
Skyhigh Security

Configure SCEP Certificate-Based VPN Authentication for iOS Devices

This topic helps you configure certificate-based VPN authentication for iOS devices using SCEP with Skyhigh Security Cloud and Microsoft Intune. It enables devices to automatically enroll for certificates and establish secure IKEv2 VPN connections without manual certificate distribution. This configuration strengthens device identity validation and ensures that only trusted, managed devices access corporate resources.

This configuration includes the following steps:

  • Create a Root Certificate Authority (Root CA) in Intune Cloud PKI
  • Upload the Root CA to Skyhigh Mobile Cloud Security
  • Create an Issuing Certificate Authority (Issuing CA) in Intune Cloud PKI
  • Deploy the Root CA, the Issuing CA, and the Skyhigh Customer Tenant CA as trusted certificates in Intune
  • Create a SCEP certificate profile
  • Create an IKEv2 VPN profile that uses certificate authentication

Prerequisites

Ensure that:

  • You have administrator access to the Skyhigh tenant.
  • You have administrator access to Microsoft Intune.
  • iOS/iPadOS devices are enrolled in Intune.
  • You have an enterprise Microsoft Intune subscription with the Cloud PKI add-on licensed (non-trial).
Create a Root Certificate Authority (Root CA)

The Root CA establishes the trust anchor for certificate issuance.

  1. Log in to the Microsoft Intune admin center. 
  2. Go to Tenant Administration > Cloud PKI.
  3. Click Create.
    The Create certification authority window opens.
  4. Under the Basics tab, enter a Name and Description.
  5. Click Next.
  6. Under the Configuration settings tab:
    1. CA type. Select Root CA.
    2. Validity Period. Select 5 Years. The Root CA must outlive the Issuing CA it signs (2 years in the next section).
    3. Extended Key Usage. Select the required values.
    4. Configure Subject Attributes as per your organization's standards.
    5. Under the Encryption section, set:
      1. Key Size. RSA 2048
      2. Algorithm. SHA 256

    Choose these deliberately: a CA certificate's key size and validity period are fixed once it is issued, and this Root CA is the trust anchor against which every device certificate in this design is validated.
  7. Click Next.
  8. Under the Scope tags tab, keep the scope setting as the default and click Next.
  9. Under the Review tab, review the configuration and click Create.
  10. Open the newly created Root CA and click Download to save the Root CA certificate. This file is uploaded to Skyhigh and to an Intune trusted certificate profile in the following sections.
Upload Root CA to Mobile Cloud Security

Skyhigh uses the uploaded CA to validate the certificates that mobile devices present and to identify the user from them.

  1. Go to Infrastructure > Web Gateway Setup > Skyhigh Mobile Cloud Security.
  2. Click Configure.
  3. Under the Upload CA certificates to identify mobile devices section:
    1. Upload the downloaded Root CA certificate.
    2. Select CN as the certificate field that identifies the user. This must match the SCEP profile created later, which issues certificates with the subject CN={{UserName}}.
  4. Click Save.
  5. Publish the policy.
Create an Issuing Certificate Authority (Issuing CA)

The Issuing CA signs and issues device certificates.

  1. Log in to the Microsoft Intune admin center.
  2. Go to Tenant Administration > Cloud PKI.
  3. Click Create.
    The Create certification authority window opens.
  4. Under the Basics tab, enter a Name and Description.
  5. Under the Configuration settings tab:
    1. CA Type. Select Issuing CA.
    2. Root CA Source. Select Intune.
    3. Root CA. Select the Root CA created in the previous section.
    4. Validity Period. Select 2 Years, so the Issuing CA expires before the 5-year Root CA that signs it.
    5. Extended Key Usage. Select Client Auth. The SCEP certificate profile created later requests the Client Authentication EKU, so it must be enabled on the Issuing CA.
  6. Configure Subject Attributes as per your organization's standards.
  7. Review and click Create.
  8. Open the Issuing CA.
  9. Click Properties.
  10. Copy the SCEP URI. It is pasted into the SCEP certificate profile later.
  11. Download the Issuing CA certificate.
Deploy Root CA as a Trusted Certificate in Intune

This ensures devices trust the Root CA.

  1. Go to Devices > iOS/iPadOS > Configuration > Create > New Policy.
    The Create a profile window opens.
  2. Under the Create a profile window:
    1. Platform. iOS/iPadOS
    2. Profile Type. Templates
    3. Template. Trusted Certificate
  3. Click Create.
    The Trusted certificate window opens.
  4. Under the Basics tab, enter a Name and Description. Note the name: the SCEP certificate profile references this profile as its Root Certificate.
  5. Under the Configuration settings tab, browse and upload the downloaded Root CA certificate.
  6. Click Next.
  7. Under the Scope tags tab, keep the scope setting as the default and click Next.
  8. Under the Assignments tab, assign the profile to the designated group and click Next.
  9. Under the Review + create tab, review the certificate configuration settings and click Create.
Deploy Issuing CA as Trusted Certificate in Intune

This ensures devices trust the Issuing CA.

Repeat the steps in Deploy Root CA as a Trusted Certificate in Intune (Platform iOS/iPadOS, Profile Type Templates, Template Trusted Certificate) with these differences:

  1. Under the Basics tab, enter a Name and Description that identify this as the Issuing CA profile.
  2. Under the Configuration settings tab, browse and upload the downloaded Issuing CA certificate, then click Next.
  3. Keep the default scope tags, assign the profile to the same designated group, review the certificate configuration settings, and click Create.
Deploy Customer Tenant CA from Skyhigh as Trusted Certificate in Intune

This ensures devices trust the Customer Tenant CA downloaded from your Skyhigh tenant.

Repeat the steps in Deploy Root CA as a Trusted Certificate in Intune (Platform iOS/iPadOS, Profile Type Templates, Template Trusted Certificate) with these differences:

  1. Under the Basics tab, enter a Name and Description that identify this as the Skyhigh Customer Tenant CA profile, and click Next.
  2. Under the Configuration settings tab, browse and upload the downloaded Customer Tenant CA certificate, then click Next.
  3. Keep the default scope tags, assign the profile to the same designated group, review the certificate configuration settings, and click Create.
Create a SCEP Certificate Profile

This profile enables automatic certificate enrollment on iOS devices. Each assigned device requests a user certificate from the Issuing CA over SCEP, and the VPN profile created in the next section uses that certificate to authenticate.

  1. Go to Devices > iOS/iPadOS > Configuration > Create > New Policy.
    The Create a profile window opens.
  2. Under the Create a profile window:
    1. Platform. iOS/iPadOS
    2. Profile Type. Templates
    3. Template. SCEP Certificate
  3. Click Create.
    The SCEP certificate window opens.
  4. Under the Basics tab, enter a Name and Description.
  5. Under the Configuration settings tab:
    1. Certificate type. User
    2. Subject name format. CN={{UserName}}
    3. Subject alternative name. DNS = {{UserName}}
    4. Key usage. Digital signature and Key encipherment
    5. Key Size. 2048

    The subject CN is the identity Skyhigh maps to the user (see Upload Root CA to Mobile Cloud Security) and the value the VPN profile sends as its Local Identifier, so do not change the subject name format without updating both.
  6. Root Certificate. Select the trusted certificate profile created in Deploy Root CA as a Trusted Certificate in Intune.
  7. Extended Key Usage. Add Client Authentication (OID 1.3.6.1.5.5.7.3.2). This EKU must also be enabled on the Issuing CA.
  8. SCEP Server URLs. Paste the SCEP URI copied from the Create an Issuing Certificate Authority (Issuing CA) section.
  9. Under the Scope tags tab, keep the scope setting as the default and click Next.
  10. Under the Assignments tab, assign the profile to the designated group and click Next.
  11. Under the Review + create tab, review the certificate configuration settings and click Create.
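The chain and certificate attributes configured in the preceding sections can be checked offline before anything is assigned to devices, and the same check applies to a certificate an enrolled device later receives. The following script is an added example and is not part of the Skyhigh or Microsoft documentation. It builds a throw-away Root CA, Issuing CA and user certificate with the parameters set above (RSA 2048, SHA-256, 5-year Root CA, 2-year Issuing CA with the Client Authentication EKU, user certificate with CN={{UserName}}, SAN DNS={{UserName}}, Digital signature and Key encipherment, Client Authentication EKU) and then validates the user certificate the way the gateway will rely on it: a chain to the Root CA with the Issuing CA as an untrusted intermediate, a client-authentication purpose check, both key usages, and the subject CN that Skyhigh maps to the user. The CA names, the user name jdoe and the one-year user certificate validity are constructed assumptions; the script requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the Skyhigh or Microsoft documentation.
# Builds a constructed Root CA -> Issuing CA -> user certificate chain with the
# parameters this guide sets in Intune Cloud PKI and the SCEP profile, then
# runs the check a practitioner should apply to an issued certificate.
# Assumes OpenSSL 1.1.1 or later on PATH. Names and the user "jdoe" are
# constructed sample values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
USER_NAME="jdoe"

# Root CA: RSA 2048, SHA-256, 5 years, self-signed (the trust anchor).
openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=Contoso Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
openssl x509 -req -sha256 -days 1826 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null

# Issuing CA: signed by the Root, 2 years, Client Authentication EKU as in the guide.
openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=Contoso Issuing CA" \
  -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nextendedKeyUsage=clientAuth\n' > "$WORK/issuing.ext"
openssl x509 -req -sha256 -days 730 -in "$WORK/issuing.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/issuing.ext" -out "$WORK/issuing.crt" 2>/dev/null

# issue_user_cert NAME EKU STEM: writes STEM.crt shaped like the SCEP profile
# requests it (CN=NAME, SAN DNS=NAME, Digital signature + Key encipherment,
# RSA 2048). EKU is a parameter so a wrong one can be demonstrated.
# One-year validity is an assumption; the guide does not state the leaf lifetime.
issue_user_cert() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$1" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$1" "$2" > "$3.ext"
  openssl x509 -req -sha256 -days 365 -in "$3.csr" -CA "$WORK/issuing.crt" \
    -CAkey "$WORK/issuing.key" -CAcreateserial -extfile "$3.ext" -out "$3.crt" 2>/dev/null
}
issue_user_cert "$USER_NAME" clientAuth "$WORK/user"
issue_user_cert "$USER_NAME" serverAuth "$WORK/wrong-eku"   # deliberately wrong EKU

# check_user_cert ROOT ISSUING LEAF
# Prints the subject CN that Skyhigh maps to the user and returns 0 only when
# LEAF chains to ROOT through ISSUING (the Issuing CA is not trusted on its
# own), passes the client-authentication purpose check, and carries both
# key usages. Return codes: 1 chain/purpose, 2 EKU, 3 key usage.
check_user_cert() {
  openssl verify -CAfile "$1" -untrusted "$2" -purpose sslclient "$3" >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -noout -ext extendedKeyUsage | grep -q 'TLS Web Client Authentication' || return 2
  ku="$(openssl x509 -in "$3" -noout -ext keyUsage)"
  echo "$ku" | grep -q 'Digital Signature' || return 3
  echo "$ku" | grep -q 'Key Encipherment' || return 3
  openssl x509 -in "$3" -noout -subject -nameopt RFC2253 | sed -n 's/^subject=CN=\([^,]*\).*/\1/p'
}

# Correctly issued certificate: prints the CN (jdoe) and succeeds.
check_user_cert "$WORK/root.crt" "$WORK/issuing.crt" "$WORK/user.crt"
# Same chain, serverAuth-only EKU: verify -purpose sslclient rejects it.
if check_user_cert "$WORK/root.crt" "$WORK/issuing.crt" "$WORK/wrong-eku.crt"; then
  echo "unexpected: serverAuth-only certificate accepted" >&2
  exit 1
fi
```

To check a real deployment, call check_user_cert with the downloaded Root CA and Issuing CA files and a certificate exported from an enrolled device; the return code tells you which condition failed, and the printed CN should be exactly the value Skyhigh is configured to treat as the user.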
Create an IKEv2 VPN Profile Using Certificate Authentication

This profile establishes secure VPN connectivity using the issued certificate.

  1. Go to Devices > iOS/iPadOS > Configuration > Create > New Policy.
    The Create a profile window opens.
  2. Under the Create a profile window:
    1. Platform. iOS/iPadOS
    2. Profile Type. Templates
    3. Template. VPN
  3. Click Create.
    The VPN window opens.
  4. Under the Basics tab, enter a Name and Description and click Next.
  5. Under the Configuration settings tab:
    1. Basic VPN section:
      1. Connection Type. IKEv2
      2. Connection Name. Enter a name.
      3. Server Address. mobile.skyhigh.cloud or pa-mobile.skyhigh.cloud. If you use pa-mobile.skyhigh.cloud, Always On VPN must be disabled.
    2. IKEv2 settings:
      1. Always On VPN. Enable only if required. This setting is optional, works only on supervised devices, and must stay disabled when the server address is pa-mobile.skyhigh.cloud.
      2. Configure Identifiers:
        1. Remote Identifier: mobile.skyhigh.cloud
        2. Local Identifier: Subject Common Name (the CN={{UserName}} value issued through the SCEP profile, which is also the identity Skyhigh maps to the user)
      3. Configure Authentication:
        1. Client Authentication Type: User
        2. Authentication Method: Certificates
        3. Select the SCEP certificate profile created in the Create a SCEP Certificate Profile section.
      4. Configure Security Settings:
        1. TLS Minimum Version: 1.2
        2. TLS Maximum Version: 1.2
        3. Diffie-Hellman Group: 14 (2048-bit MODP)
  6. Under the Scope tags tab, keep the scope setting as the default and click Next.
  7. Under the Assignments tab, assign the profile to the designated group and click Next.
  8. Under the Review + create tab, review the VPN configuration settings and click Create.


After you deploy the policies, devices automatically enroll for certificates using SCEP and receive the trusted root and issuing CA certificates. The VPN profile authenticates users with certificate-based authentication and establishes secure connectivity to mobile.skyhigh.cloud. This configuration ensures that only trusted and enrolled devices establish VPN tunnels and access corporate resources.