SCEP servers

Tools > Modern Device Management > MDM Configurations > Common Settings > SCEP

Connecting to a SCEP server allows you to dynamically provision certificates. Each time a device is added, your SCEP server will automatically distribute a certificate to it. This effectively secures your corporate network and devices from random (non-SCEP) device enrollments and access. SCEP is also used for securing iOS Wi-Fi payloads.

Use of this feature assumes that the following services are set up and fully configured:

Active Directory.

Certificate Services, including Microsoft Network Device Enrollment Service (NDES). It is highly recommended that this server is running Windows Server 2012 R2 or newer.

The NDES server should be configured to allow more than the 5 passwords per hour. It is recommended 20 passwords per hour via registry setting.

Network Policy Server (RADIUS).

EAP-based wireless infrastructure.

In the LDMS console, configure Directory to connect to Active Directory; pass-through user authentication is not sufficient.

When connected to a SCEP server, Endpoint Manager communicates with it through the CSA. The SCEP server should then make any certificate requests to a certificate authority, which then publishes the certificate to an access point. The certificate is then distributed on a device-by-device basis.

The SCEP Configuration dialog has the following fields:

SCEP Server URL: The NDES server hostname or IP. Both HTTP and HTTPS are supported, though we recommend using HTTPS. Only include HTTPS followed by the hostname or IP; do not include a full path. Only Microsoft NDES is supported, thus only the first part of the URL is needed.

Username: The username you created when installing NDES.

Password: The password for the NDES user.

Domain: The NDES user’s domain.

To ensure a proper connection with your SCEP server, click Verify. If successful, then click Apply.

The Verify button is designed with a limited number of challenge IDs that it can submit in an hour to verify connections, so use it sparingly. To reset the password counter, restart IIS on the NDES server.

Creating Apple device profiles that support SCEP

You can deploy SCEP payloads to Apple devices. The SCEP payload has several components that you need to configure for them to work correctly.

  1. Configure SCEP as described above in Tools > Modern Device Management > MDM Configurations > Common Settings > SCEP.
  2. In Tools > Configuration > Agent settings, open the Apple configuration profile you want to modify.
  3. In the configuration profile editor, click the Certificates payload, and click the Configure button if you don't see the configuration options.
  4. Import the SCEP server CA root cert.
  5. In the configuration profile editor, click the SCEP payload, and click the Configure button if you don't see the configuration options.
  6. In the first URL field, you can see that it accepts a ${SCEPURL}$ database variable. This variable will be replaced by the URL you entered in step 1 at deployment time. Enter this variable for the URL.
  7. In the Name field, specify the name of the CA Root cert.
  8. In the Subject Alternative Name Type list, select RFC 822 Name.
  9. In the Subject Alternative Name Value, type ${EMAIL}$ to retrieve the email of the user that enrolled the device or specify the email address of the user manually.
  10. For NT Principle Name, type ${UPN}$ to retrieve the UPN of the user who enrolled the device or type in the user UPN manually.
  11. Select Dynamic as Challenge type.
  12. In the SCEP challenge server URL field, type ${SCEPCHLGURL}$ to pull the value of the server from the database. This is the URL to the SCEP server as configured in step 1.
  13. In SCEP challenge server username field, type ${SCEPCHLGUSRNM}$ to pull the value of the user from the database. This is the username that has access to the SCEP server as configured in step 1.
  14. In SCEP challenge server password field, type ${SCEPCHLGPSWD}$ to pull the user password from the database. This is the password for the username that has access to the SCEP server as configured in step 1.
  15. Select 2048 in the Key size list.
  16. Select Digital Signature and Encryption in the Usage list.
  17. In the configuration profile editor, click the Network (Wi-Fi) payload.
  18. In the Security type option, select the enterprise security option you want.
  19. Select the TLS authentication protocol.
  20. In the Identity certificate option, select the CARoot Cert added in step 4.
  21. Click the Trust tab and select the CARoot Cert.
  22. Click OK and save your changes.
  23. Deploy the profile.

If you attach multiple X.509 certificates on the Certificates payload page, the first time users connect to Wi-Fi they will be prompted to select a certificate from the available list of certificates. If users select the wrong certificate, the connection will fail. On Apple devices it may not be obvious which certificate users should select, so you may have to provide guidance.