Ever wonder what the Simple Certificate Enrollment Protocol (SCEP) section is when setting up a configuration profile? Are you curious if you should be setting it up? Will something amazing happen if you did? Let’s see if we can help shed some light on the subject.
First, it’s important to understand that IT environments are using certificates more and more for authentication. The proof is in all of the certificates being used for communication between an iOS device and a MDM server. Even the JAMF Software Server (JSS) has a built-in certificate server (called a certificate authority.) Some IT environments also require certificates be in place for network access. So, certificates are everywhere!
That’s great, but why certificates instead of good ol’ username and passwords? First, certificates are very mathematically complex and very difficult to figure out. Second, they’re very easy to change without bothering the end user.
But, getting a certificate used to be a real pain. You had to get a special link from your environment’s security professional, go to a web form, fill out a lot of details, and download the certificate. Once you had the certificate, you’d often need instructions on how to use it. This was a tolerable process when only a few needed to use certificates, but now more and more people need many certificates to do even basic tasks.
How SCEP helps
SCEP was designed to automate the process of getting these certificates out to people. Let’s say that your network administrator has setup the wireless so that you had to have a certificate to get onto the network. Well, if you had an SCEP server, the computer—not the end user—would contact the certificate authority and request the certificate, download the result, and put it in its proper place.
Do you need to do it?
Well, it depends on if you have the need for certificates and if you have an SCEP server on your network. If you do, you really should consider using your SCEP server. It’ll make things a LOT easier in the long run.
Steps for configuring SCEP
Now that you know why you’d want to use SCEP, let’s cover how you’d configure it in the JSS.
First, SCEP is configured in the configuration profiles section of the JSS under Computers or Mobile Devices. (Note, if you can’t press the add button, ensure your JSS is setup for MDM.) Next, add a new configuration profile.
Navigate to the SCEP server tab, and click configure. Fill out the details provided by your security professional. These details give information about the server and include things such as the server URL, the instance name (in case the same server provides more than one SCEP service), and authentication details. The authentication parameters provide a means to ensure that only valid customers and devices are given a certificate.
Once you fill out the SCEP details, you can start to use this SCEP certificate for other parts of the same configuration profile. For example, if you add the VPN and choose certificate authentication, you can drop down the SCEP certificate as an option. What does this actually mean for the end users? From a single configuration profile, they can request a certificate from the SCEP server and start using that resulting certificate as an authentication method.
Tips for SCEP use
Remember, that in order to configure a service using the resulting SCEP certificate, you have to configure that service in the same configuration profile as the SCEP service.
If you configure all this, your devices should start contacting your SCEP service automatically, downloading certificates, and then turning around and using them as a means to authenticate other services on your network.