Apple Platform Deployment
- Welcome
- Intro to Apple platform deployment
- What’s new
-
-
- Declarative status reports
- Declarative app configuration
- Authentication credentials and identity asset declaration
- Background task management declarative
- Calendar declarative configuration
- Certificates declarative configuration
- Contacts declarative configuration
- Exchange declarative configuration
- Google Accounts declarative configuration
- LDAP declarative configuration
- Legacy interactive profile declarative configuration
- Legacy profile declarative configuration
- Mail declarative configuration
- Math and Calculator app declarative configuration
- Passcode declarative configuration
- Passkey Attestation declarative configuration
- Safari browsing management declarative configuration
- Safari extensions management declarative configuration
- Screen Sharing declarative configuration
- Service configuration files declarative configuration
- Software Update declarative configuration
- Software Update settings declarative configuration
- Storage management declarative configuration
- Subscribed Calendars declarative configuration
-
-
- Accessibility payload settings
- Active Directory Certificate payload settings
- AirPlay payload settings
- AirPlay Security payload settings
- AirPrint payload settings
- App Lock payload settings
- Associated Domains payload settings
- Automated Certificate Management Environment (ACME) payload settings
- Autonomous Single App Mode payload settings
- Calendar payload settings
- Cellular payload settings
- Cellular Private Network payload settings
- Certificate Preference payload settings
- Certificate Revocation payload settings
- Certificate Transparency payload settings
- Certificates payload settings
- Conference Room Display payload settings
- Contacts payload settings
- Content Caching payload settings
- Directory Service payload settings
- DNS Proxy payload settings
- DNS Settings payload settings
- Dock payload settings
- Domains payload settings
- Energy Saver payload settings
- Exchange ActiveSync (EAS) payload settings
- Exchange Web Services (EWS) payload settings
- Extensible Single Sign-on payload settings
- Extensible Single Sign-on Kerberos payload settings
- Extensions payload settings
- FileVault payload settings
- Finder payload settings
- Firewall payload settings
- Fonts payload settings
- Global HTTP Proxy payload settings
- Google Accounts payload settings
- Home Screen Layout payload settings
- Identification payload settings
- Identity Preference payload settings
- Kernel Extension Policy payload settings
- LDAP payload settings
- Lights Out Management payload settings
- Lock Screen Message payload settings
- Login Window payload settings
- Managed Login Items payload settings
- Mail payload settings
- Network Usage Rules payload settings
- Notifications payload settings
- Parental Controls payload settings
- Passcode payload settings
- Printing payload settings
- Privacy Preferences Policy Control payload settings
- Relay payload settings
- SCEP payload settings
- Security payload settings
- Setup Assistant payload settings
- Single Sign-on payload settings
- Smart Card payload settings
- Subscribed Calendars payload settings
- System Extensions payload settings
- System Migration payload settings
- Time Machine payload settings
- TV Remote payload settings
- Web Clips payload settings
- Web Content Filter payload settings
- Xsan payload settings
-
- Glossary
- Document revision history
- Copyright and trademarks

SCEP device management payload settings for Apple devices
You can configure SCEP settings to obtain certificates from a certificate authority (CA) for Apple devices that enroll in a device management service. Use the SCEP payload to specify settings that allow the device to obtain certificates from a certificate authority (CA) using the Simple Certificate Enrollment Protocol (SCEP).
The SCEP payload supports the following. For more information, see Payload information. To see a list of SCEP variables, see Variables settings for device management payloads for Apple devices.
Supported payload identifier: com.apple.security.scep
Supported operating systems and channels: iOS, iPadOS, Shared iPad device, macOS device, macOS user, tvOS, watchOS 10, visionOS 1.1.
Supported enrollment methods: User Enrollment, Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—more than one SCEP payload can be delivered to a user or device.
You can use the settings in the table below with the SCEP payload.
Setting | Description | Required | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
URL | The address of the SCEP server. | Yes | |||||||||
Name | Any string understood by the certificate authority. It can be used to distinguish between instances. | No | |||||||||
Subject | The representation of an X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which translates to: [ [ [“C”, “US”] ], [ [“O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ] | No | |||||||||
Subject Alternative Name Type | Specify the type of an alternative name for the SCEP server. Types are RFC 822 Name, DNS Name, and Uniform Resource Identifier (URI). This can be the Uniform Resource Locator (URL), Uniform Resource Name (URN), or both. | No | |||||||||
Subject Alternative Name Value | The value of the subject alternative name. | No | |||||||||
NT Principal Name | The principal name to be used in the certificate request. (optional) | No | |||||||||
Retries | The number of times to poll the SCEP server for a signed certificate before giving up. | No | |||||||||
Retry Delay | The number of seconds to wait between poll attempts. | No | |||||||||
Challenge | The preshared secret the SCEP server uses to identify the request or user. | No | |||||||||
Certificate expiration notification threshold (macOS) | The number of days, in advance, before the certificate starts showing an expiration notification. | No | |||||||||
Key size | Select a key size (in bits), and—using the checkboxes below this field—select the acceptable uses of the key. The options are1024, 2048, and 4096. | No | |||||||||
Key usage | Select to use the key for any of the following:
| No | |||||||||
Fingerprint | If your CA uses HTTP, use this field to provide the fingerprint of the CA’s certificate, which the device uses to confirm the authenticity of the CA’s response during enrollment. You can enter a SHA1 or an MD5 fingerprint, or select a certificate to import its signature. | No | |||||||||
Allow export from the Keychain (macOS) | Allow the private key to be exported from the Keychain. | No | |||||||||
Allow access to all apps (macOS) | Allow all apps to access the certificate in keychain. Note: This key needs to be used in macOS to allow a third-party VPN agent to use a certificate for authentication. The certificate payload needs to be in the same profile as the ACME or SCEP payload. | No |
Note: Each device management service developer implements these settings differently. To learn how SCEP settings are applied to your devices and users, consult your developer’s device management service documentation.