SCEP MDM payload settings for Apple devices
You can configure SCEP settings to obtain certificates from a certificate authority (CA) for Apple devices enrolled in a mobile device management (MDM) solution. Use the SCEP payload to specify the settings that allow the device to obtain certificates from the CA using the Simple Certificate Enrollment Protocol (SCEP).
OS and channel
Supported enrollment types
Shared iPad device
The address of the SCEP server.
Any string understood by the certificate authority. It can be used to distinguish between instances, for example.
An X.500 name represented as an array of OID and value pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which translates to: [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ [ "1.2.5.3", "bar" ] ] ]
Subject Alternative Name Type
Specify the type of an alternative name for the SCEP server. Types are RFC 822 Name, DNS Name, and Uniform Resource Identifier (URI). The URI can be a Uniform Resource Locator (URL), a Uniform Resource Name (URN), or both.
Subject Alternative Name Value
The value of the subject alternative name.
NT Principal Name
The principal name to be used in the certificate request. (optional)
The number of times to poll the SCEP server for a signed certificate before giving up.
The number of seconds to wait between poll attempts.
The pre-shared secret the SCEP server uses to identify the request or user.
Certificate expiration notification threshold
The number of days, in advance, before the certificate starts showing an expiration notification.
Select a key size in bits: 1024, 2048, or 4096. Then, using the checkboxes below this field, select the acceptable uses of the key.
Select to use the key for any of the following:
If your CA uses HTTP, use this field to provide the fingerprint of the CA’s certificate, which the device uses to confirm the authenticity of the CA’s response during enrollment. You can enter a SHA1 or an MD5 fingerprint, or select a certificate to import its signature.
Allow export from the Keychain
Allow the private key to be exported from the Keychain.
Allow access to all apps
Allow all apps to access the certificate in keychain.
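As an added example (not Apple's or any MDM vendor's code), the Python below converts a slash-delimited subject into the nested array form described above and checks a SCEP payload dictionary for the riskier choices among these settings. The key names URL, Subject, Keysize, CAFingerprint, KeyIsExtractable and AllowAllAppsAccess are assumed from Apple's SCEP payload schema and do not appear on this page; the sample payloads are constructed.

```python
import re

def subject_to_array(name):
    """Turn '/C=US/O=Apple Inc./CN=foo' into the payload's nested array form.

    Each component becomes a list holding one [short-name-or-OID, value] pair.
    Simplification: values containing an escaped '/' are not handled.
    """
    rdns = []
    for part in filter(None, name.split("/")):
        key, sep, value = part.partition("=")
        if not (sep and key and value):
            raise ValueError(f"malformed component: {part!r}")
        if not re.fullmatch(r"[A-Za-z]+|\d+(\.\d+)+", key):
            raise ValueError(f"not a short name or dotted OID: {key!r}")
        rdns.append([[key, value]])
    return rdns

def audit_scep(content):
    """Return review findings for one SCEP PayloadContent dictionary."""
    findings = []
    size = content.get("Keysize")
    if size is None or size < 2048:
        findings.append("Keysize missing or below 2048 bits")
    url = content.get("URL", "")
    if url.lower().startswith("http://") and not content.get("CAFingerprint"):
        findings.append("HTTP SCEP URL without a CA fingerprint")
    # Unset is reported too, so the profile states the choice explicitly.
    if content.get("KeyIsExtractable") is not False:
        findings.append("private key export not explicitly disabled")
    if content.get("AllowAllAppsAccess"):
        findings.append("certificate readable by all apps")
    return findings

# Constructed sample payloads (hosts and names are placeholders).
WEAK = {
    "URL": "http://scep.example.com/scep",
    "Subject": subject_to_array("/C=US/O=Apple Inc./CN=foo/2.5.4.11=IT"),
    "Keysize": 1024,
    "KeyIsExtractable": True,
    "AllowAllAppsAccess": True,
}
HARDENED = dict(WEAK, URL="https://scep.example.com/scep", Keysize=2048,
                KeyIsExtractable=False, AllowAllAppsAccess=False)

if __name__ == "__main__":
    print(WEAK["Subject"])
    for payload in (WEAK, HARDENED):
        print(audit_scep(payload) or "no findings")
```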
With macOS, you can use the following variables in the SCEP Subject, Subject Alternative Name, and NT Principal Name fields. These variables are resolved on the device during installation, letting you dynamically customize the certificate enrollment request. You can combine these variables with static text, such as Mac.%ComputerName%, to create a compound subject.
Consult your MDM vendor’s documentation to learn which variables they support.
Active Directory computer ID
Active Directory domain
Active Directory forest name
Active Directory GUID
Active Directory DNS Name
Active Directory Kerberos ID
The computer’s name, as set in System Preferences > Sharing
The computer’s unique identifier
The computer’s DNS name, such as mac1.example.com
The computer’s local network name, such as Mac1.local
The computer’s Ethernet (en0) MAC address
The computer’s serial number