How to configure SCEP for iOS devices

Security threats that arise when work email, Wi-Fi, VPN and similar services are accessed from unauthorized devices can be mitigated by authenticating the devices with digital certificates. Simple Certificate Enrollment Protocol (SCEP) is a certificate-management protocol that deploys these certificates from a trusted certificate authority (CA). SCEP lets you issue certificates securely to a large number of network devices through automatic enrollment. Many certificate authorities support SCEP, and there are open-source CA implementations with SCEP support as well. Hexnode UEM lets you configure SCEP and enforce certificate-based authentication for Wi-Fi, VPN, email and other services on your iOS devices.

Configure SCEP certificate profiles for iOS

To configure SCEP via policy,

  1. Log in to your MDM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to iOS > Security > SCEP. Click Configure.

SCEP Configuration

Fill in the following fields to define the SCEP configuration:

Configuration name: Specify a name to identify the SCEP configuration.
Server URL: Enter the URL at which the portal requests and receives client certificates from the SCEP server. This is the URL the device uses to obtain its certificate.
Subject: Configure the subject to include identifying information in the Certificate Signing Request (CSR) sent to the SCEP server. Type an X.500 name that identifies the entity. For example, you can use attribute abbreviations such as C=Country, ST=State, O=Organization Name.
SCEP Password: This password is part of the authentication process implemented in SCEP. A device admin accesses the SCEP admin page and receives a temporary, one-time password. The password is used on the device to authorize the certificate request.
Key size: Select the key size in bits, either 1024 or 2048. The default value is 1024.
Key type: Select the key encryption type. The key type is currently RSA.
Key used for: Specify whether the key in the certificate is used to validate a signature or to encrypt the data exchanged over the HTTPS connection established with the certificates issued by the SCEP server. Note that some certificate authorities do not support both signing and encryption at the same time.
Number of automatic retries: Type the number of times to retry when the server returns a pending response.
Retry delay (in seconds): Specify the number of seconds between subsequent retries.
Subject Alternative Name: If needed, enter a subject alternative name to include in the certificate request.
Upload certificate to extract fingerprint: Provide the fingerprint of the CA certificate so that the portal connects to the correct SCEP server.
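As an added example (not Hexnode's code, and not Hexnode's own profile format, which this page does not show), the following Python script maps the fields in the table above onto the keys of Apple's `com.apple.security.scep` configuration payload, validates them, and serializes the result with `plistlib`. The `com.example.scep.` identifier prefix and all sample values are constructed for the example.

```python
import plistlib
import re
import uuid

# Bit values Apple's SCEP payload uses for "Key Usage": 1 = signing, 4 = encryption, 5 = both.
KEY_USAGE = {"signing": 1, "encryption": 4, "both": 5}

def parse_subject(subject):
    # 'C=US, ST=California, O=Example' -> nested attribute/value arrays the payload expects.
    parsed = []
    for component in (c.strip() for c in subject.split(",") if c.strip()):
        if "=" not in component:
            raise ValueError(f"subject component lacks '=': {component!r}")
        attr, value = (s.strip() for s in component.split("=", 1))
        parsed.append([[attr, value]])
    return parsed

def parse_fingerprint(fingerprint_hex):
    # Accept 'AB:CD:..' or bare hex; the payload wants the raw MD5 (16-byte) or SHA-1 (20-byte) digest.
    raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", fingerprint_hex))
    if len(raw) not in (16, 20):
        raise ValueError("CA fingerprint must be an MD5 or SHA-1 digest")
    return raw

def build_scep_payload(display_name, url, subject, challenge, key_size=2048,
                       key_used_for="signing", retries=3, retry_delay=10,
                       san_dns=None, ca_fingerprint_hex=None):
    if key_size not in (1024, 2048):  # 1024 is accepted by the portal but well below current RSA minimums
        raise ValueError("key size must be 1024 or 2048")
    if retries < 0 or retry_delay < 0:
        raise ValueError("retries and retry delay must be non-negative")
    content = {
        "URL": url, "Subject": parse_subject(subject),
        "Challenge": challenge,  # one-time SCEP password issued by the CA admin page
        "Keysize": key_size, "Key Type": "RSA", "Key Usage": KEY_USAGE[key_used_for],
        "Retries": retries, "RetryDelay": retry_delay,  # re-poll schedule while the CA says "pending"
    }
    if san_dns:
        content["SubjectAltName"] = {"dNSName": san_dns}
    if ca_fingerprint_hex:  # pins the CA: the device rejects a GetCACert reply with a different hash
        content["CAFingerprint"] = parse_fingerprint(ca_fingerprint_hex)
    return {
        "PayloadType": "com.apple.security.scep", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep." + display_name.lower().replace(" ", "-"),
        "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": display_name,
        "PayloadContent": content,
    }

def to_plist(payload):
    return plistlib.dumps(payload)  # XML plist bytes, the form a .mobileconfig carries
```

Leaving the CA fingerprint empty removes the only check the device has that the SCEP endpoint it reached is the intended CA, so supply it whenever the CA certificate is available.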

Associate SCEP profile settings with target devices

If the policy has not been saved yet,

  1. Navigate to Policy Targets > Devices > +Add Devices.
  2. Choose the target devices and click OK. Click Save.
  3. You can also associate the policy with device groups, users, user groups or domains from the left pane of the Policy Targets tab.

If the policy is already saved,

  1. Go to Policies and choose the desired policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.

Once the policy is associated with a device, certificate-based authentication is enforced on that managed device. Access to network services such as Wi-Fi, VPN and email is then controlled using the certificates issued through SCEP, which gives those services a stronger authentication mechanism than device-independent credentials alone.