Use Simple Certificate Enrollment Protocol (SCEP) policies to allow iOS 6+ devices to obtain certificates from SCEP servers:


SCEP policies are only supported on iOS 6+ devices.

  • 1. To view, edit, or delete SCEP policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete SCEP policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click SCEP.
  • 4. If necessary, click Add New. The following will be displayed:


How Mobile Manager Manages SCEP

The SCEP payload (policy) is not like the other Mobile Manager policies in that when you add a SCEP policy it will not actually get sent to the device on its own. Instead, the SCEP policy needs to be referenced in any of the following policies — VPN, Mail, Exchange ActiveSync, Wi-Fi, and Single Sign On.

In those policies you will see a dropdown menu listing all the available SCEP policies by name from that group and parent groups. When the SCEP policy is referenced in one of those other policies the SCEP policy will then be sent to the device.

Configurable SCEP settings:

Field Description OS Supported
Server URL Enter the base URL (DNS name) for the SCEP server (for example, iOS6+
Name Enter the name of the Certificate Authority (CA) that is proving the certificate (for example, CA-IDENT). iOS6+
Subject Enter the representation of an X.500 name (for example, O=YourOrganization,OU=YourSchool,CN=iPads). iOS6+
Subject Alternative Name Type If needed, enter a subject alternative name (SAN) to place on the CSEP server. iOS6+
Retries From the dropdown list select the number of times to poll the SCEP server, which can be 0 through 10. (The default is 3.) iOS6+
Retry Delay From the dropdown select the number of seconds to wait between poll attempts, which can be which can be 0 through 10. (The default is 10.) iOS6+
Challenge Enter a challenge password, which can be used to automatically authenticate an enrollment request. iOS6+
Key Size From the dropdown select the key size (in bits), which can be 1024 (the default) or 2048. iOS6+
Use as digital signature Use the slider to enable or disable the use of a digital signature. iOS6+
Use as key encipherment Use the slider to enable or disable the use of key encipherments. iOS6+
CA Fingerprint Enter a hex string to use as a CA fingerprint. iOS6+