>
    Strata Copilot
    User Authentication for iOS on Microsoft Intune
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Apps
    5. Deploy the GlobalProtect App on Mobile Devices
    6. Manage the GlobalProtect App Using Microsoft Intune
    7. Configure Microsoft Intune for iOS Endpoints
    8. User Authentication for iOS on Microsoft Intune
    Download PDF
    GlobalProtect

    User Authentication for iOS on Microsoft Intune

    Table of Contents

    User Authentication for iOS on Microsoft Intune

    The chapter provides information about user authentication for iOS on Microsoft Intune.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    GlobalProtect™ with Microsoft Intune supports certificate-based (SCEP only) and SAML authentication. If you are using SAML authentication, you can skip to the next step, Configure GlobalProtect Settings on iOS Devices via Microsoft Intune.
    SAML authentication isn’t supported for the Always-On connect method.
    If you want to use certificate-based authentication, create a SCEP certificate profile by following the steps below.
    1. On the Microsoft Intune admin center, navigate to DevicesiOS/iPadOS devicesConfiguration.
    2. Click CreateNew Policy.
    3. Set the Profile type to Templates and select SCEP Certificate as the template name.
    4. Click Create.
    5. Enter a name and description and click Next.
    6. In the Configuration settings tab, select a type depending on how you plan to use the certificate profile:
      • User: User certificates can contain both user and device attributes in the subject and SAN of the certificate.
      • Device: Device certificates can only contain device attributes in the subject and SAN of the certificate.
    7. Enter Subject alternative name attributes and values for the profile. You can enter more than one subject alternative name. The text value can contain variables and static text for the attributes.
    8. Enter the Certificate validity period. Intune supports a validity period of up to 24 months.
    9. Select key usage options for the certificate:
      • Digital signature: Allow key exchange only when a digital signature helps protect the key.
      • Key encipherment: Allow key exchange only when the key is encrypted.
    10. Select the number of bits contained in the key.
    11. Select the trusted Root Certificate profile you previously configured and assigned to applicable users and devices for this SCEP certificate profile. The trusted certificate profile is used to provision users and devices with the Trusted Root CA certificate.
    12. Add Extended key usage values for the certificate's intended purpose.
    13. Click Next.
    14. Add user assignments and click Next.
    15. Review the certificate details and click Create.

    © 2026 Palo Alto Networks, Inc. All rights reserved.