This policy configures Simple Certificate Enrollment Protocol (SCEP) for your Windows devices. SCEP makes issuing digital certificates easier, more secure, and scalable.
This is a user level policy that applies to a user's profile across managed devices. You can bind this policy to individual users or user groups. For policies that apply system-wide to a device and all of its users, see Get Started: Policies and Learn More section of this article.
Prerequisities
- The target Windows device must be enrolled in JumpCloud MDM.
- This policy works on devices running Windows 10/11.
Considerations
- You need a Certificate Authority (CA) to issue device credentials using SCEP.
- The fields in the SCEP Profile policy are added to the SCEP payload.
Creating the Policy
To create a SCEP Profile policy for Windows devices, do the following:
Selecting the Policy Template
- Log in to the JumpCloud Admin portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Go to Device Management > Policy Management. The Policy Management page is displayed.
- On the Policy Management page, click +Add New.
- Select User Policy to assign the policy to users and users groups. On the New User Policy page:
- Select the Windows tab.
- Search and select the required policy name and click Configure. The Details tab of the policy is displayed.
- On the Details tab, configure the required policy configuration settings.
- (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
- (Optional) In the Policy Notes field, enter details such as creation date of the policy, and information on testing and deployment of the policy.
Configuring the Policy
- (Mandatory) In the CA ThumbPrint field, enter a Base64 encoded string. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. See Determining the Sha1 and Sha256 Fingerprint (Thumbprint) to learn more.
- In the Challenge field, enter the one-time pre-shared secret. This password is auto-generated during the creation of a new SCEP endpoint in the SCEP Endpoints tab present under Certificate Authority. See Add a SCEP Endpoint for more information.
Note:- This policy type requires a static challenge and will not work with a dynamic challenge.
- Challenges can be used to identify the user requesting the profile.
- Challenges should be in base64 format.
- Challenges should not contain special characters like (!@#$%^&*_).
- In the Key Length field,select the size of the key: 1024, 2048, or 4096 bits. The default is 1024.
- Specify the Subject Name. This should always start with CN=.
Example- CN="Organization Root Authority"
If the Subject Name value includes a leading or trailing white space or any of these characters (, = + ; / < > # ), ensure the Subject Name value is quoted.
Example- CN="/C=US/O=ABCEnterprise/CN=foo/1.2.5.3=bar" - In the Retry Count field, enter the number of times the device should retry if the server sends a Pending response. The default is 3.
- In the Retry Delay field, enter the number of seconds to wait between subsequent retries. The first retry is attempted without this delay. The default is 3.
- In the Server URL field, enter the SCEP server’s URL. For example: http://scep-server/cgi-bin/pkiclient.exe.
- In the Name(Template Name) field, enter a unique name for the payload that’s recognized by the SCEP server. For example, WiFi Certificate.
If a CA has multiple CA certificates, this field is used to distinguish which is required.
- In the Set Subject Alternative Name field,enter an alternate name for the SCEP certificate.
- (Mandatory) Enter the Renew Period value in days. The number of days must be less than the root CA expiry date.
- Select one or more of the following Enhanced Key Usage (EKU) options depending on your SCEP server configuration to allow them to be included in the Certificate Signing Request (CSR):
- Include Client Authentication EKU: Use this option for client authentication services (OID: 1.3.6.1.5.5.7.3.2).
- Include Document Signing EKU (default): Use this option for document signing services (OID: 1.3.6.1.4.1.311.10.3.12).
- For existing Windows - SCEP Profiles Policies, this option is enabled by default.
- Include Smart Card Logon EKU: Use this option for Smart Card authentication services (OID: 1.3.6.1.4.1.311.20.2.2).
- (Optional) For custom use cases not included in the previous step, enter one or multiple custom EKUs and the corresponding OIDs.
- Select the Include Root Certificate checkbox to upload the certificate for the Certificate Authority to add to the device’s trusted anchors list.
- The root certificate can be installed manually, using an install certificate policy, or using a SCEP policy.
- If the root cert is already deployed, do not deploy it again either via Install certificate or SCEP policy.
- If you selected Include Root Certificate, click upload file for Root Certificate. File size must be smaller than 1 MB.
- This certificate should be in the .cer or .crt format. If the root CA is from Okta, the file must be in .cer format.
- This certificate should not include private keys.
You can also configure a user SCEP and enterprise Wifi for zero-touch network access policy. See Configuring a User SCEP and Enterprise Wifi Policy for Zero-Touch Network Access to learn more.
Applying the Policy
- (Optional) Select the Policy Groups tab. Select one or more policy groups where you want to add this policy.
- Select the User Groups tab. Select one or more user groups where you want to apply this policy. For user groups with multiple OS member types, the policy only applies when a user logs into a supported Windows device that is enrolled in MDM.
- Or, select the Users tab. Select one or more users to whom you want to assign this policy.
- Click Create Policy. A success message is displayed indicating the completion of policy creation.
Viewing Policy Status
- Select the Status tab.
- To see the last Result Log for a device where this policy is applied, click view.
- If any errors occur, they're listed in Exit Status. If you have an Exit Status of 0, no errors occurred when applying or enforcing this policy.