
How to configure SCEP for iOS devices

The Simple Certificate Enrollment Protocol (SCEP) is a scalable industry standard used to automate the secure issuance of digital certificates. In an enterprise environment, manually installing certificates on every iPhone or iPad is inefficient and poses security risks. Hexnode UEM streamlines this by allowing devices to communicate directly with a Certificate Authority (CA) to request, receive, and install certificates automatically.

By leveraging SCEP, organizations can enforce robust identity verification for Wi-Fi, VPN, and Email authentication, ensuring that only trusted, managed devices can access sensitive corporate data.

1. Configuration Workflow

To configure SCEP for iOS devices:

  1. Log in to the Hexnode UEM portal.
  2. Navigate to Policies > New Policy > Create a fully custom policy > iOS > Security > SCEP and click Configure.

2. Select Certificate Authority Provider

Choose the provider type corresponding to your infrastructure:

  • Microsoft CA (AD CS): Select this if using Microsoft Active Directory Certificate Services.
  • Generic: Select this if using a third-party CA that supports the SCEP protocol.

3. SCEP Configuration using Microsoft (AD CS)

Use these settings when integrating with a Microsoft CA environment:

  • Server type: Specify the hosting environment:
      • On-prem: Microsoft CA is within the organization’s on-premises infrastructure.
      • Cloud: Microsoft CA is hosted in a cloud environment.
  • Server URL: The SCEP server URL where client certificates are requested and received. It is pushed to the device, which uses it to obtain its certificate.
  • Subject: X.500 name that identifies the entity (e.g., C=Country, ST=State, O=Organization Name). Supports all wildcards.
  • Challenge type: Choose how the device authenticates its request:
      • Microsoft SCEP (mscep) – Password
      • Microsoft SCEP (mscep) – URL
      • None
  • Challenge (shown for the Password challenge type): Enter the password used to authenticate the certificate request.
  • Agent: Select the AD agent that connects to the SCEP server/URL. Required for on-prem CAs so that devices can request certificates. If the AD agent isn’t listed, configure the Hexnode UEM AD agent settings first.
  • Challenge URL (shown for the URL challenge type): The CA-provided URL from which the device retrieves a one-time challenge password.
  • Username: The username for the SCEP CA.
  • Password: The password for the SCEP CA.
  • Key size: Select 1024 or 2048 bits. The default is 1024.
  • Key type: Select the key type. Currently only RSA is available.
  • Key used for: Specify Signing, Encryption, or both (if supported by the CA).
  • Number of automatic retries: Number of times the device retries when the server reports the request as pending.
  • Retry delay (in seconds): Seconds to wait between subsequent retries.
  • Subject Alternative Name: Additional identifiers: DNS, Email address, UPN, URI, SID. Supports wildcards.
  • Upload certificate to extract fingerprint: Upload the CA certificate so its fingerprint can be extracted; the device uses it to confirm it is talking to the correct SCEP server.

4. Generic SCEP Configuration

Use these settings for third-party SCEP-enabled Certificate Authorities:

  • Server URL: The SCEP server URL where client certificates are requested and received.
  • Subject: X.500 name used to identify the entity (e.g., C=Country, O=Organization). Supports all wildcards.
  • Challenge: The SCEP challenge password used to authenticate the certificate request.
  • Key size: Select 1024 or 2048 bits. The default is 1024.
  • Key type: Select the key type. Currently only RSA is available.
  • Key used for: Specify Signing, Encryption, or both (if supported by the CA).
  • Number of automatic retries: Number of times the device retries when the server reports the request as pending.
  • Retry delay (in seconds): Seconds to wait between subsequent retries.
  • Subject Alternative Name: Additional identifiers: DNS, Email address, UPN, URI, SID. Supports wildcards.
  • Upload certificate to extract fingerprint: Upload the CA certificate so its fingerprint can be extracted; the device uses it to confirm it is talking to the correct SCEP server.
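The Subject, Subject Alternative Name, key size, key usage, retry and fingerprint fields in the two sections above end up as keys of Apple's SCEP configuration-profile payload (PayloadType com.apple.security.scep), which is what the iPhone or iPad actually receives and acts on. The Python below is an added example and is not Hexnode's code: it splits an X.500 subject string into the nested-array form Apple's payload expects (each RDN as a list of [type, value] pairs, with dotted OIDs allowed), maps the "Key used for" choice onto the payload's integer Key Usage value (1 signing, 4 encryption, 5 both), converts the hex fingerprint string into the raw bytes the CAFingerprint key carries, and flags wildcards that were never substituted. Assumptions: the %name% wildcard syntax, the set of accepted RDN short names, and every URL, subject, challenge and fingerprint value are constructed for this example; the SID alternative-name type listed above has no key in this mapping and is left out.

```python
import plistlib
import re
import uuid

# Key Usage integer values carried by Apple's SCEP payload.
KEY_USAGE = {"signing": 1, "encryption": 4, "both": 5}

# RDN short names this parser accepts (assumption: extend for your CA's naming policy).
ALLOWED_RDN_TYPES = {"C", "ST", "L", "O", "OU", "CN", "E", "DC"}
DOTTED_OID = re.compile(r"^\d+(\.\d+)+$")

# Portal field -> SubjectAltName key name used by Apple's payload.
SAN_KEYS = {"dns": "dNSName", "email": "rfc822Name",
            "upn": "ntPrincipalName", "uri": "uniformResourceIdentifier"}

# Assumed wildcard syntax (e.g. %username%); a token still present after
# substitution means the portal had no value for that user.
WILDCARD = re.compile(r"%[A-Za-z_]+%")


def parse_subject(subject: str):
    """Turn 'C=US, O=Example, CN=jane' into [[['C','US']], [['O','Example']], [['CN','jane']]]."""
    rdns = []
    for part in subject.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr_type, _, value = part.partition("=")
        attr_type, value = attr_type.strip(), value.strip()
        if not DOTTED_OID.match(attr_type):
            attr_type = attr_type.upper()
            if attr_type not in ALLOWED_RDN_TYPES:
                raise ValueError(f"unsupported attribute type {attr_type!r}")
        if not value:
            raise ValueError(f"empty value for {attr_type}")
        rdns.append([[attr_type, value]])
    if not rdns:
        raise ValueError("subject is empty")
    return rdns


def find_unresolved_wildcards(text: str):
    """Return wildcard tokens that were not replaced with user data."""
    return WILDCARD.findall(text)


def build_scep_payload(*, name, url, subject, challenge=None, key_size=2048,
                       key_usage="both", retries=3, retry_delay=10,
                       san=None, ca_fingerprint_hex=None):
    """Assemble the dictionary for one com.apple.security.scep payload."""
    if key_size not in (1024, 2048):
        raise ValueError("key size must be 1024 or 2048")
    unresolved = find_unresolved_wildcards(subject)
    if unresolved:
        raise ValueError(f"subject has unresolved wildcards: {unresolved}")
    content = {
        "URL": url,
        "Name": name,
        "Subject": parse_subject(subject),
        "Keysize": key_size,
        "Key Type": "RSA",                 # the only key type offered here
        "Key Usage": KEY_USAGE[key_usage],
        "Retries": retries,
        "RetryDelay": retry_delay,
    }
    if challenge:
        content["Challenge"] = challenge
    if san:
        content["SubjectAltName"] = {SAN_KEYS[k]: v for k, v in san.items()}
    if ca_fingerprint_hex:
        # Strip colons/whitespace; the payload carries the hash as raw bytes.
        content["CAFingerprint"] = bytes.fromhex(re.sub(r"[\s:]", "", ca_fingerprint_hex))
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.scep.{uuid.uuid4()}",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": content,
    }


def to_plist(payload) -> bytes:
    """Serialize the payload as XML plist, the form a profile is delivered in."""
    return plistlib.dumps(payload)


def load_payload(plist_bytes: bytes):
    """Parse a serialized payload back into a dictionary (round-trip check)."""
    return plistlib.loads(plist_bytes)


if __name__ == "__main__":
    payload = build_scep_payload(
        name="Corp SCEP", url="https://scep.example.test/certsrv/mscep/mscep.dll",
        subject="O=Example Corp, CN=jane", challenge="constructed-challenge",
        san={"dns": "jane.example.test", "upn": "jane@example.test"},
        ca_fingerprint_hex="AB:CD:EF:01")
    print(to_plist(payload).decode())
```

The dictionary above is a single payload; a deliverable profile wraps one or more such payloads in a top-level PayloadContent array with its own identifiers. Although both sections accept a 1024-bit key, NIST SP 800-131A disallowed 1024-bit RSA for new signatures after 2013, so treat 2048 as the floor when the CA accepts it.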

5. Policy Association and Deployment

Once the SCEP settings are configured:

  1. Navigate to the Policy Targets tab.
  2. Click +Add Devices and select the target Devices, Users, Device Groups, User Groups, or Domains/OUs.
  3. Click Save to push the policy.

6. Troubleshooting & FAQs

FAQs

  1. Does Hexnode store the private key?
    No. The private key is generated locally on the iOS device and is never sent to the Hexnode portal or the SCEP server.
  2. Can SCEP certificates be used for Wi-Fi or VPN?
    Yes. Once the SCEP certificate is successfully deployed to the device, it can be selected as the “Identity Certificate” in Wi-Fi or VPN policies.
  3. Are dynamic SCEP challenges supported?
    Hexnode deploys the static challenge provided in the policy. For dynamic challenges, advanced integration with the CA (such as Microsoft NDES) is typically required.

Troubleshooting

  • Certificate Request Failed: Verify that the Server URL is reachable from the device’s network. Check whether the Challenge password has expired on the SCEP server.
  • Identity Mismatch: Ensure the Subject field is formatted as a valid X.500 string. If wildcards are used, verify that the corresponding user data is populated in the Hexnode portal, otherwise the wildcard is never replaced.
  • Pending Status: If the device remains in a pending state, check the Retries and Retry Delay settings; together they bound how long the device keeps polling, so they must give the CA enough time to process the request.
  • Fingerprint Errors: If a fingerprint is provided, it must match the CA certificate exactly. If it does not, the device rejects the connection to the SCEP server.
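Two entries in the list above can be checked mechanically before a policy is pushed: the Pending Status entry comes down to whether the retry count and retry delay cover the time the CA takes to approve, and the Fingerprint Errors entry is a byte-for-byte comparison between the configured fingerprint and a hash of the CA certificate's DER encoding. The Python below is an added example, not Hexnode's or Apple's code. It uses a simplified model of the device's polling (one initial request plus Retries follow-up polls on a simulated clock; Apple's real client logic may differ in detail), the pkiStatus values from RFC 8894 (0 SUCCESS, 2 FAILURE, 3 PENDING), and a constructed PEM blob that stands in for a real CA certificate; the SHA-256 choice is this example's, not a statement of which hash the device accepts.

```python
import base64
import hashlib
import hmac
import re

# pkiStatus values from RFC 8894 (SCEP).
SUCCESS, FAILURE, PENDING = 0, 2, 3


class SimulatedCA:
    """Stand-in for a SCEP server whose operator approves requests by hand.
    Answers PENDING until `approve_after_s` seconds of simulated time have passed."""

    def __init__(self, approve_after_s: int):
        self.approve_after_s = approve_after_s

    def poll(self, now_s: int) -> int:
        return SUCCESS if now_s >= self.approve_after_s else PENDING


def enroll(ca: SimulatedCA, retries: int, retry_delay: int) -> dict:
    """Simplified device model: initial request, then up to `retries` polls
    spaced `retry_delay` seconds apart, stopping on SUCCESS or FAILURE.
    Returns the final status, simulated seconds elapsed and number of polls."""
    clock = 0
    attempts = 0
    status = ca.poll(clock)
    while status == PENDING and attempts < retries:
        clock += retry_delay
        attempts += 1
        status = ca.poll(clock)
    return {"status": status, "elapsed_s": clock, "polls": attempts + 1}


def normalize_fingerprint(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return lowercase hex only."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def fingerprint_of_pem(pem: str, algo: str = "sha256") -> str:
    """Hash the DER bytes inside a PEM block (what a fingerprint is computed over)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body)
    return hashlib.new(algo, der).hexdigest()


def fingerprint_matches(configured: str, ca_pem: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the configured fingerprint with the CA certificate's."""
    return hmac.compare_digest(normalize_fingerprint(configured), fingerprint_of_pem(ca_pem, algo))


# Constructed stand-in: base64 of an arbitrary byte string, NOT a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed stand-in, not a real DER certificate").decode()
              + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    ca = SimulatedCA(approve_after_s=45)
    print("3 retries x 10 s:", enroll(ca, retries=3, retry_delay=10))   # gives up while pending
    print("5 retries x 10 s:", enroll(ca, retries=5, retry_delay=10))   # succeeds on a later poll
    fp = fingerprint_of_pem(SAMPLE_PEM)
    print("fingerprint ok:", fingerprint_matches(fp.upper(), SAMPLE_PEM))
```

Run the enrollment model with the CA's observed approval latency to see whether the configured Retries and Retry Delay ever reach a SUCCESS poll; if the result is still PENDING, the device will give up first. The fingerprint check normalizes colons and case so that a fingerprint copied from a CA console compares correctly, while any altered digit still fails.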