Awhile back, I wrote about Delivering a Full Cloud Workspace ONE environment. I would expand on that idea to add in Azure AD Join to account for the large shift to modern management and using Workspace ONE to manage PCs. At our company, we decided to launch the passwordless evolution. Can that be done without on-premise infrastructure? How can this happen and not have a trash user experience? Read on and find out how we make the impossible POSSIBLE!

How we Started to Bring Zero Trust to Workspace ONE

The key thing to know with Zero Trust in Workspace ONE is that it is based off the UUID of a device.

Let’s look at an example of the Mobile SSO certificate that Workspace ONE generates for you:

So, the reason why the “Device Compliance” capability in Workspace ONE works is it will use that UDID to check the compliance state in Workspace ONE Access via the Device Compliance/Workspace ONE integration inside of Workspace ONE Access:

Simply, the UDID is what makes this all work. This also means to deliver true zero trust you must use authentication methods that support this, such as Certificate Authentication and Mobile SSO. Thus for all of my managed PCs, it means we must MOVE to CERTIFICATES!!!

Why is Moving to Certificates a Challenge For a Full Workspace ONE Cloud?

Azure AD Domain Services is a really great and underrated product, but it does not offer any sort of enterprise-grade certificate solution. Essentially, I would need to request individual certificate and execute some sort of ridiculous copy or other nonsense from Workspace ONE onto their PCs a.k.a. no bueno. I did look at that quite a bit to see if I could craft a solution, but it’s a non-starter.

You will notice the issue below (No Templates!)

No templates means no integration with Workspace ONE, which is basically an epic fail, but that’s okay. So now the question is: “Where do we go from here?”

I looked at several solutions, and landed on one that would be absolutely perfect for Workspace ONE: SCEPman

SCEPman: A New Friend for My Workspace ONE Cloud

Let’s start by talking about what exactly SCEPman is. There is a nice little company called glueckkanja-gab, who is a Microsoft Gold partner in Germany. Their idea was pretty simple. Intune devices are in the cloud so why aren’t the identities in the cloud also? You can see below from their infrastructure setup that it’s not too complicated.

Essentially SCEPman is an Azure Web App that has a user interface that provides certificates signed by a root CA key that is stored in Azure Key Vault. Additionally, SCEPman has an OCSP responder that can validate certificates in real-time. Provided the device or user lives in Azure AD and is enabled.

You can actually use SCEPman also for Radius-as-a-Service, but that isn’t the point of what we are doing here. You can read more about that here if you’re interested.

How SCEPman Issues and Validates Certificates

SCEPman issues certificates pretty easily. You integrate your system whether that is Intune or a 3rd party MDM as a SCEP server. It sends the SCEP request over and you supply a template and after through the validation as you can see below a certificate is delivered to the device.

One of the issues when you use something like Workspace ONE is you have to use a challenge password for integration. We address this by forcing Workspace ONE to act as a SCEP Proxy aka client so that the SCEP challenge password is never available on a client device”

Then you have the certificate validation, which is pretty straight-forward. Your service like Workspace ONE Access will use SCEPman to perform OCSP validation as you can see below to ensure the certificate and user are truly valid:

Deploying SCEPman to Azure

We start our deployment by first building the App Registration similar to most things that live in Azure so it can tie into the Graph API/Intune:

From here, we will do the actual SCEPMan Deployment. As you will see in the deployment, SCEPman isn’t too difficult to deploy. If you go through their documentation, you have a variety of ways you can deploy SCEPman to achieve your desired result. Enjoy the video:

Setting up Workspace ONE for SCEPman

In the video below, we will be covering a basic setup for SCEPman and Workspace ONE, but we will cover some additional capabilities specific to Zero Trust shortly so don’t get too tied to some of the stuff we did here. This will give you the basics on getting started:

Locking Down SCEPman to Workspace ONE IP Addresses

This part of the article lends much better to text, so I’ll explain how we properly lock things down.

First, you will install the Azure CLI from here.

Once Installed, you can enforce your app restrictions with a basic CSV import. This CSV contains all of the US IPs for Workspace ONE:

You just need to run a little bit of code to make the magic happen after you install the Azure CLI:

az login (This will open a window to authenticate you to Azure CLI)

##Import CSV of WS1 IPs to Azure##
import-csv 'C:\users\jjtowles\Downloads\AppServiceList2.csv' | ForEach-Object {az webapp config access-restriction add --resource-group Synterex --name synterexca --action Allow --ip-address $_.ipaddress --priority $_.priority}  

You may also want to import the IPs for Access/Hub Services, but my testing showed that it isn’t needed at this point. Now, we can move onto the Zero Trust fun.

Implementing Zero Trust for Certificate-Based Authentication on Workspace ONE

We have 2 main tasks we need to do for Zero Trust: (1) update the certificate template and (2) update the policy in Workspace ONE Access.

The template update is simple. You just add a SAN for DNS Name with UDID={DeviceUid} and redeploy your certificates:

The second task entails adding “Device Compliance” to your Authentication Policies:

You should Windows Health Attestation in Workspace ONE UEM to decide what items you want to make a PC non-compliant. I’ve found in many environments you need to craft something that specifically meets your needs, depending on the landscape:

In Closing

My main theme of this article is appreciation for the ingenuity of the cloud age. In years past, we never would have been able to deploy a cloud CA. With the constant evolution, we can deliver more dynamic technology and deliver zero trust to a small or medium business. We are actually taking this one step farther with leveraging Okta for Passwordless authentication via Okta FastPass for unmanaged devices.

We evolve and learn constantly about what works and doesn’t work. This article is a great example of how you can evolve and grow an idea into something even better. I hope you enjoyed this article and look for me at EUC Day 2022 in February where I discuss it in more detail.