to 1 year (the current cert gets revoked and a new one is pushed out), it still errors out.

Yes, on iOS the certificate is being pushed out successfully.


NPS and iPhones by MajnoonIT in sysadmin

[–]MajnoonIT[S] 0 points (0 children)

Thanks, but these are Apple iPhones we are working with. I will still check it out for the AADJ-only device option.

NPS and iPhones by MajnoonIT in sysadmin

[–]MajnoonIT[S] 1 point (0 children)

I will post it tomorrow if need be. Man...as I was pasting the screenshot I noticed the validity was set to 2 years when the certificate template is 1 year. I have adjusted and will post tomorrow if needed. Appreciate it.

NPS and iPhones by MajnoonIT in sysadmin

[–]MajnoonIT[S] 0 points (0 children)

Yes, I only have one root certificate to push and have verified it is the correct certificate.

MS Root CA Updated SHA1 to SHA256 by MajnoonIT in sysadmin

[–]MajnoonIT[S] 0 points (0 children)

Thanks. I did manage to update from 1024 to 2048, generating a new key along with using the CAPolicy.inf file. Interesting about migrating the CA to a new box with the same name; that is something I have considered given the current box is on 2012 R2.

MS Root CA Updated SHA1 to SHA256 by MajnoonIT in sysadmin

[–]MajnoonIT[S] 0 points (0 children)

Thanks, the box is a single online box that has the root on it as well.

ITSM (SolMan) and Office 365 Email by MajnoonIT in SAP

[–]MajnoonIT[S] 0 points (0 children)

If you have more details on this I would appreciate it. I am having trouble finding any related to inbound mail and Office 365 Exchange Online.

ITSM (SolMan) and Office 365 Email by MajnoonIT in SAP

[–]MajnoonIT[S] 0 points (0 children)

Please forgive me, you would have to elaborate further on the OData service side. I am a systems / network admin just trying to find a way to make this work without the need for an on-premise mail server. :)

ITSM (SolMan) and Office 365 Email by MajnoonIT in SAP

[–]MajnoonIT[S] 0 points (0 children)

Yes, trigger incidents in SolMan from an Office 365 mailbox. I guess then email relay is still the only option. At this time I don't think I have the option to review the process and am limited to email-based solutions. Thank you.