Configure SCEP infrastructure
To configure the infrastructure to support the SCEP feature, complete the following steps:
- Step 1: Configure NDES server - You must configure a Network Device
Enrollment Service (NDES) server role on Windows Server 2012 R2 or later. For
instructions on installing and troubleshooting NDES, see the BigFix Wiki page Configure NDES server.
  - The server that hosts NDES must be domain-joined and in the same forest as your Enterprise CA.
  - You cannot use NDES that is installed on the server that hosts the Enterprise CA.
  - You must install the Certificate connector on the same server that hosts NDES.
- Step 2: Configure the Fixlet Configure settings for SCEP functionality on MDM server
- Step 3: Trusted certificate profile: The SCEP profile must be pushed as the
pre-enrollment policy and must be included in the Policy Group. Ensure you have
a trusted certificate profile deployed to devices that use SCEP certificate profiles. SCEP
certificate profiles directly reference the trusted certificate profile that you
use to provision devices with a Trusted Root CA certificate.
- User certificate - provides a certificate to authenticate the logged-in user (supported on Windows and Apple).
- Device certificate - provides a certificate to authenticate the managed device (supported on Windows only).
- Windows SCEP DeviceID template
- Windows SCEP Username template
- Apple SCEP Template

Note: You must upgrade to MCM v3.0 to create a custom SCEP policy from a custom template.
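
The Step 1 host requirements can be checked before the Certificate connector is installed. The following PowerShell script is an added example, not part of the BigFix documentation. The `-CaForest` parameter is a name chosen for this example, and the Certificate connector itself is not checked because this page does not name its service.

```powershell
# Added example: verifies the NDES host prerequisites listed in Step 1.
# Run from an elevated prompt on the Windows Server that will host NDES.
param(
    # Assumption: DNS name of the forest that contains the Enterprise CA,
    # supplied by the operator (parameter name chosen for this example).
    [Parameter(Mandatory = $true)][string]$CaForest
)

$results = [ordered]@{}

# Windows Server 2012 R2 reports OS version 6.3; ProductType 1 is a workstation.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = $os.ProductType -ne 1
$results['OS is Windows Server 2012 R2 or later'] = $isServer -and ([version]$os.Version -ge [version]'6.3')

# The NDES host must be domain-joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Host is domain-joined'] = [bool]$cs.PartOfDomain

# The NDES host must be in the same forest as the Enterprise CA.
$forest = $null
if ($cs.PartOfDomain) {
    try {
        $forest = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Forest.Name
    } catch {
        Write-Warning "Could not resolve the forest: $($_.Exception.Message)"
    }
}
$results["Host forest matches CA forest ($CaForest)"] = ($forest -eq $CaForest)

# NDES cannot run on the server that hosts the Enterprise CA.
$ca   = Get-WindowsFeature -Name ADCS-Cert-Authority
$ndes = Get-WindowsFeature -Name ADCS-Device-Enrollment
$results['CA role is NOT installed on this host'] = -not $ca.Installed
$results['NDES role service is installed'] = [bool]$ndes.Installed

# Report each check and return a non-zero exit code if any failed.
foreach ($check in $results.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    '{0}  {1}' -f $status, $check.Key
}
if ($results.Values -contains $false) { exit 1 }
```

A FAIL on the CA role check means NDES would share a server with the Enterprise CA, which the requirements above do not allow.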