Windows Phone 8.1 Enterprise Services and Certificates

Windows Phone 8.1 has some great enterprise features and is one of the most secure phones in the market.
However, there are some things to consider, if You want to use these devices in an MDM managed enterpise service (VPN/Wi-Fi) scenario.
One of these things are device certificates: Quite a few companies use several dedicated certificates to access enterprise services like VPN and Wi-Fi. This approach does not work with WP 8.1 phones, because they expect only a single device certificate per device and company root CA, not service specific ones.
Of course, you could roll-out a variety of different SCEP certificates via an MDM system, but the cert-picker on the phone will not automatically select the fitting certificate for a service, because it always chooses the first device cert from your company CA, it finds in the cert store!
This will naturally not always be the suiting one, which causes trouble accessing the service.

This behavior is by design and seems to be annoying at the first glance, but it is, if you think about it from an architectural perspective, much cleaner than the different certs for different services approach. A device certificate should only be used to authenticate the device and user against enterprise services, the related user / device rights should be stored in the directory services of your company.
Using this approach, rights management is much more transparent for administrators and not dependent on the possession of a certain service certificate. In addition, managing a single certificate is much less effort than multiple per device.

 

Alexander