Creating Intune profiles for Android in Azure

Create the following profiles for enrolling Android devices with Intune.

  • A root CA profile

  • An issuing CA profile

  • A SCEP profile

To create an Android profile for Intune

  1. Log into endpoint.microsoft.com as a user with administrative privileges.

  2. Go to Devices > Android.

    images/download/attachments/194850573/image-2024-8-29_13-42-45-version-1-modificationdate-1724931765997-api-v2.png
  3. Select Manage devices > Configuration and click Create.

    images/download/attachments/194850573/image-2024-8-29_13-43-55-version-1-modificationdate-1724931835585-api-v2.png
  4. In the Create a profile dialog, configure the settings described in the following sections.

Create a profile

In the Create a profile dialog, select the following fields for each Android profile.

Setting

Root CA profile

Issuing CA profile

SCEP profile

​Platform

Android Enterprise

Android Enterprise

Android Enterprise

Profile type

Trusted certificate

Trusted certificate

SCEP certificate

Basics

In the Name field of the Basics page, type the name of the profile – for example:

  • ABC Root

  • ABC Issuing

  • ABC Digital Signature SCEP Cert

Optionally, add a description of the profile purpose.

images/download/attachments/194850541/MSEndpoint_Trusted_certificate-version-1-modificationdate-1677664690895-api-v2.png

Configuration settings

When creating root or issuing CA profiles, configure the following settings on the Configuration settings page.

Setting

Root CA profile

Issuing CA profile

​Certificate file

The root Certification Authority certificate

The issuing Certification Authority certificate

See Downloading a CA certificate to download CA certificates.

When creating a SCEP profile for Android, configure the following settings on the Configuration settings page.

Setting

Value

Certificate type

Select User.

Subject name format

The syntax of the certificate subject names. This field supports the variables described in https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep

Subject alternative name

The value of each attribute in the certificate subject alternative name. Optional.

Certificate validity period

The validity period of the certificates.

Key usage

The key usage of the enrolled certificates.

Key size (bits)

Select 2048 or 4096 (Entrust PKIaaS does not support key sizes below 2048).

Hash algorithm

Select SHA-2.

Root certificate

Select the root CA profile

Extended key usage

Select Client Authentication.

SCEP Server URLs

Paste one of the URLs obtained when Getting the Intune Service URL.

Assignments

On the Assignments page, select the user group of the Intune-enrolled devices.
images/download/attachments/194850530/image-2023-2-28_15-48-48-version-1-modificationdate-1677664690524-api-v2.png

Review and create

On the Review + create page, check the settings of the new profile and click Create to confirm the profile creation.