Overview
The SCEP protocol enables devices to autonomously request, renew, and revoke digital certificates from a Certificate Authority (CA).
SCEP is commonly used in security applications such as setting up virtual private networks or securing communication between devices on a network. SCEP certificates can be managed in Addigy via an MDM profile.
Creating SCEP configuration
The SCEP configuration profile is required for issuing certificates to different devices.
Navigate to Addigy Catalog > MDM Profile
Click Create New profile and select SCEP
Configuring the SCEP profile for your CA
URL: required. This is the SCEP server URL used to fetch the server challenge and issue certificates to devices.
Challenge Type:
- NDES Dynamic: when this option is selected, the Service Account User and Service Account Password are required so that the SCEP server challenge can be fetched automatically and set in the profile before it is deployed to a device.
  Service Account User: the username used to authenticate when requesting a certificate from the server.
  Service Account Password: the password used to authenticate when requesting a certificate from the server.
  Challenge URL: the URL of the trust point defined for your CA.
- Static: when this option is selected, the challenge value must be provided.
  Challenge: the value required by the SCEP server in order to issue certificates.
Proxy SCEP Request:
- When false or not included, the device tries to contact the CA directly. Some setups do not allow this: the device must be able to reach the CA server to authenticate and retrieve the certificate. If you are using a dynamic NDES challenge, the challenge URL must be reachable by both the device and Addigy.
- When true, the SCEP URL is rewritten when the profile is deployed so that the connection goes through Addigy's MDM server and is proxied to the original URL. The CA server must be reachable by Addigy for this request. Please refer to the Complete Port Usage for Addigy knowledge base article for more information.
- If you wish to safelist the specific IP the proxied requests originate from on the Addigy cloud platform, use this IP: 32.193.33.65
Auto Renewal: this field is used to redeploy the SCEP profile onto devices so that a new certificate is requested before the current one expires. When this value is set, Addigy prepends a CN value to the subject that lets it identify which profile to redeploy and when. Example: if the value is 30, then whenever Addigy identifies that the certificate has 30 or fewer days until expiration, it attempts to redeploy the SCEP profile so that the device gets a new certificate.
Allow All Apps Access: use this option if the certificate is used to authenticate with an application on the device.
All other fields in this payload vary with your organization's configuration, but most of the time the following fields need to be set:
Subject: used to identify the certificate
DNS Name
NT Principal Name
RFC 822 Name
To use information from the device record itself, such as the UDID or serial number, Device Facts can be used as MDM Profile variables. For more information on how to do this, please refer to this Knowledge Base article.
After creating this profile, deploy it via a policy along with any required certificate profile created in the previous step so that the device automatically trusts the SCEP certificate.
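The following is an added example, not Addigy's code, that shows what the fields above become once the profile reaches the device: it assembles a SCEP payload (key names follow Apple's com.apple.security.scep payload), wraps it in a configuration profile, and applies the Auto Renewal rule described above. The server URL, challenge, subject and SAN values are constructed placeholders; with a dynamic NDES challenge the MDM would fetch the challenge with the service account first and pass the result in as `challenge`.

```python
# Added example (not Addigy's code). Builds a SCEP MDM payload from the fields
# described in this section and applies the Auto Renewal rule. Key names follow
# Apple's com.apple.security.scep payload; all values are placeholders.
import plistlib
import uuid
from datetime import datetime, timedelta

# Subject Alternative Name keys Apple accepts inside a SCEP payload.
SAN_KEYS = ("dNSName", "ntPrincipalName", "rfc822Name", "uniformResourceIdentifier")


def build_scep_payload(url, challenge, common_name, org, san,
                       allow_all_apps=False, key_size=2048):
    """Return one com.apple.security.scep payload.

    `url` is the SCEP server URL. `challenge` is either the static challenge
    or the value fetched from NDES before deployment; the device only ever
    sees the final value. `san` maps SAN keys (see SAN_KEYS) to values; an
    unknown key raises so a typo cannot silently yield an unusable certificate.
    """
    unknown = set(san) - set(SAN_KEYS)
    if unknown:
        raise ValueError(f"unsupported SubjectAltName keys: {sorted(unknown)}")
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep.identity",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP identity",
        "PayloadContent": {
            "URL": url,
            "Name": "ExampleCA",  # placeholder: a name the SCEP server understands
            "Challenge": challenge,
            # Subject is an array of RDNs, each an array of [type, value] pairs.
            "Subject": [[["CN", common_name]], [["O", org]]],
            "SubjectAltName": dict(san),
            "Key Type": "RSA",
            "Keysize": key_size,
            "Key Usage": 5,             # 1 = signing, 4 = encryption, 5 = both
            "KeyIsExtractable": False,  # private key stays in the device keychain
            "AllowAllAppsAccess": allow_all_apps,
            "Retries": 3,
            "RetryDelay": 10,
        },
    }


def build_profile(payloads, display_name="SCEP identity profile"):
    """Wrap payloads in a top-level profile and serialise it as .mobileconfig XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.scep",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def needs_redeploy(not_after, now, renewal_days):
    """Auto Renewal rule: True when `renewal_days` or fewer days remain before
    `not_after`. Arguments may be datetimes or ISO 8601 strings."""
    if isinstance(not_after, str):
        not_after = datetime.fromisoformat(not_after)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return not_after - now <= timedelta(days=renewal_days)


if __name__ == "__main__":
    scep = build_scep_payload(
        url="https://scep.example.com/certsrv/mscep/mscep.dll",  # placeholder NDES URL
        challenge="CHALLENGE-PLACEHOLDER",
        common_name="SERIAL-PLACEHOLDER",
        org="Example Corp",
        san={"dNSName": "device.example.com", "ntPrincipalName": "user@example.com"},
        allow_all_apps=True,
    )
    print(build_profile([scep]).decode())
    # 29 days left with Auto Renewal set to 30: the profile would be redeployed.
    print("redeploy:", needs_redeploy("2025-03-30T00:00:00+00:00",
                                      "2025-03-01T00:00:00+00:00", 30))
```

`needs_redeploy` accepts ISO 8601 strings because certificate inventories usually report `notAfter` that way; the comparison is inclusive, matching "30 or fewer days" in the text.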
Using a SCEP certificate to authenticate with a Wireless Network
Overview
SCEP certificates are often bundled with a wireless payload so that the certificate can be used to authenticate to the enterprise wireless network. To configure the wireless payload, the SCEP MDM profile must already exist within Addigy.
Creating the Wireless Payload:
Navigate to Addigy Catalog → MDM Profile
Click Create New profile and select Networking (Wi-Fi)
Configuring the Wireless payload
- Security Type: selects how to authenticate when connecting to the provided SSID network; choose the enterprise option that matches your existing setup.
- Authentication Protocols: select the relevant protocol for your network.
- Identity Certificate: when this is selected, the dropdown lists all SCEP payloads in your organization. Select the SCEP profile of your choosing; it is deployed to the device together with the Wi-Fi profile, so it does not need to be added separately. The certificate issued by this configuration is used for authentication when connecting.
- Certificate Anchor UUID: here you can add additional certificates used for authentication (the anchor certificates the device trusts for the connection). These profiles are likewise deployed within the Wi-Fi profile.
Once the profile is created, it can be added to a policy and deployed to devices. This single configuration makes the device fetch the identity certificate from the SCEP server and automatically use that certificate to authenticate when connecting to the SSID network, with the anchor certificates used to trust the connection without asking the user to trust them.
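As an added example (not Addigy's code), the block below builds the Wi-Fi payload this section describes, points its Identity Certificate at a SCEP payload and its Certificate Anchor UUIDs at a root-certificate payload, and then checks that every UUID reference resolves to a suitable payload in the same profile. That check matters because a Wi-Fi payload whose identity or anchor UUID points at nothing is the usual reason a bundled profile fails to install. Key names follow Apple's com.apple.wifi.managed payload; the SSID, RADIUS server name and the SCEP/root payload contents are constructed placeholders.

```python
# Added example (not Addigy's code). Builds an enterprise Wi-Fi payload that
# references a SCEP identity and anchor certificates, then validates the
# references. Key names follow Apple's com.apple.wifi.managed payload;
# SSID, server names and payload contents are placeholders.
import plistlib
import uuid

IDENTITY_TYPES = {"com.apple.security.scep", "com.apple.security.pkcs12"}
ANCHOR_TYPES = {"com.apple.security.root", "com.apple.security.pem",
                "com.apple.security.pkcs1"}
EAP_TLS = 13  # EAP method number for certificate-based EAP-TLS


def build_wifi_payload(ssid, identity_uuid, anchor_uuids,
                       trusted_server_names=(), eap_types=(EAP_TLS,)):
    """Return a com.apple.wifi.managed payload for an 802.1X (enterprise) SSID."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corp",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",  # enterprise = WPA2 plus EAPClientConfiguration
        "PayloadCertificateUUID": identity_uuid,  # Identity Certificate (SCEP payload)
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            "PayloadCertificateAnchorUUID": list(anchor_uuids),  # Certificate Anchor UUIDs
            "TLSTrustedServerNames": list(trusted_server_names),
            "TLSAllowTrusted": False,  # anchors decide; the user is never asked to trust
        },
    }


def wrap_profile(payloads):
    """Wrap payloads in a top-level profile dict (plistlib.dumps makes a .mobileconfig)."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.wifi",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Wi-Fi",
        "PayloadContent": list(payloads),
    }


def unresolved_references(profile):
    """Return [(key, uuid, reason)] for each certificate reference in the
    profile's Wi-Fi payloads that does not point at a suitable payload in the
    same profile. An empty list means the bundle is internally consistent."""
    type_by_uuid = {p["PayloadUUID"]: p["PayloadType"] for p in profile["PayloadContent"]}
    problems = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        ident = p.get("PayloadCertificateUUID")
        if ident is not None and type_by_uuid.get(ident) not in IDENTITY_TYPES:
            problems.append(("PayloadCertificateUUID", ident,
                             "no identity (SCEP or PKCS#12) payload with this UUID"))
        eap = p.get("EAPClientConfiguration", {})
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            if type_by_uuid.get(anchor) not in ANCHOR_TYPES:
                problems.append(("PayloadCertificateAnchorUUID", anchor,
                                 "no certificate payload with this UUID"))
    return problems


def placeholder_payload(payload_type, payload_uuid):
    """Minimal stand-in for a SCEP or root-certificate payload (placeholder, no content)."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.{payload_type}", "PayloadUUID": payload_uuid}


def check_bundle(anchor_present=True):
    """Assemble the SCEP + anchor + Wi-Fi bundle and return its unresolved references."""
    scep_uuid = str(uuid.uuid4()).upper()
    root_uuid = str(uuid.uuid4()).upper()
    payloads = [placeholder_payload("com.apple.security.scep", scep_uuid)]
    if anchor_present:
        payloads.append(placeholder_payload("com.apple.security.root", root_uuid))
    payloads.append(build_wifi_payload("CorpNet", scep_uuid, [root_uuid],
                                       ["radius.example.com"]))
    return unresolved_references(wrap_profile(payloads))


if __name__ == "__main__":
    print("complete bundle:", check_bundle(True))
    print("anchor missing: ", check_bundle(False))
    print(plistlib.dumps(wrap_profile([build_wifi_payload("CorpNet", "ID", ["ANCHOR"])])).decode())
```

`TLSTrustedServerNames` is optional but worth setting: it pins the RADIUS server name the device will accept in addition to requiring a chain to one of the anchors.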