Skip to main content

Configuring SCEP Certificate Profiles in Mobile Guardian

  • Updated

Configuring SCEP Certificate Profiles in Mobile Guardian

Simple Certificate Enrollment Protocol (SCEP) allows managed devices to automatically request and install digital certificates from a Certificate Authority (CA) without user intervention. Certificates deployed via SCEP are commonly used for Wi-Fi authentication (802.1X), VPN access, and email encryption.

Mobile Guardian supports SCEP configuration across iOS/iPadOS, macOS, Android, Windows, and ChromeOS. This article covers how to configure SCEP settings within a device profile for each platform.

What You Will Learn

  • How to configure SCEP certificate settings in a Mobile Guardian profile
  • What fields are required and what values to use
  • Platform-specific considerations for each operating system
  • How to verify certificate deployment on devices

Prerequisites

Before configuring SCEP, confirm the following with your PKI (Public Key Infrastructure) or network team:

  • SCEP Server URL (e.g. http://scep.yourdomain.com/certsrv/mscep/mscep.dll)
  • Challenge Password / SCEP Secret (static or dynamic challenge, depending on your CA)
  • Subject Name (DN) format (e.g. CN=%UserName% or CN=%DeviceSerialNumber%)
  • Certificate Authority (CA) root certificate chain (the CA’s root and any intermediate certificates)
  • Key size and usage requirements as defined by your network security policy

Note: If you do not have this information, contact your network or infrastructure team before proceeding. Incorrect SCEP settings will result in certificate enrollment failures.

 

Navigating to SCEP Settings

SCEP is configured within a profile and applies to all devices assigned to that profile.

  1. Log in to your Mobile Guardian Dashboard.
  2. Navigate to Profiles: Click on “Profiles” in the left-hand navigation panel.
  3. Edit the profile: Click the pencil icon under the “Actions” column for the profile you want to configure (Baseline or Conditional).
  4. Open Networks: Click on “Networks” in the profile configuration options.
  5. Select SCEP: Click on “SCEP” and then click “Add New” to create a new SCEP certificate configuration.

 

Field Reference

When creating a new SCEP payload, complete the following fields:

Field Description Example Value
Credential Name A friendly name to identify this certificate configuration School Wi-Fi SCEP
URL The full HTTP/HTTPS URL of your SCEP server http://scep.yourdomain.com/certsrv/mscep/mscep.dll
Subject The X.500 Distinguished Name for the certificate. Supports variables for per-device values CN=%UserName% or CN=%DeviceSerialNumber%
Challenge The pre-shared secret or challenge password provided by your SCEP server Provided by your PKI team
Key Size The cryptographic key length in bits 2048 (standard) or 4096 (high security)
Key Usage The permitted uses for the certificate Digital Signature and Key Encipherment (required for Wi-Fi/VPN authentication)
Subject Alternative Name (SAN) Optional additional identity fields (e.g. email address, DNS name, URI) RFC 822 Name: %EmailAddress%
Certificate Expiry How long the certificate remains valid before renewal is required Defined by your CA policy

 

Platform-Specific Configuration

The SCEP payload is configured once in the profile and applies across platforms. However, each operating system has specific requirements and behaviours.

iOS/iPadOS

  • Minimum version: iOS 7 or later (iOS 14+ recommended)
  • Supervision required: No, but supervised devices offer additional control
  • How it works: The SCEP payload is delivered as part of the MDM profile. The device contacts the SCEP server, completes the enrollment challenge, and installs the certificate into the device keychain.
  • Certificate storage: System keychain. Available to all apps configured to use it (e.g. Wi-Fi, VPN, Mail).
  • Renewal: iOS devices can automatically renew certificates before expiry if the SCEP profile remains installed.

Note: If you are using SCEP for Wi-Fi authentication, configure the Wi-Fi profile in the same Mobile Guardian profile and reference the SCEP certificate as the identity credential.

macOS

  • Minimum version: macOS 10.10 or later
  • Supervision required: No, but ABM/ASM-enrolled devices are recommended
  • How it works: Identical to iOS. The SCEP payload is delivered via the MDM profile and the certificate is installed into the system keychain.
  • Certificate storage: System keychain. Accessible to system-level network configurations.
  • Renewal: Supported. Same behaviour as iOS.

Android

  • Minimum version: Android 7.0 or later
  • Enrolment type: Requires Android Enterprise (EMM) or AMA Zero-Touch enrolment
  • How it works: The SCEP payload is pushed via the managed device profile. The device contacts the SCEP server and installs the certificate in the work profile certificate store.
  • Certificate storage: Work profile certificate store. Only apps within the managed profile can access the certificate.
  • Renewal: Depends on the device manufacturer and Android version. Monitor certificate expiry dates and re-push if automatic renewal is not supported.

Note: On Android, the SCEP certificate is isolated within the work profile. If you need the certificate available outside the work profile (e.g. for device-level Wi-Fi), your enrolment type must support device-level certificate installation.

Windows

  • Minimum version: Windows 10/11 Pro or Education
  • How it works: SCEP certificate deployment on Windows is managed through Microsoft Intune. The SCEP profile is created in the Intune Admin Centre and assigned to the Azure AD group corresponding to your Mobile Guardian profile.
  • Certificate storage: Windows certificate store (Computer or User, depending on profile configuration)
  • Renewal: Intune handles certificate renewal automatically when the SCEP profile remains assigned.

To configure SCEP for Windows devices in Intune:

  1. Sign in to the Microsoft Intune Admin Centre.
  2. Navigate to Devices > Manage Devices > Configuration > Create > New Policy.
  3. Select Platform: Windows 10 and later.
  4. Select Profile type: Templates > SCEP certificate.
  5. Click Create and complete the fields using the values from the field reference table above.
  6. Under Assignments, add the Azure AD group that matches your Mobile Guardian profile.
  7. Click Review + Create.

Note: Windows SCEP profiles also require a Trusted Certificate profile to be deployed first, containing the CA root certificate. Create this as a separate Intune configuration profile and assign it to the same group.

ChromeOS

  • Minimum version: ChromeOS 37 or later
  • How it works: Certificate deployment for ChromeOS is managed through the Google Admin console. The SCEP or certificate settings are configured as part of the network configuration pushed to Chromebooks.
  • Certificate storage: ChromeOS system certificate store.

To configure certificates for ChromeOS devices:

  1. Sign in to the Google Admin console.
  2. Navigate to Devices > Networks > Certificates.
  3. Upload the CA root certificate.
  4. Configure the network profile (e.g. Wi-Fi) to use certificate-based authentication.
  5. Assign to the organisational unit that corresponds to your Mobile Guardian-managed Chromebooks.

Note: ChromeOS does not natively support SCEP enrollment in the same way as iOS or Android. Certificate distribution on ChromeOS is typically handled via the Google Admin console using pre-issued certificates or via a connector to your CA. Contact your PKI team to confirm the supported method for your environment.

 

Saving and Deploying

  1. Once all fields are completed, click “Save”.
  2. Navigate to the “Which Device” tab of the profile to confirm it is targeted to the correct devices.
  3. Click “Sync with Devices” to push the updated profile to assigned devices.

Devices will check in, process the SCEP payload, and request their certificate from the CA automatically.

 

Verifying Certificate Deployment

From the Mobile Guardian Dashboard

  1. Navigate to “Devices” > “All Devices”.
  2. Select a device to open the device details.
  3. Click on the “Certificates” tab to view the certificates installed on the device.
  4. Confirm the SCEP-issued certificate appears with the correct credential name and expiry date.

From the Device

Platform How to verify
iOS/iPadOS Settings > General > VPN & Device Management > Management Profile > More Details > Certificate
macOS Keychain Access > System keychain > Certificates
Android Settings > Security > Encryption & Credentials > User Credentials (within work profile)
Windows Run certmgr.msc > Personal > Certificates
ChromeOS Settings > Security and Privacy > Manage certificates

 

Troubleshooting

Issue Likely Cause Resolution
Certificate not appearing on device Incorrect SCEP URL or challenge password Verify the SCEP server URL is reachable from the device network and the challenge is correct
Enrollment fails with authentication error Challenge password expired or incorrect Request a new challenge from your SCEP server or PKI team
Certificate installs but Wi-Fi still fails Wi-Fi profile not referencing the SCEP certificate Edit the Wi-Fi profile in Mobile Guardian and set the identity certificate to the SCEP credential
Windows devices not receiving certificate Trusted Certificate profile missing Deploy the CA root certificate as a separate Trusted Certificate profile in Intune before the SCEP profile
ChromeOS devices not receiving certificate SCEP not configured in Google Admin console ChromeOS certificates are managed via the Google Admin console, not directly through Mobile Guardian
Certificate expired and not renewing Automatic renewal not supported on device OS version Re-push the SCEP profile or manually trigger a sync from the Mobile Guardian Dashboard

 

Best Practices

  • Always deploy the CA root certificate chain to devices before configuring SCEP. Without the trusted root, devices will reject the SCEP-issued certificate.
  • Use device-specific variables in the Subject field (e.g. CN=%DeviceSerialNumber%) for school-owned devices, and user-specific variables (e.g. CN=%UserName%) for 1:1 device programs.
  • Select a key size of 2048 bits unless your security policy specifically requires 4096. Larger keys increase enrollment time on lower-powered devices.
  • Monitor certificate expiry dates. Set a calendar reminder to review certificates 30 days before they expire, particularly for Android devices where automatic renewal may not be supported.
  • Test the SCEP configuration on a single device before deploying to your full fleet. Confirm the certificate installs and the target service (Wi-Fi, VPN) connects successfully.
  • For Windows and ChromeOS, coordinate with your Intune and Google Admin administrators respectively, as certificate deployment for these platforms is managed outside the Mobile Guardian Dashboard.

Please let us know if you found this helpful. 

Thanks for reading! 🙂

Related articles