Requirements:

  • NDES Server URL and Challenge

  • Creating a SCEP Profile

  • Addigy Custom MDM Configurations




NDES Server URL and Challenge


The first step to having your NDES push certificates to your macOS devices is to collect the credentials each device needs in order to send a CSR to your NDES and obtain its unique certificate.


The two items that will be required from your NDES are:

  • URL

  • Challenge



The URL will follow this structure; replace DOMAIN_HERE with your Windows server domain.

http://DOMAIN_HERE.com/certsrv/mscep

Note: The URL must be reachable from the macOS devices, since they contact it directly to request a certificate.


When you navigate to this URL, you will be prompted to enter credentials and will land on a page that looks like the image below, which contains the challenge. Take note of both the URL and the Challenge, as both will be used later in the setup process.





Creating the SCEP Profile


Now that we have our SCEP URL and Challenge, it's time to build the SCEP payload that will be deployed to the macOS devices from Addigy MDM.


Note: In this walkthrough we will use Apple Configurator 2 to build the profile, but you can use any profile-creation tool or write the XML by hand.



In Apple Configurator 2, create a new profile and search for SCEP on the left-hand side.


Once you choose to configure a SCEP payload, you will be presented with the following screen. This is where we drop in the URL and Challenge that we gathered from NDES. You will also need to enter other information, such as the Instance Name and the properties used to generate the Certificate Signing Request.

Addigy uses a special template syntax to pull unique information from each device. As an example, passing in {{.Fact "udid" }} will populate that field with the device's UDID upon deployment. You can use any device fact being recorded by Addigy.
To learn more: https://support.addigy.com/support/solutions/articles/8000085414-setting-up-an-mdm-payload-using-device-facts-as-variables


Once you finish populating the SCEP payload, press File > Save and give your profile a name. This creates the .mobileconfig file that we will upload and deploy via Addigy.
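To show what the saved profile actually contains, and to give you a way to check the URL and Challenge outside the UI, here is an added example (not code from Addigy, Apple or this article). It builds the same SCEP profile structure that Apple Configurator writes, using the standard com.apple.security.scep payload keys and the Addigy {{.Fact "udid" }} template from the article as the certificate's CN, then parses the resulting XML back and reports problems. The NDES hostname, organization name and payload identifier are placeholders; use your own values. Keep in mind that the Challenge is a shared secret stored in plain text inside the profile, so the .mobileconfig itself should be handled as sensitive.

```python
"""Build and sanity-check a SCEP .mobileconfig for deployment through Addigy.

Added example; not Addigy's or Apple's code. All hostnames, names and
identifiers below are placeholders.
"""
import plistlib
import re
import uuid
from urllib.parse import urlparse

# Addigy device-fact template syntax from the article, e.g. {{.Fact "udid" }}.
FACT_TEMPLATE = re.compile(r'\{\{\s*\.Fact\s+"[A-Za-z0-9_]+"\s*\}\}')


def build_scep_profile(scep_url, challenge, instance_name, org_name,
                       identifier="com.example.scep"):
    """Return the profile as a plist dict, the shape Apple Configurator saves."""
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.scep",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP",
        "PayloadContent": {
            "URL": scep_url,                 # NDES SCEP endpoint
            "Challenge": challenge,          # secret from the NDES admin page
            "Name": instance_name,           # CA instance name
            # Subject is a list of RDNs; each RDN is a list of [type, value] pairs.
            # The CN uses the Addigy fact template, filled in per device at deploy time.
            "Subject": [[["CN", '{{.Fact "udid" }}']], [["O", org_name]]],
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,                  # 1 = signing, 4 = encryption, 5 = both
            "Retries": 3,
            "RetryDelay": 10,
            "KeyIsExtractable": False,       # keep the private key in the keychain
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "NDES SCEP certificate",
        "PayloadContent": [scep_payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile dict to the XML plist that a .mobileconfig file holds."""
    return plistlib.dumps(profile)


def check_scep_xml(xml_bytes):
    """Parse raw profile XML (what 'Show raw XML' displays) and return a list of problems."""
    profile = plistlib.loads(xml_bytes)
    scep = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.scep"]
    if len(scep) != 1:
        return ["expected exactly one com.apple.security.scep payload"]
    content = scep[0]["PayloadContent"]
    problems = []
    url = urlparse(content.get("URL", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("URL is not an absolute http(s) URL")
    if "/certsrv/mscep" not in url.path:
        problems.append("URL does not point at /certsrv/mscep")
    if not content.get("Challenge"):
        problems.append("Challenge is empty")
    # Every {{ ... }} in the subject must be a well-formed Addigy fact reference,
    # otherwise the CSR would carry the literal template text as its subject.
    for rdn in content.get("Subject", []):
        for _, value in rdn:
            for template in re.findall(r"\{\{.*?\}\}", value):
                if not FACT_TEMPLATE.fullmatch(template):
                    problems.append(f"malformed fact template: {template}")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own NDES URL and Challenge.
    profile = build_scep_profile("http://ndes.example.com/certsrv/mscep",
                                 "PLACEHOLDER_CHALLENGE", "NDES", "Example Org")
    xml = to_mobileconfig(profile)
    print(xml.decode())
    print("problems:", check_scep_xml(xml) or "none")
```

Run it to print the profile XML and compare it with what Addigy shows under "Show raw XML"; the checker flags a missing scheme or host in the URL, an empty Challenge, and template expressions that do not match the {{.Fact "name" }} form.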




Deploying Profile via Addigy Custom MDM Configuration


Now that we have our SCEP profile ready and pointing to our NDES, it's time to deploy that to devices.


Once you are on the Addigy platform, navigate to Policies > Catalog > MDM Configurations.



Create a new configuration, select macOS, and then select Custom configuration.


From here, click "Select .mobileconfig file" and choose the .mobileconfig profile that we created in Apple Configurator in the previous step.




You should then see the profile populate in the Addigy UI. You can inspect the contents of the profile and validate the URL and Challenge by selecting the "Show raw XML" option.


Now that our profile is uploaded to Addigy, it is ready to deploy. Navigate to a policy that contains your test devices, select MDM Configurations, find the profile we just uploaded, and add it to the policy.


Then click the deploy changes policy item, confirm the changes, and deploy.



For a detailed walkthrough on uploading Custom MDM Profiles, see:
https://support.addigy.com/support/solutions/articles/8000071698-configuring-and-deploying-any-mdm-profile



Within a few minutes, the profile will be deployed to the devices in that policy, and the certificates will be created and viewable/revocable from NDES.


If you have an Addigy account and have additional questions, you can create a ticket by emailing support@addigy.com.

Alternatively, you can submit a support request within Addigy.