Configure Android SCEP settings from Hexnode

This document serves as a guide for IT administrators to configure Android SCEP settings in Hexnode and enable certificate-based authentication for services such as Wi-Fi, VPN, and others.
The Simple Certificate Enrollment Protocol (SCEP) is designed to simplify the distribution of digital certificates across large device fleets. By automating certificate requests and issuance, SCEP helps maintain secure, certificate-based authentication.
SCEP configuration automates how devices request and receive digital certificates from a Certificate Authority (CA). In most setups, the device generates a Certificate Signing Request (CSR) and submits it securely to the CA. The CA issues a signed certificate that lets the device authenticate to Wi-Fi, VPN and other enterprise services that require trusted credentials.
With Hexnode, this process becomes seamless, allowing IT teams to centrally manage certificate-based authentication and enhance the overall security posture of their Android device fleet.

Configure SCEP for Android

To configure SCEP on Android, follow the steps below:

  1. Log in to your Hexnode UEM console.
  2. Navigate to the Policies tab.
  3. Click on New Policy to create a new one or click on any policy to edit an existing one. Enter the Policy Name and Description in the provided fields.
  4. Go to Android > Security > SCEP. Click Configure.

To create an SCEP policy, configure the following options:

Configuration name
  Enter a name of your choice to identify the SCEP configuration.

Certificate Authority
  Specify the type of certificate authority (CA) provider used to issue device certificates through SCEP:
  • Microsoft (AD CS): Select this option if you’re using Microsoft Active Directory Certificate Services.
  • Generic: Select this option if you’re using a third-party CA that supports the SCEP protocol.

Server type (applicable only if Microsoft (AD CS) is selected for Certificate Authority)
  Specify the hosting environment of the Microsoft Certificate Authority:
  • On-prem: Select this when the Microsoft CA is deployed within your organization’s on-premises infrastructure.
  • Cloud: Select this when the Microsoft CA is hosted in a cloud environment.

Server URL
  Enter the full URL of the SCEP server used to issue certificates. This URL is provided by your Certificate Authority; devices use it to request an identity certificate from the CA.

Subject
  Configure the Subject field to include identifying information in the Certificate Signing Request (CSR) sent to the SCEP server. Use the X.500 name format to identify the entity, for example C=Country, ST=State, L=Locality, O=Organization Name, OU=Organizational Unit, CN=Common Name.

Challenge
  Specify the challenge password that the SCEP server uses to verify that a certificate request submitted to the Certificate Authority (CA) is authorized.

Challenge type (applicable only if Microsoft (AD CS) is selected for Certificate Authority)
  Choose how the SCEP server authenticates certificate requests. You can select from the following options:
  • None: No challenge is required for certificate enrollment.
  • Microsoft SCEP (mscep) – URL: Requires a Challenge URL, Username, and Password for authentication.
  • Microsoft SCEP (mscep) – Password: Requires only a static password for verification.

Challenge URL (applicable only if Microsoft SCEP (mscep) – URL is selected)
  The URL of the Certificate Authority (CA)’s authentication server, from which the system requests a challenge password to proceed with certificate enrollment.
  Example: https://your-ca-server.domain.com/certsrv/mscep_admin

User name (applicable only if Microsoft SCEP (mscep) – URL is selected)
  The user account that is authorized to access the challenge URL.

Password (applicable only if Microsoft SCEP (mscep) – URL is selected)
  The password of the user account above.

Agent (applicable only if On-prem is selected for Server type)
  The agent facilitates secure communication between SCEP and your on-premises Microsoft Certificate Authority (CA). It allows Android devices managed by Hexnode to request and retrieve certificates from your internal CA infrastructure. To establish this connection, install the Hexnode MDM_AD agent app on your Windows device (see the Hexnode documentation on installing the agent app). Once the agent is installed and set up, the server automatically appears in the Agent list within the SCEP settings of the Android policy in the Hexnode portal.

Key usage
  Specify the intended purpose of the public key in the certificate. These cryptographic actions define what the key can be used for:
  • Digital Signature: Allows the key to be used to create digital signatures.
  • Non-repudiation: Ensures that the sender of a message cannot deny having sent it.
  • Key Encipherment: Enables the key to encrypt other keys (typically for key exchange).
  • Data Encipherment: Allows the key to directly encrypt user data.
  • Key Agreement: Supports key exchange protocols, such as Diffie-Hellman.
  • Key Cert Sign: Permits the key to sign other digital certificates.
  • CRL Sign: Allows the key to sign Certificate Revocation Lists (CRLs).
  • Encipher Only: Restricts a Key Agreement key to enciphering data only.
  • Decipher Only: Restricts a Key Agreement key to deciphering data only.
  Select one or more options based on what the certificate will be used for.

Key size
  Choose the key size (in bits) for the certificate. The available options are 1024 and 2048. 1024-bit RSA keys are no longer considered secure; use 2048 unless a legacy CA requires otherwise.

Hash algorithm
  Select the hash algorithm used to sign the certificate request. Available options are SHA-1, SHA-256, and SHA-512. SHA-1 is deprecated for certificate signatures; prefer SHA-256 or SHA-512.

Thumbprint
  Upload a CA certificate to automatically extract its thumbprint. The thumbprint is used to validate the identity of the CA when devices request certificates through SCEP. The following formats are supported:
  • .cer
  • .cert
  • .pem
  • .der
  • .crt
  • .p12
  • .pfx
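To show what the extracted thumbprint is and how a device-side match against the configured value works, here is an added Python example (standard library only, not Hexnode's code) that accepts a PEM or DER certificate, derives the SHA-1 or SHA-256 thumbprint of its DER encoding, and compares it in constant time against a value pasted in either AD CS display style. The certificate bytes are a constructed stand-in; .p12/.pfx bundles would need to be unpacked to a certificate first.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a CA certificate's DER bytes (not a real certificate).
# A thumbprint is simply a hash over the DER encoding, so these bytes exercise the
# same logic; PKCS#12 bundles (.p12/.pfx) must be unpacked to a certificate first.
SAMPLE_DER = bytes(range(256)) * 4

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Accept PEM (.pem, or .cer/.crt saved as Base64) or raw DER (.der, binary .cer)."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def to_pem(der: bytes) -> bytes:
    """Wrap DER as PEM; used here only to show that both inputs yield one thumbprint."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def thumbprint(data: bytes, algo: str = "sha1") -> str:
    """Hex digest of the DER encoding; Windows and AD CS display SHA-1 by default."""
    return hashlib.new(algo, to_der(data)).hexdigest()


def normalize(configured: str) -> str:
    """Drop colons, spaces and hidden characters from a pasted thumbprint; lower-case it."""
    return re.sub(r"[^0-9a-f]", "", configured.lower())


def thumbprint_matches(cert_data: bytes, configured: str) -> bool:
    """Pick the hash by length (40 hex = SHA-1, 64 hex = SHA-256); compare in constant time."""
    expected = normalize(configured)
    algo = {40: "sha1", 64: "sha256"}.get(len(expected))
    if algo is None:
        return False  # neither a SHA-1 nor a SHA-256 thumbprint: refuse rather than guess
    return hmac.compare_digest(thumbprint(cert_data, algo), expected)
```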
Extended key usage
  Specify the intended purpose(s) of the certificate’s public key beyond the basic key usage. This setting defines how the certificate can be used after it is issued via SCEP. The available options are:
  • Any Purpose
  • Code Signing
  • Email Protection
  • Client Authentication
  • Server Authentication

Number of retries
  Specify how many times (0 to 30) the system should retry contacting the SCEP server if the certificate request is pending.

Retry delay (in seconds)
  Specify the time interval between retry attempts while the SCEP server response is pending.
  Note: This delay applies between the retries defined in the Number of retries setting.

Subject Alternative Name
  Provide additional identifiers to be included in the certificate. These values help uniquely identify the subject across various services. You can select one or more of the following types and supply a value for each:
  • DNS
  • Email address
  • IP address
  • UPN
  • URI
  • SID
  By default, the SID field is populated with the value tag:microsoft.com,2022-09-14:sid:%ad_sid%. The %ad_sid% wildcard is replaced with the Active Directory user’s SID during certificate issuance.
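To make the Subject and Subject Alternative Name settings concrete, here is an added Python example (not Hexnode's code) that derives the CSR subject RDNs and SAN values for one user from templates like those above. Only the %ad_sid% wildcard and the SID URI value come from this page; the %username% wildcard, the templates and the directory record are hypothetical. The SID is checked for the domain-account shape before it is embedded, because the tag:microsoft.com,2022-09-14:sid: URI is what AD CS uses to map the issued certificate to the account.

```python
import re

# Constructed policy values mirroring the Subject and Subject Alternative Name settings
# above; %ad_sid% is the wildcard from this page, %username% is a hypothetical placeholder.
SUBJECT_TEMPLATE = "C=US, ST=California, O=Example\\, Inc., OU=Mobile, CN=%username%"
SAN_TEMPLATES = {"UPN": "%username%@example.com",
                 "URI": "tag:microsoft.com,2022-09-14:sid:%ad_sid%"}  # page default for SID
# Constructed directory record for one enrolling user.
USER = {"%username%": "jdoe", "%ad_sid%": "S-1-5-21-1111111111-2222222222-3333333333-1105"}
# Domain account SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")

def parse_x500(subject: str) -> list:
    """Split an X.500 string into (type, value) RDNs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], "", False
    for ch in subject:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"not a type=value pair: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns

def fill(template: str, user: dict) -> str:
    """Substitute %wildcard% tokens and refuse to emit a value with an unresolved one."""
    for token, value in user.items():
        template = template.replace(token, value)
    if "%" in template:
        raise ValueError(f"unresolved wildcard in {template!r}")
    return template

def build_request(user: dict) -> dict:
    """Subject RDNs and SAN entries the device would place in its CSR for this user."""
    if not SID_RE.match(user.get("%ad_sid%", "")):
        raise ValueError("refusing to bind a missing or malformed SID")
    subject = [(t, fill(v, user)) for t, v in parse_x500(SUBJECT_TEMPLATE)]
    sans = {kind: fill(tpl, user) for kind, tpl in SAN_TEMPLATES.items()}
    return {"subject": subject, "san": sans}
```

Note that a comma inside an attribute value (here the organization name) must be escaped in the Subject field, or the CSR will carry a split, malformed RDN.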

Configure SCEP profile for Android devices

Associate SCEP profile settings with Android devices

If the policy has not been saved yet:

  1. Go to Policy Targets > Devices > +Add Devices.
  2. Choose the target devices and click Ok. Click Save.
  3. You can also associate the policy with device groups, users, user groups, or domains from the left pane of the Policy Targets tab.

If the policy is already saved:

  1. Go to Policies and choose the desired policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.

What happens at the device end?

When this policy is applied to managed Android devices, it enables certificate-based authentication for supported network services like Wi-Fi, VPN, and others. Instead of relying on passwords, devices use digital certificates issued via SCEP to securely prove their identity. This method helps strengthen data protection and ensures that only trusted devices can connect to the organization’s resources.