This policy configures Simple Certificate Enrollment Protocol (SCEP) for your Windows devices. SCEP makes issuing digital certificates easier, more secure, and scalable.
This is a device level policy that applies system-wide to the device and all of its users. You can bind this policy to individual devices or device groups. For policies that apply to a specific user's profile across devices, see Get Started: Policies and Learn More section of this article.
Prerequisites
- The device must be enrolled in JumpCloud MDM. This policy works on devices running Windows 10/11.
Considerations
- You need a Certificate Authority (CA) to issue device credentials using SCEP.
- The fields in the SCEP Profiles policy are added to the SCEP payload.
Creating the Policy
To create a SCEP Profiles policy for Windows devices, do the following:
Selecting the Policy Template
- Log in to the JumpCloud Admin portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Go to Device Management > Policy Management. The Policy Management page is displayed.
- On the Policy Management page, click +Add New.
- Select Device Policy to assign the policy to devices and device groups. On the New Device Policy page:
- Select the Windows tab.
- Search and select the policy name and click Configure. The Details tab of the policy is displayed.
- On the Details tab, configure the required policy configuration settings.
- (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
- (Optional) In the Policy Notes field, enter details such as creation date of the policy, and information on testing and deployment of the policy.
Configuring the Policy
- (Mandatory) In the CA ThumbPrint field, enter a Base64 encoded string.
This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. See Determining the Sha1 and Sha256 Fingerprint (Thumbprint) to learn more.
- In the Challenge field, enter the one-time pre-shared secret.
- This policy type requires a static challenge and will not work with a dynamic challenge.
- Challenges can be used to identify the user requesting the profile.
- Challenges should be in base64 format.
- Challenges should not contain special characters like (!@#$%^&*_).
- In the Key Length field, select the size of the key: 1024, 2048, or 4096 bits. The default is 1024.
- Specify the Subject Name. This should always start with CN=.
Example- CN="Organization Root Authority"
If the Subject Name value includes a leading or trailing white space or any of these characters (, = + ; / < > # ), ensure the Subject Name value is quoted.
Example- CN="/C=US/O=ABCEnterprise/CN=foo/1.2.5.3=bar"
The following device-specific variables are supported:
%SerialNumber%%HostName%%HardwareUUID%- %JumpCloudSystemID%
- %MACAddress%
- In the Retry Count field, enter the number of times the device should retry if the server sends a Pending response. The default is 3.
- In the Retry Delay field, enter the number of seconds to wait between subsequent retries. The first retry is attempted without this delay. The default is 3.
- In the Server URL field, enter the SCEP server’s URL. For example:
http://scep-server/cgi-bin/pkiclient.exe. - In the Name(Template Name) field, enter a unique name for the payload that’s recognized by the SCEP server. For example, WiFi Certificate.
If a CA has multiple CA certificates, this field is used to distinguish which is required.
- In the Set Subject Alternative Name field, enter an alternate name for the SCEP certificate.
- (Mandatory) Enter the Renew Period value in days. The number of days must be less than the root CA expiry date.
- Select one or more of the following Enhanced Key Usage (EKU) options depending on your SCEP server configuration to allow them to be included in the Certificate Signing Request (CSR):
- Include Client Authentication EKU: Use this option for client authentication services (OID: 1.3.6.1.5.5.7.3.2).
- Include Document Signing EKU (default): Use this option for document signing services (OID: 1.3.6.1.4.1.311.10.3.12).
- For existing Windows - SCEP Profiles Policies, this option is enabled by default.
- Include Smart Card Logon EKU: Use this option for Smart Card authentication services (OID: 1.3.6.1.4.1.311.20.2.2).
- (Optional) For custom use cases not included in the previous step, enter one or multiple custom EKUs and the corresponding OIDs.
- Select the Include Root Certificate checkbox to upload the certificate for the Certificate Authority to add to the device’s trusted anchors list.
- The root certificate can be installed manually, using an install certificate policy, or using a SCEP policy.
- If you selected Include Root Certificate, click upload file for Root Certificate. File size must be smaller than 1 MB.
- This certificate should be in the .cer or .crt format. If the root CA is from Okta, the file must be in .cer format.
- This certificate should not include private keys.
Applying the Policy
- (Optional) Select the Policy Groups tab. Select one or more policy groups where you want to add this policy.
- Select the Device Groups tab. Select one or more device groups where you want to apply this policy to. For device groups with multiple OS member types, the policy only applies when a user logs into a supported Windows device that is enrolled in MDM.
- Or, select the Devices tab. Select one or more devices where you want to apply this policy.
- Click Create Policy. A success message is displayed indicating the completion of policy creation.
You must select either a device or device group to create and apply this policy.
Viewing Policy Status
- Select the Status tab.
- To see the last Result Log for a device where this policy is applied, click view.
- If any errors occur, they're listed in Exit Status. If you have an Exit Status of 0, no errors occurred when applying or enforcing this policy.
