Hi @aitana! Welcome to the Hexnode Community!
To ensure your macOS devices correctly negotiate the certificate handshake and include the Subject Alternative Name (SAN) details, you need to follow a very specific setup sequence. Here is how to configure it to resolve both the SAN issue and the missing Wi-Fi dropdown:
Step 1: Configure the SCEP Profile (macOS > Security > SCEP)
- Subject: Ensure you use a standard X.500 format. For example: CN=%devicename%, O=BeaconLighting, C=AU.
- Key Size & Usage: Set Key Size to 2048 (standard for most modern CAs) and Key Usage to Signing and Encryption.
- Subject Alternative Name (SAN): Add your variables here (e.g., DNS Name: %devicename%.beaconlighting.com.au).
- Critical Step: Scroll to the bottom to “Upload certificate to extract fingerprint”. You must upload your CA certificate here. This fingerprint allows the Mac to verify the CA’s identity during the enrollment process. If this is missing, the Mac may not trust the full CSR request, which often leads to the SAN being stripped.
Step 2: Configure the Wi-Fi Profile (macOS > Network > Wi-Fi)
For the certificate to actually be sent to the server during Wi-Fi authentication, the Wi-Fi payload must be anchored to the SCEP payload:
- Security Type: Select WPA/WPA2 Enterprise (or WPA3 Enterprise).
- Accepted EAP Types: Select TLS (TLS is the protocol that specifically uses certificates for authentication).
- Identity Certificate: In the dropdown, you must select the SCEP configuration name you created in Step 1.
- Note: If the SCEP profile still doesn’t appear in the list, ensure you have also added the Root CA certificate under macOS > Security > Certificates within the same policy.
How it works in the background: Once you associate this policy, the Mac contacts your Server URL and uses the Fingerprint to verify the server. It then submits a CSR (including your SAN details). The CA issues the certificate to the Mac’s Keychain. When the Mac attempts to connect to the Wi-Fi SSID, it looks at the Identity Certificate requirement, grabs the SCEP-issued certificate from the Keychain, and presents it to the network.
Troubleshooting Tip: If you complete this and the SAN is still missing, check System Settings > General > Device Management on the Mac. View the installed SCEP certificate. If the SAN is visible on the Mac but not in your Server logs, the issue is likely a restriction on your Windows CA Template (specifically, you may need to enable the “Supply in Request” setting on the CA).
Give this setup a try and let me know if it resolves your disconnects!
Cheers,
Eden Pierce
Hexnode UEM
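The two steps in the reply above amount to one configuration profile in which the Wi-Fi payload points at the SCEP payload's UUID. The script below is an added example, not Hexnode's own code or the profile Hexnode generates; it builds such a profile with the standard-library plistlib using the payload keys from Apple's Configuration Profile Reference, and then runs the checks a reviewer would make before pushing it (SAN present, CA fingerprint present, 2048-bit signing+encryption key, EAP-TLS accepted, identity UUID resolving to a SCEP payload). The SCEP URL, SSID, RADIUS name, challenge, device name and the CA certificate bytes are placeholders, not real infrastructure.

```python
"""Build and sanity-check a macOS profile that anchors a Wi-Fi (EAP-TLS) payload to a
SCEP payload, mirroring the steps in the reply above. Added example, not Hexnode code.
Payload keys follow Apple's Configuration Profile Reference (com.apple.security.scep,
com.apple.security.root, com.apple.wifi.managed). All names/URLs below are assumed."""
import hashlib
import plistlib
import uuid
from typing import List, Optional

# Constructed stand-in for the DER bytes of the issuing CA certificate. A real profile
# would read the exported .cer/.der file; only its digest is used here.
CA_CERT_DER = b"-- placeholder DER bytes for the BeaconLighting issuing CA --"

SCEP_URL = "https://scep.beaconlighting.example/certsrv/mscep/mscep.dll"  # assumed
SSID = "BeaconCorp"                                                      # assumed
RADIUS_NAME = "radius.beaconlighting.com.au"                             # assumed
DEVICE_NAME = "MBP-0142"  # what Hexnode's %devicename% variable would expand to; assumed


def ca_fingerprint(der: bytes) -> bytes:
    """CAFingerprint is the MD5 or SHA-1 digest of the CA certificate's DER bytes,
    stored as <data>; SHA-1 is used here."""
    return hashlib.sha1(der).digest()


def scep_payload(payload_uuid: str) -> dict:
    """Step 1: X.500 subject, 2048-bit RSA key, Key Usage 5 (signing + encryption),
    a dNSName SAN built from the device name, and the CA fingerprint."""
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep.wifi",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "BeaconLighting SCEP",
        "PayloadContent": {
            "URL": SCEP_URL,
            "Name": "BeaconLighting-CA",
            "Challenge": "placeholder-challenge",
            # Array of RDNs, each an array of [type, value] pairs: CN=..., O=..., C=AU
            "Subject": [[["CN", DEVICE_NAME]], [["O", "BeaconLighting"]], [["C", "AU"]]],
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,  # 1 = signing, 4 = encryption, 5 = both
            "SubjectAltName": {"dNSName": f"{DEVICE_NAME}.beaconlighting.com.au"},
            "CAFingerprint": ca_fingerprint(CA_CERT_DER),
        },
    }


def root_ca_payload(payload_uuid: str) -> dict:
    """The Root CA certificate the reply says to add under Security > Certificates."""
    return {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ca.root",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "BeaconLighting Root CA",
        "PayloadContent": CA_CERT_DER,
    }


def wifi_payload(identity_uuid: Optional[str], anchor_uuid: str) -> dict:
    """Step 2: WPA2 Enterprise with EAP type 13 (EAP-TLS). PayloadCertificateUUID is
    the "Identity Certificate" dropdown: it must carry the SCEP payload's UUID."""
    payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corp",
        "PayloadUUID": str(uuid.uuid4()),
        "SSID_STR": SSID,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],
            "TLSTrustedServerNames": [RADIUS_NAME],
            "PayloadCertificateAnchorUUID": [anchor_uuid],  # trust anchor for the RADIUS cert
        },
    }
    if identity_uuid is not None:
        payload["PayloadCertificateUUID"] = identity_uuid
    return payload


def build_profile(link_identity: bool = True) -> bytes:
    """Assemble the profile; link_identity=False reproduces a Wi-Fi payload with no
    identity certificate selected, the failure the reply is about."""
    scep_uuid, root_uuid = str(uuid.uuid4()), str(uuid.uuid4())
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi-scep",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Corp Wi-Fi via SCEP",
        "PayloadContent": [scep_payload(scep_uuid), root_ca_payload(root_uuid),
                           wifi_payload(scep_uuid if link_identity else None, root_uuid)],
    })


def check_profile(profile_bytes: bytes) -> List[str]:
    """Return the problems to fix before pushing, one per failed step in the reply."""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    scep_uuids = {p["PayloadUUID"] for p in payloads if p["PayloadType"] == "com.apple.security.scep"}
    problems = []
    for p in payloads:
        if p["PayloadType"] == "com.apple.security.scep":
            c = p["PayloadContent"]
            if not c.get("SubjectAltName"):
                problems.append("SCEP payload has no SubjectAltName")
            if not c.get("CAFingerprint"):
                problems.append("SCEP payload has no CAFingerprint")
            if c.get("Keysize", 0) < 2048 or c.get("Key Usage") != 5:
                problems.append("SCEP key is not 2048-bit signing+encryption")
        elif p["PayloadType"] == "com.apple.wifi.managed":
            if 13 not in p.get("EAPClientConfiguration", {}).get("AcceptEAPTypes", []):
                problems.append("Wi-Fi payload does not accept EAP-TLS")
            ref = p.get("PayloadCertificateUUID")
            if ref is None:
                problems.append("Wi-Fi payload has no identity certificate")
            elif ref not in scep_uuids:
                problems.append("Wi-Fi identity UUID does not match a SCEP payload")
    return problems


if __name__ == "__main__":
    print(check_profile(build_profile()))                      # []
    print(check_profile(build_profile(link_identity=False)))   # ['Wi-Fi payload has no identity certificate']
```

The check that matters most is the last one: a Wi-Fi payload whose PayloadCertificateUUID is absent or does not resolve to a SCEP payload in the same profile is exactly the state the empty Identity Certificate dropdown leaves you in, and the Mac will then have no client certificate to present for EAP-TLS however well the SCEP payload itself is configured.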