Merge pull request #291 from smallstep/carl/intune-jamf-flow

Update Intune tutorial to fix UX gap
smallstep · Dec 12, 2023 · 798a13e · 798a13e
2 parents b269447 + 2c4af9e
commit 798a13e
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 5 deletions.
diff --git a/tutorials/apple-mdm-jamf-setup-guide.mdx b/tutorials/apple-mdm-jamf-setup-guide.mdx
@@ -52,7 +52,7 @@ In this section, we will set up an MDM profile that instructs devices to establi
 
 Smallstep will provide the following values, which you’ll need later:
 
-- A Jamf webhook URL, username and password to be used when configuring your Jamf webhook.
+- A Jamf webhook URL, username and password to be used when configuring your Jamf webhook
 - Your root CA certificate, for configuring the `Certificate` payload
 - Your SCEP CA URL, for configuring the `SCEP` payload
 - Your intermediate CA fingerprint, for configuring the `SCEP` payload
@@ -193,6 +193,18 @@ For this section, you will need a RADIUS server that your users will authenticat
 
 6. Under the Certificate Common Name, use the Common Name of your RADIUS server.
 
+## Changing Production Profiles
+
+As you plan changes to your configuration profile, it is recommended to stage your changes.
+Here's one approach:
+- Clone your production profile in Jamf
+- Exclude your test computer or device from your production profile
+- Add your test computer or device to the cloned profile
+- Make and test changes to the cloned profile
+- Apply your changes back to the production profile
+- Re-add your test device to the production profile scope
+- Finally, remove the cloned profile
+
 ### Troubleshooting
 
 - Check the expected certificates have been deployed to the right stores on macOS: user vs. device; trusted roots; personal certificates.

diff --git a/tutorials/intune-mdm-setup-guide.mdx b/tutorials/intune-mdm-setup-guide.mdx
@@ -42,6 +42,7 @@ You’ll need to register an Application in Entra ID that connects Smallstep to
 In the Entra Admin Center, [Register an Application](https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false) with the following properties:
 
 - Name the application “Smallstep SCEP Connector”
+- Leave all other values alone
 - Select **Register**
 
 In your new App Registration, copy the **Application (client) ID** value, which you will register with Smallstep later.
@@ -75,7 +76,7 @@ Here’s how the Configured permissions should look:
 
 You’ve completed the App Registration setup.
 
-### 3. Configure Smallstep
+## 3. Configure Smallstep
 
 In your Smallstep dashboard,
 visit the **Devices** tab,
@@ -89,11 +90,18 @@ Configure the Collection with the values you gathered above:
 - The App Registration **Application (client) ID**
 - The App Registration **Secret Value**
 
-Once the Collection is created, go to the **Settings** tab and gather your Intune configuration values:
+Once the Collection is created, you'll need to make a new Account.
+Choose **+ Add Account**.
+Choose either Wi-Fi or VPN, depending on what you need, and select Create.
+This tutorial assumes you are configuring EAP-TLS Wi-Fi network access.
 
-- Copy your SCEP URL
+Once you've created the Account, open the Account details.
+You cna keep this tab open as you configure Intune.
+
+To prepare for the next section:
 - Download your Root CA Certificate
 - Download your Intermediate CA Certificate
+- Copy your SCEP URL
 
 ## 4. Configure Intune
 
@@ -162,7 +170,7 @@ Create [a new SCEP certificate profile](https://intune.microsoft.com/#view/Micro
 
 - SCEP Server URL: Use the SCEP URL you copied from Smallstep
 
-## 4. Test and verify your profile
+## 5. Test and verify your profile
 
 Now try enrolling or syncing a device.