Workspace ONE UEM supports SCEP (Simple Certificate Enrollment Protocol) for iOS and macOS devices. In this integration, the device generates a key pair and submits a certificate signing request (CSR) to the SCEP endpoint, which returns a signed certificate to the device.
If you want to use certificates as part of your mobile deployment, SCEP allows you to securely deploy certificate enrollment requests to iOS devices, even when Workspace ONE UEM does not natively support your PKI of choice.
Workspace ONE UEM provisions the device with the parameters to generate the key pair and submit the CSR to the SCEP endpoint. The SCEP endpoint returns a signed certificate to the mobile device. The device manages the certificate and its private key. The benefit of SCEP is that the private key never leaves the mobile device.
Note: Renewal and revocation are not supported.

| Setting | Description |
|---|---|
| Name | The friendly name of your certificate authority in Workspace ONE UEM. |
| Description | An optional field that you can use to give details about this defined CA and its uses. |
| Authority Type | The type of certificate authority being defined in Workspace ONE UEM. |
| SCEP Provider | The type of SCEP provider Workspace ONE UEM is integrating with. Basic is the only option supported currently. (This field cannot be changed.) |
| SCEP URL | The URL the device uses during certificate enrollment. |
| Challenge Type | Allows the admin to choose between static challenge and no challenge. |
| Static Challenge | If static challenge is selected, this is the necessary challenge the device must have in order to get its CSR signed by the CA. |

Configure the request template in the Workspace ONE UEM console.

| Setting | Description |
|---|---|
| Name | The friendly name given to the request template defined in Workspace ONE UEM. |
| Description | An optional field you can use to describe the details, usages, etc. of the request template. |
| Certificate Authority | The certificate authority you defined previously. |
| Subject Name | The subject given to the device when it generates its key pair. Use the lookup value button to the left of the field for dynamic values. |
| Private Key Length | The length of the key pair to be generated. |
| Private Key Type | This tells the device what the private key is to be used for. |

Create a SCEP profile in the Workspace ONE UEM console.
Define a certificate authority, then configure a Credentials payload alongside your EAS, Wi-Fi or VPN payload. Each of these payloads has settings for associating the certificate authority defined in the Credentials payload.
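
The following check is an added example, not part of the Workspace ONE UEM documentation or product: it audits an exported configuration profile for the SCEP settings described above (SCEP URL, Challenge Type, Private Key Length). It assumes the device receives Apple's `com.apple.security.scep` payload with the keys `URL`, `Challenge`, `Keysize` and `CAFingerprint`, that "no challenge" appears as a missing `Challenge` key, and that 2048 bits is your policy floor; the profile and its values are constructed.

```python
import plistlib

# Constructed sample profile (placeholder values, not exported from a console).
# Assumption: the device receives Apple's SCEP payload, com.apple.security.scep.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.scep</string>
    <key>PayloadContent</key><dict>
      <key>URL</key><string>http://scep.example.test/scep</string>
      <key>Subject</key><array><array><array>
        <string>CN</string><string>device-0001</string>
      </array></array></array>
      <key>Keysize</key><integer>1024</integer>
      <key>Key Type</key><string>RSA</string>
      <key>Key Usage</key><integer>5</integer>
    </dict>
  </dict></array>
</dict></plist>"""

MIN_KEYSIZE = 2048  # assumed policy floor for "Private Key Length"


def audit_scep_payloads(profile_bytes, min_keysize=MIN_KEYSIZE):
    """Return (code, message) findings for every SCEP payload in a profile."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue
        scep = payload.get("PayloadContent", {})
        # Assumed: "Challenge Type: no challenge" appears as a missing Challenge.
        if not scep.get("Challenge"):
            findings.append(("no-challenge", "CSR carries no challenge password"))
        keysize = scep.get("Keysize", 0)
        if keysize < min_keysize:
            findings.append(("short-key", f"Keysize {keysize} < {min_keysize}"))
        # Over plain HTTP the device needs CAFingerprint to authenticate the CA.
        url = scep.get("URL", "")
        if url.lower().startswith("http://") and not scep.get("CAFingerprint"):
            findings.append(("http-no-ca-fingerprint", f"{url} without CAFingerprint"))
    return findings


if __name__ == "__main__":
    for code, message in audit_scep_payloads(SAMPLE_PROFILE):
        print(f"{code}: {message}")
```

A static challenge is a single shared value for every device that receives the profile, so treat an exported profile containing `Challenge` as a secret-bearing file.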