This policy configures Simple Certificate Enrollment Protocol (SCEP) for your macOS and iOS devices. SCEP makes issuing digital certificates easier, more secure, and scalable. You’ll need a Certificate Authority (CA) to issue the device credentials using SCEP. The fields in this SCEP Profiles policy are added to the SCEP payload.
The macOS policy works on all ºÚÁϺ£½Ç91Èë¿Ú macOS supported operating systems that are enrolled in Mobile Device Management (MDM). The iOS policy works on all ºÚÁϺ£½Ç91Èë¿Ú iOS and iPadOS supported operating systems on devices that are enrolled in MDM.
To create a macOS or iOS SCEP Profiles Policy:
- Log in to the .
- Go to DEVICE MANAGEMENT > Policy Management.
- In the All tab, click (+).
- On the New Policy panel, select the Mac or the iOS tab.
- Select the Mac or iOS SCEP Profiles policy from the list, then click configure.
- (Optional) Enter a new name for the policy or keep the default. Policy names must be unique.
- For Policy Notes, enter details like when you created the policy, where you tested it, and where you deployed it.
- (Optional) Enter a Base64 encoded string in the Fingerprint field.
- You will need to convert the current SHA1 or SHA256 fingerprint, represented as a series of hexadecimal values, to a Base64 encoding of a "bytes" object. From the macOS Terminal, run the following command, replacing the fingerprint value with your Certificate Authority’s:
- Note: The characters delimiting the hexadecimal pairs within the fingerprint value are not sensitive - meaning that strings using colons, spaces, or no delimiters at all are equally valid for input.
- Enter the resulting Base64 encoded string in the Fingerprint field.
- You will need to convert the current SHA1 or SHA256 fingerprint, represented as a series of hexadecimal values, to a Base64 encoding of a "bytes" object. From the macOS Terminal, run the following command, replacing the fingerprint value with your Certificate Authority’s:
echo "11:22:33:44:aa:bb:cc:dd" | xxd -r -p | base64
- For Challenge, enter the pre-shared secret, which generally identifies the request or the user who is requesting the profile. This policy type requires a static challenge and will not work with a dynamic challenge.
- Click Key Size to choose the size of the key: 1024, 2048, or 4096 bits. The default is 1024.
- For Subject, click Add Value and enter the Object Identifier (OID) and its value for the X.500 name. For example: /C=US/O=ABCEnterprise/CN=foo/1.2.5.3=bar. This field supports one OID statement, so you should encapsulate all the fields in a single statement.
- For Retries, enter the number of times the device should retry if the server sends a Pending response. The default is 3.
- Select Extractable Key to export the private key from the keychain. Generally, you should not export this private key.
- For Key Usage, enter the purpose for the SCEP certificate and keypair, and which bitmask to use for the private key. Enter Signing for digital signature or Encryption for encryption.
- For Retry Delay, enter the number of seconds to wait between subsequent retries. The first retry is attempted without this delay. The default is 10.
- For URL, enter the SCEP server’s URL. For example: http://scep-server/cgi-bin/pkiclient.exe.
- For Name, enter a unique name for the payload that’s understood by the SCEP server. For example, WiFi Certificate. If a CA has multiple CA certificates, this field is used to distinguish which is required.
- Select Include Root Certificate to upload the certificate for the Certificate Authority to add to the device’s trusted anchors list.
- If you selected Include Root Certificate, click upload file for Root Certificate This certificate should not include public keys and should be in the .cer or .crt format. File size must be smaller than 1 MB.
- Select Set Subject Alternative Name to determine subject alternative names characteristics for the SCEP certificate.
- If you selected Set Subject Alternative Name, under Subject Alternative Name choose one or more values that are required by the CA to issue a certificate:
- For DNS Name, enter the DNS name of the CA server. For example, mac1.example.com. This can be a variable from the device’s current status as of hardware variables.
- For Principal, enter the name of the NT principal used in the organization. This can be a variable from the device’s current status as of hardware variables.
- For RFC 822, enter the email address needed for the certificate request.This can be a variable from the device’s current status as of hardware variables.
- For URI, enter the fully-qualified Uniform Resource Identifier for the CA server. This can be a variable from the device’s current status as of hardware variables.
- (Optional) Select the Device Groups tab. Select one or more device groups where you'll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
- (Optional) Select the Devices tab. Select one or more devices where you'll apply this policy.
For this policy to take effect, you must specify a device or a device group in Step 10 or Step 11.
- Click save.