Learn how to deploy SCEP profiles using Kandji
Kandji's SCEP Profile feature allows you to distribute and re-distribute certificates to Apple devices automatically.
Only static challenges are supported when using the SCEP Library Item.
Create a SCEP Profile
Log in to your Kandji tenant before performing the next steps.
- Click Library from the left-hand navigation bar.
- Click Add New from the upper right-hand corner.
- Select the SCEP option and then click Add & Configure.
- Give your SCEP Library Item a name.
- Select the Blueprints you want to deploy the SCEP profile to.
- Input the base URL for your SCEP server.
- Optionally, enter a display name, Challenge, and Fingerprint.
- Configure the Subject (optional) and the Subject Alternative Name Type.
- Configure the Key Size and Key Usage.
- Optionally, configure retry, access, export, expiration, and redistribution settings.
Other Considerations
Profile Redistribution
When the Automatic profile redistribution option is selected, Kandji will check the expiration date of the issued certificate and attempt to re-install the profile automatically to renew the certificate. When using this option, the $PROFILE_UUID will be appended to the Subject in the request.
Preventing Key Extraction
Enabling the "Prevent the private key data from being extracted in the keychain" option can prevent users from extracting the private key for the issued certificate.
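An added example (not Kandji's code): a Python check that reads a configuration profile and flags SCEP settings from the steps above that weaken the deployment, including an extractable private key. It assumes the Library Item's options map to the keys of Apple's com.apple.security.scep payload (URL, Challenge, CAFingerprint, Keysize, KeyIsExtractable, AllowAllAppsAccess) and that payload's defaults; the sample profiles and finding names are constructed.

```python
import plistlib

def build_profile(scep_settings):
    """Wrap SCEP settings in a minimal configuration profile (constructed sample)."""
    payload = {"PayloadType": "com.apple.security.scep", "PayloadContent": scep_settings}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

# Constructed values; key names are assumed to follow Apple's SCEP payload.
WEAK = build_profile({
    "URL": "http://scep.example.com/scep", "Challenge": "constructed-secret",
    "Keysize": 1024, "AllowAllAppsAccess": True,
})
HARDENED = build_profile({
    "URL": "https://scep.example.com/scep", "Challenge": "constructed-secret",
    "CAFingerprint": bytes.fromhex("00" * 20),  # placeholder, not a real fingerprint
    "Keysize": 2048, "KeyIsExtractable": False,
})

def audit_scep_profile(profile_bytes):
    """Return sorted finding names for every SCEP payload in a profile."""
    findings = set()
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue
        scep = payload.get("PayloadContent", {})
        plain_http = not str(scep.get("URL", "")).lower().startswith("https://")
        # Without TLS, the CA fingerprint is what lets the device verify the CA.
        if plain_http and not scep.get("CAFingerprint"):
            findings.add("http-without-ca-fingerprint")
        if scep.get("Keysize", 1024) < 2048:  # assumed payload default: 1024
            findings.add("weak-key-size")
        if scep.get("KeyIsExtractable", True):  # assumed payload default: true
            findings.add("key-extractable")
        if scep.get("AllowAllAppsAccess", False):
            findings.add("all-apps-access")
        # A static challenge is a shared secret readable by anyone holding the profile.
        if scep.get("Challenge"):
            findings.add("static-challenge-in-profile")
    return sorted(findings)

if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_scep_profile(profile))
```

Because only static challenges are supported, the static-challenge finding remains even on the hardened sample; it is a reminder to treat the profile itself as sensitive.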