Security threats caused by accessing work email, Wi-Fi, VPN etc. from unauthorized devices can be addressed by authenticating those devices with digital certificates. Simple Certificate Enrollment Protocol (SCEP) is a certificate-management protocol that helps deploy these certificates from a trusted certificate authority (CA). SCEP allows you to securely issue certificates to a large number of network devices using an automatic enrollment technique. Support for SCEP is provided by a number of certificate authorities, and there are complete open-source certificate-authority implementations with SCEP support. Hexnode MDM allows you to configure SCEP and enforce certificate-based authentication for Wi-Fi, VPN, Email etc. on your iOS devices.
To configure SCEP with Hexnode MDM
Create a Policy
- On your Hexnode MDM portal navigate to Policies.
- Create a New Policy or continue with an existing one.
- Click on SCEP under iOS Settings > Configure.
| Setting | Description |
|---|---|
| Configuration name | Specify a name to identify the SCEP configuration. |
| Server URL | Enter the URL at which the portal requests and receives client certificates from the SCEP server. This is the URL specified on the device to obtain certificates. |
| Subject | Configure the subject to include identifying information in the Certificate Signing Request (CSR) sent to the SCEP server. Type the representation of an X.500 name used to identify entities; for example, you can use shortcuts such as C=Country, ST=State, O=Organization Name. |
| SCEP Password | This password is part of the authentication process implemented in SCEP. A device admin accesses the SCEP admin page and receives a temporary/one-time password. The password is used on the device to authorize the certificate request. |
| Key size | Select the key size in bits, either 1024 or 2048. The default value is 1024. |
| Key type | Select the key encryption type. The key type is currently RSA. |
| Key usage | Specify whether the key in the certificate is used to validate a signature or to encrypt the data exchanged over the HTTPS connection established with the certificates issued by the SCEP server. Note that some certificate authorities do not support both signing and encryption at the same time. |
| Retries | Type the number of times to retry when the server returns a pending response. |
| Retry delay | Specify the number of seconds between subsequent retries. |
| Subject Alternative Name | If needed, enter a subject alternative name to include in the request sent to the server. |
| Upload certificate to extract fingerprint | Provide the fingerprint of the CA certificate to ensure that the portal connects to the correct SCEP server. |
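The settings above map onto the keys of Apple's SCEP configuration payload (`com.apple.security.scep`), which is what an MDM ultimately pushes to the device. The following Python script is an added example, not Hexnode's code, that builds such a payload from the same fields: it parses a shortcut-style subject into Apple's nested `Subject` structure, maps the key-usage choice to Apple's integer values (1 signing, 4 encryption, 5 both), and derives the CA fingerprint by hashing the DER form of an uploaded PEM certificate. The server URL, names and the `SAMPLE_CA_DER` blob are constructed placeholders (the blob is not a real certificate), and storing the fingerprint as raw digest bytes in the plist `data` field is an assumption about the profile format.

```python
import base64
import hashlib
import plistlib
import uuid

# Apple's documented integer values for the SCEP payload's "Key Usage" key.
KEY_USAGE = {"signing": 1, "encryption": 4, "both": 5}

# Constructed sample: NOT a real CA certificate, just bytes standing in for DER.
SAMPLE_CA_DER = b"constructed-stand-in-for-a-DER-encoded-CA-certificate"
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_CA_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER bytes."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def ca_fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint (upper-case hex) of a DER-encoded certificate.
    Pinning this in the payload lets the device reject a SCEP server
    that presents a different CA certificate."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_subject(subject: str) -> list:
    """Turn 'C=US, ST=California, O=Example Corp' into Apple's nested
    Subject form: [[["C", "US"]], [["ST", "California"]], ...].
    Constructed helper, not a full X.500 parser: commas inside values
    are not supported."""
    rdns = []
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if not key or not value:
            raise ValueError(f"bad RDN: {part!r}")
        rdns.append([[key.strip(), value.strip()]])
    return rdns


def build_scep_payload(name, url, subject, challenge, key_size=2048,
                       key_usage="both", retries=3, retry_delay=10,
                       san=None, ca_pem=None) -> dict:
    """Build the dictionary for one com.apple.security.scep payload."""
    if key_size not in (1024, 2048):
        raise ValueError("Key size must be 1024 or 2048")
    content = {
        "URL": url,                      # Server URL
        "Name": name,                    # Configuration name
        "Subject": parse_subject(subject),
        "Challenge": challenge,          # SCEP password (one-time challenge)
        "Keysize": key_size,
        "Key Type": "RSA",
        "Key Usage": KEY_USAGE[key_usage],
        "Retries": retries,
        "RetryDelay": retry_delay,
    }
    if san:
        content["SubjectAltName"] = san  # e.g. {"dNSName": "host.example.com"}
    if ca_pem:
        # Assumption: fingerprint stored as raw digest bytes (plist <data>).
        content["CAFingerprint"] = bytes.fromhex(ca_fingerprint(pem_to_der(ca_pem)))
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.scep.{name}",   # placeholder id
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"SCEP - {name}",
        "PayloadContent": content,
    }


def to_mobileconfig(payload: dict) -> bytes:
    """Wrap the payload in a top-level profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.scep",   # placeholder id
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "SCEP certificate enrollment",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    payload = build_scep_payload(
        name="corp-wifi",
        url="https://scep.example.com/scep",            # placeholder URL
        subject="C=US, ST=California, O=Example Corp, CN=device-01",
        challenge="one-time-challenge-from-admin-page",
        san={"dNSName": "device-01.example.com"},
        ca_pem=SAMPLE_CA_PEM,
    )
    print(to_mobileconfig(payload).decode())
```

Running the script prints the `.mobileconfig` XML. The `CAFingerprint` entry is the part worth checking before deployment: without it, the device has no way to tell whether the certificate it receives from the configured URL came from the expected CA.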
Associate the policy to target devices
If the policy is not saved
- Go to Policy Targets > Click on Add Devices.
- Select the device to which the policy is to be associated > Click OK.
- Save the policy.
If the policy is already saved
- Check the required Policy from the Policies tab.
- Click on Manage > Associate Targets.
- Select the device > Associate.