Custom Wi-Fi, SCEP, and Cert Chain Profile

By Corey Willis

Use this guide to help configure a custom profile with iMazing Profile Editor and deploy the custom profile from your Kandji instance


This guide is intended as an example to get you started. The intent is that you can use the example profile as a starting point and modify the profile to meet your environments specific needs.

Modifying the custom mobileconfig profile

  1. Launch iMazing Profile Editor and open the custom_wifi_scep_certchain_example.mobileconfig download earlier 

  2. You should see 4 payloads listed in the Configured Domains section

  3. Select the Certificates payload

  4. Remove the existing example certificates by clicking the minus buttons next to each one ENWo9mSYi5qHqmq9RlGJiA_sMNJwQF2CqA

  5. Click + Add Configuration Payload to add your root certificate ZtRnoJhFk4saJ0tp9EdxLP3llcv5Et_qVg

  6. In the Finder window navigate to your root certificate and select it 

  7. Click Open DIbbfkoAEirzDrDcNlh9LkjtNsKb94n3Vg

  8. To add additional certificates, click the plus button in the top-right corner, and repeat this step for all of your intermediate certificates if applicable. In the example below, there are three certificates in this payload, a Root and two intermediate CA certificates. AtM1qzRNtq_Yum_5uwT9jPSMJHAQLZ-e8w

  9. Copy each certificate's Payload UUID and paste them to a temporary text document. These will be used later in the Wi-Fi payload.

  10. Select the SCEP payload

  11. Go down to the Payload UUID and copy it to the same temporary text document for use later in the Wi-Fi payload.


  12. Fill in the SCEP server URL (required)

  13. Enter any additional SCEP server settings information according to your requirements

    1. URL and Payload UUID are required fields.

    2. All other fields are optional based on your needs and should be left empty if not needed.

    3. Kandji Global Variables can be used if needed to dynamically fill in information such as $SERIAL_NUMBER or $EMAIL


  14. Select the Wi-Fi payload

  15. Enter your network Service Set Identifier (SSID)

  16. Select an Encryption Type

  17. Add the Accept EAP Types for your network

  18. In the Certificate Anchor UUID section paste in the Certificate UUIDs that you copied earlier

  19. In the Certificate UUID field paste in the SCEP payload UUID that you copied from earlier wxGgBGJxvALDhuCABx4O0VRhk2MbfE3w5g


  20. If there are any additional Wi-Fi settings that are required for your network be sure to configure those in the Wi-Fi as well

  21. Save the mobile config file by pressing ⌘ + S or by going to the File menu and selecting Save

    • At this point you can change the file name if you would like

Create Custom Configuration Profile in Kandji

  1. Create a Custom Configuration Profile in Kandji by going Selecting Library > Add New > Custom Profile > Add & Configure

  2. Give the custom profile the following name: Wi-Fi Settings

  3. Assign the library item to a Blueprint.

    1. It is generally good practice to assign a new library item to a testing Blueprint to ensure that everything functions as expected.

  4. Set Device Families to Mac.

  5. Upload the custom_wifi_scep_certchain_example.mobileconfig file to Kandji as a custom configuration profile. 

  6. Click Save in the bottom right.