
Trusted Endpoints - Microsoft Intune Managed Endpoint Device Deployment

Last Updated: October 9th, 2020

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices. This guide walks you through Intune configuration for Android and iOS mobile devices.

Prerequisites

Create the Intune Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate Intune in the listed integrations and click the Select this integration link to the right.

The new Intune integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser while you access the Azure portal in a new window or tab. You'll need to return to the Intune management integration page to complete the configuration steps.

Azure Configuration

Perform these Azure app registration steps prior to the specific Android, iOS, or Windows configuration steps. You only need to register one Azure app for Duo to use with all three client operating systems. These instructions create a single-tenant application where the application is intended to run within only one organization.

Create Azure Active Directory Application

  1. Log in to the Microsoft Azure Administrator console as an Azure AD administrator with the "Global Administrator" role.

  2. Click Azure Active Directory and then click on the Azure Active Directory domain.

  3. Click on App registrations in the "Manage" section of your Azure domain's blade.

  4. Click New registration.

  5. Enter a descriptive name for the application and select Accounts in this organizational directory only under "Supported account types".

  6. Click Register. You'll be sent to the details page for the new app registration.

  7. On the newly-created application's page, click API Permissions in the "Manage" section, and then click Add a Permission.

  8. On the "Request API Permissions" page, select Intune from the available Microsoft APIs, and then select Application Permissions.

  9. Select the scep_challenge_provider (SCEP challenge validation) Intune permission and then click Add Permissions. You can type in the permission name to filter the list of available permissions.

  10. Click Add a Permission again, and this time select Microsoft Graph from the available Microsoft APIs, and then select Application Permissions.

  11. Select the following Microsoft Graph permissions:

    • DeviceManagementManagedDevices.Read.All
    • Directory.Read.All
    • User.Read.All

    Click Add Permissions after selecting all three Graph permissions.

  12. Back on the API permissions page you should see the full list of API permissions you selected. Click the Grant admin consent for button, and when asked if you want to grant consent for all accounts in your Azure domain click Yes.

Assign the Application to a Role

  1. In the Azure portal, navigate to Subscriptions.

  2. Select your Azure subscription and click Access Control (IAM).

  3. Click the Role assignments tab, and then click Add > Add role assignment.

  4. Make the following selections:

    • Role: select Contributor.
    • Assign access to: select Azure AD user, group or service principal.
    • Select: select the Duo app registration created in the previous section.

    Click Save.

Create an Application Secret

  1. In the Azure portal, return to Azure Active Directory and then click on the Azure Active Directory domain.

  2. Click on App registrations in the "Manage" section of your Azure domain's blade and select the Duo app registration you created earlier.

  3. Click Certificates & secrets in the "Manage" section.

  4. Under "Client secrets" click New client secret. Enter a Description, then under "Expires" select Never, and click Add. The secret's value is not shown until you add it.

  5. The new secret's value is shown after you save. Copy the secret VALUE for use in the next configuration section's steps.

    This is your only chance to view the secret value! If you leave this area of the Azure portal before entering the secret into the Intune management integration configuration in the Duo Admin Panel, you can't view the same secret's value again and you'll have to create a new one.

Register Azure Application with Duo

  1. Return to your Intune management integration page in the Duo Admin Panel. Click on the tab for whichever client platform you'd like to configure: Android, iOS, or Windows.

  2. Copy the Azure application client secret value that you just generated in the previous configuration section, and paste the copied secret as the Azure Secret value in step 4 on your Intune management integration's config page in the Duo Admin Panel.

  3. Click Overview on the Duo Azure app registration's page. You'll see the Application (client) ID and Directory (tenant) ID listed at the top of the page.

  4. Copy the Application (client) ID value from Azure and paste it as the Azure Application ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.

  5. Copy the Directory (tenant) ID value from Azure and paste it as the Azure Directory ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.

  6. Click Save & Configure on the Duo Intune management integration page.
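Before enabling the integration, it is worth confirming that the app registration actually carries the application permissions granted above, because a missing admin consent shows up only later as failed device verification. The following Python script is an added example (not Duo's or Microsoft's code): it decodes an access token issued to the app registration and reports which of the required application roles are absent from its roles claim. The sample tokens are constructed inline for offline use; the Microsoft Graph audience values are the documented ones, the Intune audience string is a placeholder, and all helper names are this example's own.

```python
from __future__ import annotations

import base64
import json

# Application permissions the Azure procedure above grants on Microsoft Graph.
REQUIRED_GRAPH_ROLES = {
    "DeviceManagementManagedDevices.Read.All",
    "Directory.Read.All",
    "User.Read.All",
}
# The Intune permission granted in the same procedure. Azure AD issues it in a
# token whose audience is the Intune API, so it never appears in a Graph token.
REQUIRED_INTUNE_ROLES = {"scep_challenge_provider"}

# Audience values Azure AD uses for Microsoft Graph access tokens.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this is for inspecting a token you just
    obtained from Azure AD yourself, not for deciding whether to trust one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token: str, required: set[str]) -> set[str]:
    """Return the required application roles absent from the token's 'roles' claim.

    Azure AD omits the 'roles' claim entirely when no application permission has
    been admin-consented, so an empty result here usually means the
    "Grant admin consent" step was skipped.
    """
    granted = set(decode_claims(token).get("roles", []))
    return required - granted


def check_app_token(token: str) -> dict:
    """Choose the required role set from the token audience and report what is missing."""
    claims = decode_claims(token)
    aud = claims.get("aud", "")
    # Assumption for this example: any non-Graph audience is the Intune API token.
    required = REQUIRED_GRAPH_ROLES if aud in GRAPH_AUDIENCES else REQUIRED_INTUNE_ROLES
    return {"aud": aud, "missing": required - set(claims.get("roles", []))}


# --- Constructed sample tokens (not real Azure AD output) -------------------
def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature for offline testing."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


GOOD_GRAPH_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client ID
    "roles": sorted(REQUIRED_GRAPH_ROLES),
})
# Same registration with Directory.Read.All never consented.
PARTIAL_GRAPH_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["DeviceManagementManagedDevices.Read.All", "User.Read.All"],
})
# Intune API token with no roles claim at all (consent never granted); placeholder audience.
NO_CONSENT_INTUNE_TOKEN = make_unsigned_token({"aud": "INTUNE_API_AUDIENCE_PLACEHOLDER"})

if __name__ == "__main__":
    samples = [("good", GOOD_GRAPH_TOKEN), ("partial", PARTIAL_GRAPH_TOKEN),
               ("intune-no-consent", NO_CONSENT_INTUNE_TOKEN)]
    for name, tok in samples:
        result = check_app_token(tok)
        status = "OK" if not result["missing"] else f"MISSING {sorted(result['missing'])}"
        print(f"{name:18} aud={result['aud']:<36} {status}")
```

To check a real registration, request a token with the client-credentials grant (POST to `https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token` with `grant_type=client_credentials`, the Application (client) ID, the client secret from the previous section, and `scope=https://graph.microsoft.com/.default`) and pass the returned `access_token` to `check_app_token`. Treat that token and the secret as credentials: inspect them locally and do not paste them into shared tooling.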

Android Configuration

Use the following instructions to complete setup on the Android tab of your Duo Intune management integration.

Setup Managed Google Play

  1. In the Azure Portal, navigate to Intune > Device Enrollment > Android Enrollment.

  2. Select Managed Google Play in the "Prerequisites" section to connect to your organization's Google Play account.

  3. Grant Microsoft permission to send user/device information to Google, and click the Launch Google to connect now button to access Google.

  4. Sign in to Google using the account you use to manage and publish apps in Google Play and complete linking your managed Google Play account to Intune.

Approve Duo in the Managed Google Play Store

  1. In the Azure Portal, navigate to Intune > Client Apps > Managed Google Play.

  2. Click the Open the Managed Google Play Store link.

  3. Search the Google Play Store for Duo Mobile and click the Duo Mobile app icon to select it from the search results.

  4. Click the Approve button on the Duo Mobile app page, and click Approve again after reviewing the requested app permissions.

  5. When asked "how to handle new app permission requests", select Keep approved when app requests new permissions and then click Done.

  6. After you've approved the Duo Mobile app in the Play store, return to the Intune Managed Google Play page and click the Sync button.

Configure Managed Duo Mobile

  1. In the Azure Portal, navigate to Intune > Client apps > App configuration policies.

  2. Click the Add button and select Managed devices.

  3. Enter the following information on the "Create app configuration policy" page's "Basics" tab:

    • Name: enter a descriptive name.
    • Description: enter additional information about this new policy, if desired.
    • Device Enrollment Type: select Managed Devices.
    • Platform: select Android Enterprise.
    • Profile: select Work Profile only.

  4. Click the Select app link next to "Targeted app".

  5. In the "Associated App" search, find and choose Duo Mobile. Click OK to return to the "Basics" tab, and then click Next.

  6. On the "Settings" tab, under "Configuration settings format", choose Use configuration designer.

  7. Click + Add and select Trusted Endpoint Identifier and Trusted Endpoints Configuration Key. The Trusted Endpoint Identifier should have value type "Variable" and Trusted Endpoints Configuration Key should have value type "String".

  8. Return to your Intune management integration page in the Duo Admin Panel and copy the information for these fields from Duo and paste into the corresponding configuration value fields in the Azure configuration designer:

    • Trusted Endpoint Identifier
    • Trusted Endpoints Configuration Key

    Click Next after entering the information for those two configuration settings.

  9. On the "Assignment" tab, choose the Azure group to which you would like to push Duo Mobile. We recommend starting with a test group. Click Next after selecting your target groups.

  10. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

Assign Duo Mobile to Android Phones

  1. In the Azure Portal, navigate to Intune > Client Apps > Apps.

  2. Select the Duo Mobile app with type "Android Store App".

  3. Select Assignments and then click Add Group.

  4. Make the following selections:

    • Assignment Type: choose Required.
    • Group: choose the Azure group to which you would like to push Duo Mobile. We recommend starting with a test group.

  5. Click OK and then click Save.

Duo Mobile should now be available to download from the Intune Work Profile App Store on Android devices.

Enable Intune for Android

Click to enable this Intune for Android configuration. Once activated, Duo will start reporting trusted status for your Android endpoints.

iOS Configuration

Use the following instructions to complete setup on the iOS tab of your Duo Intune management integration.

Create the Duo Root Certificate Profile

  1. Download the Duo Endpoint Root Certificate from the iOS tab of the Intune management integration page in the Duo Admin Panel.

  2. In the Azure portal, navigate to Intune > Device Configuration > Profiles.

  3. Click Create profile and make these selections on the "Create a profile" blade:

    • Platform: select iOS/iPadOS
    • Profile: select Trusted Certificate.

    Click Create.

  4. Enter this information in the "Trusted Certificate" profile editor:

    • Name: provide a name for the Duo Trusted Root Certificate profile.
    • Description: optionally add a description.

    Click Next.

  5. Upload the Duo Endpoint Root Certificate you downloaded earlier and click Next, and then click Next again without adding any scope tags.

  6. On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices. Click Next.

  7. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

Create the SCEP Certificate Profile

  1. In the Azure Portal, navigate to Intune > Device Configuration > Profiles.

  2. Click Create profile and make these selections on the "Create a profile" blade:

    • Platform: select iOS/iPadOS
    • Profile: select SCEP Certificate.

    Click Create.

  3. Enter this information in the "SCEP Certificate" profile editor:

    • Name: provide a name for the Duo SCEP Certificate profile.
    • Description: optionally add a description.

    Click Next.

  4. On the "Configuration settings" tab, enter the following values:

    • Certificate Type: select User.
    • Subject Name Format: select Common Name.
    • Subject Alternative Name: select both Email Address and User Principal Name.
    • Certificate Validity Period: select Years and enter 1.
    • Key Usage: select Digital Signature.
    • Key Size (bits): select 2048.
    • Root Certificate: Click the + Root certificate link, select the Duo Root Certificate Profile you created in the previous config section, and click OK to make the certificate selection.
    • Extended Key Usage: click the drop-down arrow under Predefined values and select Client Authentication (1.3.6.1.5.5.7.3.2) from the list. The "Name" and "Object Identifier" values will be automatically filled.
    • Renewal Threshold: enter 20.
    • SCEP Server URL: Paste in the SCEP Server URL from the "Create the SCEP Certificate Profile" section of the iOS configuration tab on the Intune management integration page in the Duo Admin Panel.

    Click Next, and then click Next again without adding any scope tags.

  5. On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices, in the same way you deploy device profiles for other purposes. When making your assignment selections, consider the following:

    • The SCEP certificate profile installs only on devices that run the platform you specified when you created the certificate profile, in this case iOS and iPadOS.
    • You can assign certificate profiles to user collections or to device collections.
    • To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group rather than to a device group. If you assign to a device group, a full device registration is required before the device receives policies.

    Click Next after selecting the policy assignment targets.

  6. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

Enable Intune for iOS

Click to enable this Intune for iOS configuration. Once activated, Duo will start reporting trusted status for your iOS endpoints.

Windows Configuration

Create the Duo Root Certificate Profile

  1. Download the Duo Endpoint Root Certificate from the Windows tab of the Intune management integration page in the Duo Admin Panel.

  2. In the Azure portal, navigate to Intune > Device Configuration > Profiles.

  3. Click Create profile and make these selections on the "Create a profile" blade:

    • Platform: select Windows 8.1 and later
    • Profile: select Trusted Certificate.

    Click Create.

  4. Enter this information in the "Trusted Certificate" profile editor:

    • Name: provide a name for the Duo Trusted Root Certificate profile.
    • Description: optionally add a description.

    Click Next.

  5. Upload the Duo Endpoint Root Certificate you downloaded earlier, leave the "Destination Store" set to Computer certificate store - Root, and click Next, and then click Next again without adding any scope tags.

  6. On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices. Click Next.

  7. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

Create the SCEP Certificate Profile

  1. In the Azure Portal, navigate to Intune > Device Configuration > Profiles.

  2. Click Create profile and make these selections on the "Create a profile" blade:

    • Platform: select Windows 8.1 and later
    • Profile: select SCEP Certificate.

    Click Create.

  3. Enter this information in the "SCEP Certificate" profile editor:

    • Name: provide a name for the Duo SCEP Certificate profile.
    • Description: optionally add a description.

    Click Next.

  4. On the "Configuration settings" tab, enter the following values:

    • Certificate Type: select User.
    • Subject Name Format: select Common Name.
    • Subject Alternative Name: select both Email Address and User Principal Name.
    • Certificate Validity Period: select Years and enter 1.
    • Key Storage Provider (KSP): select Enroll to Software KSP.
    • Key Usage: select Digital Signature.
    • Key Size (bits): select 2048.
    • Hash algorithm: select SHA-2.
    • Root Certificate: Click the + Root certificate link, select the Duo Root Certificate Profile you created in the previous config section, and click OK to make the certificate selection.
    • Extended Key Usage: click the drop-down arrow under Predefined values and select Client Authentication (1.3.6.1.5.5.7.3.2) from the list. The "Name" and "Object Identifier" values will be automatically filled.
    • Renewal Threshold: enter 20.
    • SCEP Server URL: Paste in the SCEP Server URL from the "Create the SCEP Certificate Profile" section of the Windows configuration tab on the Intune management integration page in the Duo Admin Panel.

    Click Next, and then click Next again without adding any scope tags.

  5. On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices, in the same way you deploy device profiles for other purposes. When making your assignment selections, consider the following:

    • The SCEP certificate profile installs only on devices that run the platform you specified when you created the certificate profile, in this case Windows 8.1 and later.
    • You can assign certificate profiles to user collections or to device collections.
    • To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group rather than to a device group. If you assign to a device group, a full device registration is required before the device receives policies.

    Click Next after selecting the policy assignment targets.

  6. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

Upload the PowerShell Script to Update Registry Settings

The PowerShell script configures automatic selection of the Duo certificate by Internet Explorer, and by Edge Chromium and Chrome as long as those browsers are installed on the client before the script runs. If Chrome or Edge Chromium is installed on a client afterwards, make sure the PowerShell script runs on that client again after the installation so that automatic Duo certificate selection is configured for the new browser.

  1. Download the Duo PowerShell Script from the Windows tab of the Intune management integration page in the Duo Admin Panel.

  2. In the Azure Portal, navigate to Intune > Device Configuration > Scripts and click Add.

  3. Enter a Name for the script and a Description, if desired. Click Next.

  4. Enter the following information on the "Script settings" page:

    • Script Location: upload the Duo PowerShell script you downloaded from the Duo Admin Panel.
    • Run this script using the logged on credentials: select No.
    • Enforce script signature check: select No.
    • Run script in 64 bit PowerShell Host: select No.

    Click Next.

  5. On the "Assignments" tab, assign the script to your desired Azure users, that is, the users receiving a Trusted Endpoints configuration from Intune. Click Next.

  6. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

Enable Intune for Windows

Click to enable this Intune for Windows configuration. Once activated, Duo will start reporting trusted status for your Windows endpoints.

Verify Your Setup

Users on Android devices see a prompt to "check your permissions" when authenticating to a protected resource via the Duo Prompt.

Android Trusted Endpoint Verification - Step 1

Duo uses the API access you granted in Intune to verify device information. Duo Mobile must be installed and activated for Duo Push.

Android Trusted Endpoint Verification - Step 2

If Duo successfully verifies the device information using the Intune API access, then the user receives access to the protected application.

Android Trusted Endpoint Verification Failed

iOS and Windows users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

Expanding to Additional Client Platforms

You only need to perform the Azure app registration and configuration in Duo once. The same Azure app is used for Android, iOS, and Windows Intune clients. After completing the full setup for one client platform in Duo, you need only complete the OS-specific setup steps for additional client operating systems.

Removing the Intune Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Intune integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Intune.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.