Workspace ONE UEM supports SCEP (Simple Certificate Enrollment Protocol) for iOS and macOS devices. In this integration the device generates a key pair and submits a certificate signing request (CSR), and the SCEP endpoint returns a signed certificate to the device.

If you’re looking to leverage certificates as part of your mobile deployment, SCEP allows you to securely deploy certificate enrollment requests to iOS devices, even when Workspace ONE UEM does not natively support your PKI infrastructure of choice.

Workspace ONE UEM provisions the device with the parameters it needs to generate the key pair and submit the CSR to the SCEP endpoint. The SCEP endpoint returns a signed certificate to the mobile device, which manages the certificate and its private key. The benefit of SCEP is that the private key never leaves the mobile device.

Prerequisites

  • Workspace ONE UEM 9.5 or later
  • iOS 5.0 or later
  • macOS 10.9 or later
  • The CA or SCEP endpoint must support SCEP as specified in the Internet Engineering Task Force's Simple Certificate Enrollment Protocol draft document.
  • The SCEP endpoint must be accessible from the device in order for the certificate enrollment to finish.
    • The exception to this requirement is when you use the Enable Proxy option on the Certificate Authority - Add/Edit page, which applies to non-generic SCEP use.
Note: Renewal and revocation are not supported.
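The reachability prerequisite above can be checked before any profile is published by querying the SCEP URL's GetCACaps operation from the device network segment (the IETF draft referenced above was published as RFC 8894, which describes GetCACaps in section 3.5). The Go program below is an added example, not part of this documentation or of Workspace ONE UEM: the sample response body in main is constructed, https://scep.example.com/scep is a placeholder URL, and the Findings wording reflects the algorithm choices SCEP defines (MD5/SHA-1 versus SHA-2, DES/3DES versus AES, GET versus POST), not any Workspace ONE UEM setting.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// CACaps holds the keywords a SCEP server returns for GetCACaps (RFC 8894
// section 3.5), lower-cased because clients must treat them case-insensitively.
type CACaps map[string]bool

// ParseCACaps parses the text/plain response body: one keyword per line, blank
// lines ignored. SCEPStandard implies AES, POSTPKIOperation and SHA-256.
func ParseCACaps(body string) CACaps {
	caps := CACaps{}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		if kw := strings.ToLower(strings.TrimSpace(sc.Text())); kw != "" {
			caps[kw] = true
		}
	}
	if caps["scepstandard"] {
		caps["aes"], caps["postpkioperation"], caps["sha-256"] = true, true, true
	}
	return caps
}

// Findings turns the capability set into the points an admin should look at
// before publishing a profile that points devices at this SCEP URL.
func Findings(caps CACaps) []string {
	var out []string
	if !caps["sha-256"] && !caps["sha-512"] {
		out = append(out, "no SHA-2 hash advertised; the PKCS#7 exchange is limited to SHA-1 or MD5")
	}
	if !caps["aes"] {
		out = append(out, "AES not advertised; the CSR envelope is limited to DES or triple DES")
	}
	if !caps["postpkioperation"] {
		out = append(out, "POSTPKIOperation not advertised; PKIOperation must be sent as a GET")
	}
	if caps["renewal"] {
		out = append(out, "Renewal advertised, but the Workspace ONE UEM SCEP integration does not use it")
	}
	return out
}

// CapsURL adds operation=GetCACaps to the SCEP URL entered in the console,
// keeping any query parameters the URL already carries.
func CapsURL(scepURL string) (string, error) {
	u, err := url.Parse(scepURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("operation", "GetCACaps")
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// FetchCACaps queries a live endpoint; run it from the device network segment,
// since the prerequisite is reachability from the device, not from the UEM server.
func FetchCACaps(ctx context.Context, scepURL string) (CACaps, error) {
	target, err := CapsURL(scepURL)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, target, nil)
	if err != nil {
		return nil, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, fmt.Errorf("SCEP endpoint not reachable: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GetCACaps returned HTTP %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	if err != nil {
		return nil, err
	}
	return ParseCACaps(string(body)), nil
}

func main() {
	// Constructed sample response standing in for a real GetCACaps body.
	caps := ParseCACaps("POSTPKIOperation\r\nSHA-256\r\nAES\r\nRenewal\r\n")
	if len(os.Args) > 1 { // pass the SCEP URL from the console to query a live endpoint
		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
		defer cancel()
		var err error
		if caps, err = FetchCACaps(ctx, os.Args[1]); err != nil {
			fmt.Println("check failed:", err)
			return
		}
	}
	fmt.Println("capabilities:", caps)
	for _, f := range Findings(caps) {
		fmt.Println("finding:", f)
	}
}
```

Run it with the SCEP URL as its only argument to query a live endpoint; with no argument it evaluates the constructed sample. A connection failure or non-200 response from the device segment means enrollment will not finish even though the console accepted the CA definition, and a capability list without SCEPStandard (or at least AES, SHA-256 and POSTPKIOperation) means the exchange will negotiate down to the protocol's legacy algorithms.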

Procedure

  1. Configure the SCEP CA in the Workspace ONE UEM console.
    1. Navigate to Devices > Certificates > Certificate Authorities, and select Add.
    2. Select Generic SCEP from the Authority Type drop-down.
    3. Enter the information pertaining to your SCEP Endpoint.
      • Name – The friendly name of your certificate authority in Workspace ONE UEM.
      • Description – An optional field for details about this CA and its uses.
      • Authority Type – The type of certificate authority being defined in Workspace ONE UEM.
      • SCEP Provider – The type of SCEP provider Workspace ONE UEM integrates with. Basic is currently the only supported option, and the field cannot be changed.
      • SCEP URL – The URL the device uses during certificate enrollment.
      • Challenge Type – Lets the admin choose between a static challenge and no challenge.
      • Static Challenge – If Static Challenge is selected, the challenge password the device must present for the CA to sign its CSR.
    4. Select Save.
  2. Configure the request template in Workspace ONE UEM console.
    1. Navigate to Devices > Certificates > Certificate Authorities. Select the Request Templates tab. Select Add.
    2. Enter the following information pertaining to your request template.
      • Name – The friendly name of the request template defined in Workspace ONE UEM.
      • Description – An optional field for details about the request template and its uses.
      • Certificate Authority – The certificate authority you defined previously.
      • Subject Name – The subject given to the device when it generates its key pair. Use the lookup value button to the left of the field for dynamic values.
      • Private Key Length – The length of the key pair to be generated.
      • Private Key Type – Tells the device what the private key is to be used for.
    3. For SAN Type, select Add to include one or more Subject Alternate Names with the template.
      This is used for additional unique certificate identification. In most cases, this needs to match the certificate template on the server. Use the drop-down menu to select the SAN Type and enter the subject alternate name in the corresponding data entry field. Each field supports lookup values. Email Address, User Principal Name, and DNS Name are supported by SCEP templates by default, and Workspace ONE UEM recommends that you use them.
    4. Select Save.
  3. Create a SCEP profile in the Workspace ONE UEM console.
    Define a certificate authority, then configure a Credentials payload alongside your EAS, Wi-Fi or VPN payload. Each of these payloads has settings for associating the certificate authority defined in the Credentials payload.
    1. Navigate to Devices > Profiles > List View > Add and select iOS from the platform list.
    2. Configure General profile settings as appropriate.
    3. Select either an EAS, Wi-Fi or VPN payload to configure. Fill out the necessary information, depending on the payload you selected.
    4. Select the SCEP payload and select your SCEP Certificate Authority and Certificate Template from the drop-down lists. Navigate back to the previous payload for EAS, Wi-Fi or VPN.
    5. Specify the Identity Certificate in the payload.
      • EAS – Select the Payload Certificate under Login Information.
      • Wi-Fi – Select a compatible Security Type (WEP Enterprise, WPA/WPA2 Enterprise or Any (Enterprise)) and select the Identity Certificate under Authentication.
      • VPN – Select a compatible Connection Type (for example, CISCO AnyConnect, F5 SSL) and select Certificate from the User Authentication drop-down. Select the Identity Certificate.
    6. Select Save and Publish when you are done configuring any remaining settings.
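The device-side work the published profile triggers (generating the key pair, building a CSR that carries the template's Subject Name and Subject Alternate Names, and keeping the private key local) can be rehearsed outside a device to confirm the request template lines up with what the CA expects. The Go program below is an added example, not code from this documentation or from Workspace ONE UEM: the Template type and the values jdoe, jdoe@example.com and ipad-jdoe.example.com are constructed, and it assumes the User Principal Name SAN is encoded as the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), the form a Windows-based PKI expects. ParseSANs plays the CA side: it verifies the CSR's self-signature (proof that the requester holds the private key) and lists the SANs, including the UPN entries that Go's crypto/x509 parser ignores.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Template mirrors the request template fields that shape the CSR (constructed for this example).
type Template struct {
	SubjectCN        string   // Subject Name CN, after lookup values resolve
	PrivateKeyLength int      // Private Key Length, in bits
	EmailAddresses   []string // SAN Type: Email Address
	DNSNames         []string // SAN Type: DNS Name
	UPNs             []string // SAN Type: User Principal Name
}
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // Microsoft UPN otherName type
// otherName is the OtherName structure carried in a GeneralName as [0] IMPLICIT.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"utf8,explicit,tag:0"`
}

// BuildCSR does the device's part of SCEP: generate the key pair and sign a CSR with it.
// It returns the DER CSR and the private key, which never leaves this process. The SAN
// extension is built by hand because crypto/x509 has no field for UPN otherNames.
func BuildCSR(t Template) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, t.PrivateKeyLength)
	if err != nil {
		return nil, nil, err
	}
	var names []asn1.RawValue
	for _, e := range t.EmailAddresses { // [1] rfc822Name
		names = append(names, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 1, Bytes: []byte(e)})
	}
	for _, d := range t.DNSNames { // [2] dNSName
		names = append(names, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte(d)})
	}
	for _, u := range t.UPNs { // [0] otherName: SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
		b, err := asn1.MarshalWithParams(otherName{TypeID: oidUPN, Value: u}, "tag:0")
		if err != nil {
			return nil, nil, err
		}
		names = append(names, asn1.RawValue{FullBytes: b})
	}
	san, err := asn1.Marshal(names)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: t.SubjectCN},
		SignatureAlgorithm: x509.SHA256WithRSA,
		// A caller-supplied SAN extension makes CreateCertificateRequest skip its own.
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: san}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// ParseSANs is the CA-side view: parse the DER CSR, verify the self-signature (proof of
// possession of the key) and list every SAN, including the UPN otherNames crypto/x509 drops.
func ParseSANs(der []byte) (cn string, sans []string, err error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", nil, err
	}
	if err = csr.CheckSignature(); err != nil {
		return "", nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	for _, e := range csr.EmailAddresses {
		sans = append(sans, "email:"+e)
	}
	for _, d := range csr.DNSNames {
		sans = append(sans, "dns:"+d)
	}
	for _, ext := range csr.Extensions {
		var names []asn1.RawValue
		if ext.Id.Equal(oidSubjectAltName) {
			_, err = asn1.Unmarshal(ext.Value, &names)
		}
		for _, n := range names { // only [0] otherName is left; other tags were handled above
			var on otherName
			if n.Class == asn1.ClassContextSpecific && n.Tag == 0 {
				if _, e := asn1.UnmarshalWithParams(n.FullBytes, &on, "tag:0"); e == nil && on.TypeID.Equal(oidUPN) {
					sans = append(sans, "upn:"+on.Value)
				}
			}
		}
	}
	return csr.Subject.CommonName, sans, err
}

func main() {
	der, _, err := BuildCSR(Template{SubjectCN: "jdoe", PrivateKeyLength: 2048, UPNs: []string{"jdoe@example.com"},
		EmailAddresses: []string{"jdoe@example.com"}, DNSNames: []string{"ipad-jdoe.example.com"}}) // constructed values
	cn, sans, perr := ParseSANs(der)
	fmt.Println("CN:", cn, "SANs:", sans, "errors:", err, perr)
}
```

The DER that BuildCSR returns is what the device wraps in the SCEP PKCS#7 envelope; comparing ParseSANs's output with the CA-side certificate template before enrolling real devices catches a missing or mis-typed SAN, which otherwise surfaces only as a rejected CSR on the device.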