This policy configures Simple Certificate Enrollment Protocol (SCEP) for your Windows devices. SCEP makes issuing digital certificates easier, more secure, and scalable.
The device must be enrolled in JumpCloud MDM. This policy works on devices running Windows 10/11.
Considerations:
- You need a Certificate Authority (CA) to issue device credentials using SCEP.
- The fields in the SCEP Profiles policy are added to the SCEP payload.
To create a Windows SCEP Profiles Policy:
- Log in to the Jumpcloud Admin Portal.
- Go to DEVICE MANAGEMENT > Policy Management.
- In the All tab, click (+).
- On the New Policy panel, select the Windows tab.
- Select the Windows SCEP Profiles policy from the list, then click configure.
- (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
- (Optional) In the Policy Notes field, enter details like when you created the policy, where you tested it, and where you deployed it.
Configure the following policy settings:
- (Mandatory) In the CA ThumbPrint field, enter a Base64 encoded string.
This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. See Determining the Sha1 and Sha256 Fingerprint (Thumbprint) to learn more.
- In the Challenge field, enter the one-time pre-shared secret.
- This policy type requires a static challenge and will not work with a dynamic challenge.
- Challenges can be used to identify the user requesting the profile.
- Challenges should be in base64 format.
- Challenges should not contain special characters like (!@#$%^&*_).
- In the Key Length field, select the size of the key: 1024, 2048, or 4096 bits. The default is 1024.
- Specify the Subject Name. This should always start with CN=.
Example– CN=”Organization Root Authority”
If the Subject Name value includes a leading or trailing white space or any of these characters (, = + ; / < > # ), ensure the Subject Name value is quoted.
Example– CN=”/C=US/O=ABCEnterprise/CN=foo/1.2.5.3=bar”
- In the Retry Count field, enter the number of times the device should retry if the server sends a Pending response. The default is 3.
- In the Retry Delay field, enter the number of seconds to wait between subsequent retries. The first retry is attempted without this delay. The default is 3.
- In the Server URL field, enter the SCEP server’s URL. For example: http://scep-server/cgi-bin/pkiclient.exe.
- In the Name(Template Name) field, enter a unique name for the payload that’s recognised by the SCEP server. For example, WiFi Certificate.
If a CA has multiple CA certificates, this field is used to distinguish which is required.
- In the Set Subject Alternative Name field, enter an alternate name for the SCEP certificate.
- Select the Include Root Certificate checkbox to upload the certificate for the Certificate Authority to add to the device’s trusted anchors list.
- The root certificate can be installed manually, using an install certificate policy, or using a SCEP policy.
- If you selected Include Root Certificate, click upload file for Root Certificate. File size must be smaller than 1 MB.
- This certificate should be in the .cer or .crt format. If the root CA is from Okta, the file must be in .cer format.
- This certificate should not include public keys.
- (Mandatory) Enter the Renew Period value in days. The number of days must be less than the root CA expiry date.
- Once you are done, click Save.