Hi CheckMates!
I'm working on a PoC for our customer and this is what I'm trying to achieve:
Intune deployment of Capsule VPN for Android using a personal certificate for authentication and Azure AD (Entra ID) for authorization. The Azure certificate connector takes care of requesting the certificate, and Intune deploys it to the Android device. I followed sk170320. The VPN client deployment with site info, authentication method and pushing the actual certificate is currently working. The certificate authentication itself is also working, using a generic* profile with the 'Public Key' option selected as the authentication scheme.
What I need to get working is authorization with Azure AD. I don't know how to get the user to match a group in AAD (pdp monitor does not show a role for the Android device). I also have a TAC case open where I have explained the case and asked if this is even possible. I haven't gotten a no-no response, so I assume it is possible. I have created the Azure AD object and I can pull the groups from the AAD.
I have also tried to follow many different documents about getting the roles from the AAD, but all of those refer to SAML. We are not using SAML in this case. I followed this and this.
Background on why we are not using SAML:
The devices used here are Android phones. These phones are not personal, i.e. they are shared devices with multiple users.
One device is for on-call plumber no. 1, and when his/her shift ends the phone is passed to plumber no. 2. The second device is for a nursery, where different people use the common phone for accessing company resources via VPN.
Group info (role) is needed in order to create access roles for the different lines of work, because they access different company resources. E.g. group_plumber_android for plumbers and group_nursery_android for nurseries.
Versions:
Capsule VPN for Android 1.601.25
Gateway on which the client terminates: R81.10 JHF take 129
Android OS 13
I would really appreciate it if someone could help me with this.