SCEP Profile

By Vicky Munsell

Learn how to deploy SCEP profiles inside Kandji

Kandji's SCEP Profile feature allows you to automatically distribute & re-distribute certificates to macOS, iOS, iPadOS & tvOS devices.

Create a SCEP Profile 

Log in to your Kandji instance before performing the next steps. 

  1. Click Library from the left-hand navigation bar. 
  2. Click Add New from the upper right-hand corner.


  3. Select the SCEP Profile option and then click Add & Configure.


  4. Select your desired Blueprints.
  5. Input your SCEP Server information.
  6. Click Save.


Important considerations 

Profile Redistribution 

When the Automatic profile redistribution option is selected, Kandji will check the expiration date of the issued certificate, and attempt to automatically re-install the profile to renew the certificate.

When using this option the $PROFILE_UUID will automatically be appended to the Subject in the request.

Preventing Key Extraction

Using the 'Don’t allow key to be extracted' option, can prevent users from extracting the private key for the issued certificate.

This key is only respected on macOS 10.15 and later

NDES Server Considerations

SCEP will require a static challenge when using an NDES server for profile deliverance.