Learn how to deploy SCEP profiles inside Kandji
Kandji's SCEP Profile feature allows you to automatically distribute & re-distribute certificates to macOS, iOS, iPadOS & tvOS devices.
Create a SCEP Profile
Log in to your Kandji instance before performing the next steps.
- Click Library from the left-hand navigation bar.
- Click Add New from the upper right-hand corner.
- Select the SCEP Profile option and then click Add & Configure.
- Select your desired Blueprints.
- Input your SCEP Server information.
- Click Save.
When the Automatic profile redistribution option is selected, Kandji will check the expiration date of the issued certificate, and attempt to automatically re-install the profile to renew the certificate.
When using this option the $PROFILE_UUID will automatically be appended to the Subject in the request.
Preventing Key Extraction
Using the 'Don’t allow key to be extracted' option, can prevent users from extracting the private key for the issued certificate.
This key is only respected on macOS 10.15 and later
NDES Server Considerations
SCEP will require a static challenge when using an NDES server for profile deliverance.