How to configure SCEP for iOS devices

The risk of unauthorized devices accessing work email, Wi-Fi, VPN and similar services can be mitigated by authenticating the devices with digital certificates. Simple Certificate Enrollment Protocol (SCEP) is a certificate-management protocol that deploys these certificates from a trusted certificate authority (CA). SCEP lets you securely issue certificates to a large number of devices through automatic enrollment. Many commercial certificate authorities support SCEP, and there are open-source certificate authority implementations with SCEP support as well. Hexnode UEM allows you to configure SCEP and enforce certificate-based authentication for Wi-Fi, VPN, email and other services on your iOS devices.

Configure SCEP certificate profiles for iOS

To configure SCEP via policy,

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to iOS > Security > SCEP. Click Configure.
  4. Specify a name to identify the SCEP Configuration in the Configuration name field.
  5. Select the type of Certificate Authority provider. The options available are:
    • Microsoft CA (AD CS): Select this option if you’re using Microsoft Active Directory Certificate Services.
    • Generic: Select this option if you’re using a third-party CA that supports the SCEP protocol.

SCEP Configuration using Microsoft (AD CS)

To configure SCEP using Microsoft CA (AD CS):

Configuration and description:

Server type: Specify the hosting environment of the Microsoft CA:
  • On-prem: Select this when the Microsoft CA is deployed within your organization’s on-premises infrastructure.
  • Cloud: Select this when the Microsoft CA is hosted in a cloud environment.
Server URL: Enter the URL at which the portal requests and receives client certificates from the SCEP server. This is the URL the device uses to obtain certificates.
Subject: Configure the subject so that identifying information is included in the Certificate Signing Request (CSR) sent to the SCEP server. Enter an X.500 name that identifies the entity, using attribute shortcuts such as C=Country, ST=State and O=Organization Name. This field supports the use of all wildcards.
Challenge type: Select how the device authenticates its certificate request. The options are:
  • Microsoft SCEP (mscep) – Password
  • Microsoft SCEP (mscep) – URL
  • None
Challenge (appears when Microsoft SCEP (mscep) – Password is selected): Enter the SCEP challenge password used to authenticate the certificate request.
Agent: Select the Active Directory (AD) agent that connects to the SCEP server and the Challenge URL. The agent lets devices request certificates from your Microsoft CA, which matters especially when the CA is on-prem.
Note: If the AD agent isn’t listed, make sure you have configured the Hexnode UEM AD agent settings.
Challenge URL (appears when Microsoft SCEP (mscep) – URL is selected): Enter the URL, provided by your certificate authority, from which the device retrieves a one-time challenge password.
Username: Enter the username for the SCEP CA.
Password: Enter the password for the SCEP CA.
Key size: Select the key size in bits, either 1024 or 2048. The default value is 1024.
Key type: Select the key encryption type. Currently only RSA is available.
Key used for: Specify whether the certificate’s key is used to validate signatures or to encrypt the data exchanged over the HTTPS connection established with the certificates issued by the SCEP server. Note that some certificate authorities do not support both signing and encryption at the same time.
Number of automatic retries: Enter the number of times the device retries when the server returns a pending response.
Retry delay (in seconds): Specify the number of seconds to wait between successive retries.
Subject Alternative Name: Provide additional identifying details for the certificate. This field supports the use of wildcards. The available options are:
  • DNS
  • Email address
  • UPN
  • URI
  • SID
Upload certificate to extract fingerprint: Upload the CA certificate so that its fingerprint is extracted; the fingerprint ensures that the portal connects to the correct SCEP server.
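The "Number of automatic retries" and "Retry delay" settings above only matter when the CA answers a certificate request with a pending status (for example, a CA that requires an administrator to approve each request). The following added example, which is not Hexnode code, simulates that polling loop so you can see how the two settings bound the number of requests and the total wait: the FakeCA class, the status names and the enroll() helper are assumptions made for this illustration.

```python
"""Added example: how retry count and retry delay govern SCEP polling.
Not Hexnode code; FakeCA, the status strings and enroll() are assumptions."""
import time

SUCCESS, PENDING, FAILURE = "SUCCESS", "PENDING", "FAILURE"


class FakeCA:
    """Constructed stand-in for a SCEP server that answers PENDING
    `pending_polls` times before returning its final status."""

    def __init__(self, pending_polls, final=SUCCESS):
        self.pending_polls = pending_polls
        self.final = final
        self.requests = 0  # how many PKIOperation requests we have seen

    def pki_operation(self):
        self.requests += 1
        if self.requests <= self.pending_polls:
            return PENDING
        return self.final


def enroll(ca, retries, retry_delay, sleep=time.sleep):
    """Send the request once, then retry at most `retries` times while the CA
    keeps answering PENDING, waiting `retry_delay` seconds before each retry.
    Returns (final_status, requests_sent, seconds_waited). If the retries are
    exhausted the status stays PENDING and the device holds no certificate."""
    waited = 0
    status = ca.pki_operation()
    attempts = 0
    while status == PENDING and attempts < retries:
        sleep(retry_delay)
        waited += retry_delay
        attempts += 1
        status = ca.pki_operation()
    return status, ca.requests, waited


def worst_case_wait(retries, retry_delay):
    """Longest time a device can spend polling before giving up."""
    return retries * retry_delay


if __name__ == "__main__":
    no_sleep = lambda seconds: None  # do not actually block when demonstrating
    print(enroll(FakeCA(pending_polls=2), retries=3, retry_delay=10, sleep=no_sleep))
    print(enroll(FakeCA(pending_polls=5), retries=3, retry_delay=10, sleep=no_sleep))
    print(worst_case_wait(3, 10))
```

When sizing the two fields, remember that a pending request that outlives the retry budget is simply abandoned on the device side; if your CA approves requests manually, set the retry count and delay so their product comfortably covers the approval turnaround.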

Generic SCEP Configuration

To configure generic SCEP:

Configuration and description:

Server URL: Enter the URL at which the portal requests and receives client certificates from the SCEP server. This is the URL the device uses to obtain certificates.
Subject: Configure the subject so that identifying information is included in the Certificate Signing Request (CSR) sent to the SCEP server. Enter an X.500 name that identifies the entity, using attribute shortcuts such as C=Country, ST=State and O=Organization Name. This field supports the use of all wildcards.
Challenge: Enter the SCEP challenge password used to authenticate the certificate request.
Key size: Select the key size in bits, either 1024 or 2048. The default value is 1024.
Key type: Select the key encryption type. Currently only RSA is available.
Key used for: Specify whether the certificate’s key is used to validate signatures or to encrypt the data exchanged over the HTTPS connection established with the certificates issued by the SCEP server. Note that some certificate authorities do not support both signing and encryption at the same time.
Number of automatic retries: Enter the number of times the device retries when the server returns a pending response.
Retry delay (in seconds): Specify the number of seconds to wait between successive retries.
Subject Alternative Name: Provide additional identifying details for the certificate. This field supports the use of wildcards. The available options are:
  • DNS
  • Email address
  • UPN
  • URI
  • SID
Upload certificate to extract fingerprint: Upload the CA certificate so that its fingerprint is extracted; the fingerprint ensures that the portal connects to the correct SCEP server.
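Both the Microsoft (AD CS) and the generic configuration tables above share the same security-relevant fields: the server URL, the X.500 subject, the challenge, the key size, the SAN entries and the CA fingerprint. The following added example, which is not Hexnode code, checks a profile against those fields before it is saved and flags the choices a reviewer would question (a 1024-bit key, no challenge, a plain-HTTP server URL with no CA fingerprint to pin). The profile dictionary layout, the %placeholder% wildcard syntax in the sample values and the severity labels are assumptions made for this example; the sample profiles are constructed and point at no real server.

```python
"""Added example: review a SCEP profile's fields before saving it.
Not Hexnode code; the dict layout, placeholder syntax and severities are assumed."""
import re
from urllib.parse import urlparse

# Attribute types accepted in an X.500 / RFC 4514 style subject string.
DN_ATTRIBUTES = {"C", "ST", "L", "O", "OU", "CN", "EMAILADDRESS", "DC", "SERIALNUMBER"}
# SAN types offered by the configuration tables.
SAN_TYPES = {"DNS", "Email address", "UPN", "URI", "SID"}
# Hex digest lengths of the fingerprint algorithms a CA certificate is usually pinned with.
FINGERPRINT_LENGTHS = {40: "SHA-1", 64: "SHA-256"}


def parse_subject(subject):
    """Split 'C=US, O=Example, CN=device' into (TYPE, value) pairs.
    A backslash-escaped comma inside a value is kept as part of the value."""
    pairs = []
    for part in re.split(r"(?<!\\),", subject):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"component {part!r} is not of the form TYPE=value")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().upper(), value.strip().replace("\\,", ",")
        if attr not in DN_ATTRIBUTES:
            raise ValueError(f"unsupported subject attribute {attr!r}")
        if not value:
            raise ValueError(f"subject attribute {attr!r} has an empty value")
        pairs.append((attr, value))
    return pairs


def check_profile(profile):
    """Return a list of (severity, message) findings; an empty list means the profile passes."""
    findings = []

    url = urlparse(profile.get("server_url", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        findings.append(("error", "Server URL must be an absolute http(s) URL"))
    elif url.scheme == "http" and not profile.get("ca_fingerprint"):
        # SCEP is commonly served over plain HTTP; the pinned CA fingerprint is what
        # lets the device notice a substituted CA certificate, so it must not be missing.
        findings.append(("error", "HTTP server URL with no CA fingerprint: the device cannot verify the CA"))

    try:
        pairs = parse_subject(profile.get("subject", ""))
        if not any(attr == "CN" for attr, _ in pairs):
            findings.append(("warning", "Subject has no CN; issued certificates will be hard to tell apart"))
    except ValueError as exc:
        findings.append(("error", f"Subject: {exc}"))

    challenge_type = profile.get("challenge_type")
    if challenge_type == "None":
        findings.append(("warning", "Challenge type None: any client that reaches the URL can request a certificate"))
    elif challenge_type == "Password" and not profile.get("challenge"):
        findings.append(("error", "Challenge type Password selected but no challenge password given"))

    key_size = profile.get("key_size")
    if key_size not in (1024, 2048):
        findings.append(("error", f"Key size {key_size!r} is not offered; choose 1024 or 2048"))
    elif key_size == 1024:
        findings.append(("warning", "1024-bit RSA is below the current NIST minimum of 2048 bits; select 2048"))

    for san in profile.get("san", []):
        if san.get("type") not in SAN_TYPES or not san.get("value"):
            findings.append(("error", f"SAN entry {san!r} has an unknown type or empty value"))

    fingerprint = profile.get("ca_fingerprint")
    if fingerprint and len(re.sub(r"[^0-9a-fA-F]", "", fingerprint)) not in FINGERPRINT_LENGTHS:
        findings.append(("error", "CA fingerprint is neither a SHA-1 nor a SHA-256 hex digest"))

    if profile.get("retries", 0) < 0 or profile.get("retry_delay", 0) < 0:
        findings.append(("error", "Retry count and retry delay must not be negative"))
    return findings


# Constructed sample profiles (hostnames and values are placeholders, not real systems).
WEAK_PROFILE = {
    "server_url": "http://scep.example.test/certsrv/mscep/mscep.dll",
    "subject": "O=Example Corp",
    "challenge_type": "None",
    "key_size": 1024,
    "san": [{"type": "UPN", "value": "%username%@example.test"}],
    "retries": 3,
    "retry_delay": 10,
}
HARDENED_PROFILE = {
    "server_url": "https://scep.example.test/certsrv/mscep/mscep.dll",
    "subject": "C=US, ST=California, O=Example Corp, CN=%devicename%",
    "challenge_type": "Password",
    "challenge": "constructed-one-time-challenge",
    "key_size": 2048,
    "san": [{"type": "UPN", "value": "%username%@example.test"}],
    "ca_fingerprint": "0123456789abcdef" * 4,  # constructed 64-hex-digit SHA-256 stand-in
    "retries": 3,
    "retry_delay": 10,
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, check_profile(prof) or "OK")
```

Run it against your own profile values before saving the policy; an "error" finding means the profile either cannot work or leaves the device unable to verify the CA, while a "warning" points at a choice (1024-bit key, no challenge, no CN) that the defaults allow but that weakens the authentication the certificates are meant to provide.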

Associate SCEP profile settings with target devices

If the policy is not saved,

  1. Navigate to Policy Targets > Devices > +Add Devices.
  2. Choose the target devices and click OK. Click Save.
  3. You can also associate the policy with device groups, users, user groups or domains from the left pane of the Policy Targets tab.

If the policy is already saved,

  1. Go to Policies and choose the desired policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.

Once the policy is associated with the device, certificate-based authentication is enforced on the managed devices. It provides a secure authentication mechanism for network services such as Wi-Fi, VPN and email: with this policy active on the device, access to those services is controlled by the certificates, and distributing them via SCEP strengthens the security of that access.