{"id":85633,"date":"2023-06-05T13:09:51","date_gmt":"2023-06-05T17:09:51","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&#038;p=85633"},"modified":"2023-11-01T15:27:17","modified_gmt":"2023-11-01T19:27:17","slug":"create-mac-or-ios-scep-profiles-policy","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy","title":{"rendered":"Create a Mac or iOS SCEP Profiles Policy"},"content":{"rendered":"\n<p>This policy configures Simple Certificate Enrollment Protocol (SCEP) for your macOS and iOS devices. SCEP makes issuing digital certificates easier, more secure, and scalable. You\u2019ll need a Certificate Authority (CA) to issue the device credentials using SCEP. The fields in this SCEP Profiles policy are added to the SCEP payload. <\/p>\n\n\n\n<p>The macOS policy works on all&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/agent-compatibility-system-requirements-and-impacts\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud macOS supported operating systems<\/a>&nbsp;that are enrolled in Mobile Device Management (MDM). The iOS policy works on all JumpCloud iOS and iPadOS supported operating systems on devices that are enrolled in MDM. &nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>To create a macOS or iOS SCEP Profiles Policy<\/strong>:<\/p>\n\n\n\n<ol>\n<li>Log in to the <a href=\"https:\/\/console.jumpcloud.com\/login\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n<li>Go to <strong>DEVICE MANAGEMENT &gt; Policy Management<\/strong>.<\/li>\n\n\n\n<li>In the <strong>All<\/strong> tab, click (<strong>+<\/strong>).<\/li>\n\n\n\n<li>On the New Policy panel, select the <strong>Mac<\/strong> or the<strong> iOS <\/strong>tab.<\/li>\n\n\n\n<li>Select the Mac or iOS <strong>SCEP Profiles<\/strong> policy from the list, then click <strong>configure<\/strong>.<\/li>\n\n\n\n<li>(Optional) Enter a new name for the policy or keep the default. Policy names must be unique.<\/li>\n\n\n\n<li>For<strong> Policy Notes<\/strong>, enter details like when you created the policy, where you tested it, and where you deployed it.<\/li>\n\n\n\n<li>(Optional) Enter a Base64 encoded string in the <strong>Fingerprint<\/strong> field.\n<ol class=\"is-lower-alpha\">\n<li>You will need to convert the current SHA1 or SHA256 fingerprint, represented as a series of hexadecimal values, to a Base64 encoding of a &#8220;bytes&#8221; object. From the macOS Terminal, run the following command, replacing the fingerprint value with your Certificate Authority\u2019s:\n<ul>\n<li><strong>Note<\/strong>: The characters delimiting the hexadecimal pairs within the fingerprint value are not sensitive &#8211; meaning that strings using colons, spaces, or no delimiters at all are equally valid for input.<\/li>\n\n\n\n<li>Enter the resulting Base64 encoded string in the <strong>Fingerprint<\/strong> field.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>echo &#8220;11:22:33:44:aa:bb:cc:dd&#8221; | xxd -r -p | base64<\/p>\n<\/div><\/div>\n\n\n\n<ol start=\"9\">\n<li>For <strong>Challenge<\/strong>, enter the pre-shared secret, which generally identifies the request or the user who is requesting the profile. This policy type requires a static challenge and will not work with a dynamic challenge.<\/li>\n\n\n\n<li>Click <strong>Key Size<\/strong> to choose the size of the key: 1024, 2048, or 4096 bits. The default is 1024.<\/li>\n\n\n\n<li>For <strong>Subject<\/strong>, click <strong>Add Value<\/strong> and enter the Object Identifier (OID) and its value for the X.500 name. For example: \/C=US\/O=ABCEnterprise\/CN=foo\/1.2.5.3=bar. This field supports one OID statement, so you should encapsulate all the fields in a single statement.<\/li>\n\n\n\n<li>For <strong>Retries<\/strong>, enter the number of times the device should retry if the server sends a <em>Pending<\/em> response. The default is 3.<br><img decoding=\"async\" width=\"1843\" height=\"1192\" class=\"wp-image-93180\" style=\"width: 800px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png\" alt=\"\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png 1843w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/SCEPPolicy1-300x194.png 300w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/SCEPPolicy1-1024x662.png 1024w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/SCEPPolicy1-768x497.png 768w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/SCEPPolicy1-1536x993.png 1536w\" sizes=\"(max-width: 1843px) 100vw, 1843px\" \/><\/li>\n\n\n\n<li>Select <strong>Extractable Key<\/strong> to export the private key from the keychain. Generally, you should not export this private key.&nbsp;<\/li>\n\n\n\n<li>For <strong>Key Usage<\/strong>, enter the purpose for the SCEP certificate and keypair, and which bitmask to use for the private key. Enter <strong>Signing<\/strong> for digital signature or <strong>Encryption<\/strong> for encryption.<\/li>\n\n\n\n<li>For <strong>Retry Delay<\/strong>, enter the number of seconds to wait between subsequent retries. The first retry is attempted without this delay. The default is 10.&nbsp;<\/li>\n\n\n\n<li>For <strong>URL<\/strong>, enter the SCEP server\u2019s URL. For example: <kbd>http:\/\/scep-server\/cgi-bin\/pkiclient.exe<\/kbd>.<\/li>\n\n\n\n<li>For <strong>Name<\/strong>, enter a unique name for the payload that\u2019s understood by the SCEP server. For example, WiFi Certificate. If a CA has multiple CA certificates, this field is used to distinguish which is required.&nbsp;<\/li>\n\n\n\n<li>Select<strong> Include Root Certificate<\/strong> to upload the certificate for the Certificate Authority to add to the device\u2019s trusted anchors list.&nbsp;<\/li>\n\n\n\n<li>If you selected <strong>Include Root Certificate<\/strong>, click <strong>upload file<\/strong> for <strong>Root Certificate<\/strong> This certificate should <em>not<\/em> include public keys and should be in the .cer or .crt format. File size must be smaller than 1 MB.&nbsp;<\/li>\n\n\n\n<li>Select <strong>Set Subject Alternative Name<\/strong> to determine subject alternative names characteristics for the SCEP certificate.<\/li>\n\n\n\n<li>If you selected <strong>Set Subject Alternative Name<\/strong>, under <strong>Subject Alternative Name<\/strong> choose one or more values that are required by the CA to issue a certificate:\n<ol class=\"is-lower-alpha\">\n<li>For <strong>DNS Name<\/strong>, enter the DNS name of the CA server. For example, mac1.example.com. This can be a variable from the device\u2019s current status as <a href=\"https:\/\/support.apple.com\/guide\/deployment\/variables-settings-for-mdm-payloads-dep04666af94\/web\">drawn from Apple\u2019s list<\/a> of hardware variables.&nbsp;<\/li>\n\n\n\n<li>For <strong>Principal<\/strong>, enter the name of the NT principal used in the organization. This can be a variable from the device\u2019s current status as <a href=\"https:\/\/support.apple.com\/guide\/deployment\/variables-settings-for-mdm-payloads-dep04666af94\/web\">drawn from Apple\u2019s list<\/a> of hardware variables.&nbsp;<\/li>\n\n\n\n<li>For <strong>RFC 822<\/strong>, enter the email address needed for the certificate request.This can be a variable from the device\u2019s current status as <a href=\"https:\/\/support.apple.com\/guide\/deployment\/variables-settings-for-mdm-payloads-dep04666af94\/web\">drawn from Apple\u2019s list<\/a> of hardware variables.&nbsp;<\/li>\n\n\n\n<li>For <strong>URI<\/strong>, enter the fully-qualified Uniform Resource Identifier for the CA server. This can be a variable from the device\u2019s current status as <a href=\"https:\/\/support.apple.com\/guide\/deployment\/variables-settings-for-mdm-payloads-dep04666af94\/web\">drawn from Apple\u2019s list<\/a> of hardware variables.<br><img decoding=\"async\" width=\"1848\" height=\"1180\" class=\"wp-image-93166\" style=\"width: 800px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/07\/SCEP2Final.png\" alt=\"\"><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<ol start=\"10\">\n<li>(Optional) Select the&nbsp;<strong>Device Groups<\/strong>&nbsp;tab. Select one or more device groups where you&#8217;ll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.<\/li>\n\n\n\n<li>(Optional) Select the&nbsp;<strong>Devices<\/strong>&nbsp;tab. Select one or more devices where you&#8217;ll apply this policy.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card tip\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Tip:<\/strong> \n<p>For this policy to take effect, you must specify a device or a device group in Step 10 or Step 11.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"12\">\n<li>Click&nbsp;<strong>save<\/strong>.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>This policy configures Simple Certificate Enrollment Protocol (SCEP) for your macOS and iOS devices. SCEP makes issuing digital certificates easier, [&hellip;]<\/p>\n","protected":false},"author":200,"featured_media":0,"template":"","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"support_category":[2925,2852,3082],"support_tag":[],"coauthors":[2841],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Create a Mac or iOS SCEP Profiles Policy - JumpCloud<\/title>\n<meta name=\"description\" content=\"Learn how to create a Mac or iOS Simple Certificate Enrollment Protocol Profiles Policy to make issuing digital certificates easier, more secure, and scalable.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Create a Mac or iOS SCEP Profiles Policy\" \/>\n<meta property=\"og:description\" content=\"Learn how to create a Mac or iOS Simple Certificate Enrollment Protocol Profiles Policy to make issuing digital certificates easier, more secure, and scalable.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-01T19:27:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"natecopt\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy\",\"url\":\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy\",\"name\":\"Create a Mac or iOS SCEP Profiles Policy - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png\",\"datePublished\":\"2023-06-05T17:09:51+00:00\",\"dateModified\":\"2023-11-01T19:27:17+00:00\",\"description\":\"Learn how to create a Mac or iOS Simple Certificate Enrollment Protocol Profiles Policy to make issuing digital certificates easier, more secure, and scalable.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png\",\"width\":1843,\"height\":1192},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Support\",\"item\":\"https:\/\/jumpcloud.com\/support\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Create a Mac or iOS SCEP Profiles Policy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Create a Mac or iOS SCEP Profiles Policy - JumpCloud","description":"Learn how to create a Mac or iOS Simple Certificate Enrollment Protocol Profiles Policy to make issuing digital certificates easier, more secure, and scalable.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy","og_locale":"en_US","og_type":"article","og_title":"Create a Mac or iOS SCEP Profiles Policy","og_description":"Learn how to create a Mac or iOS Simple Certificate Enrollment Protocol Profiles Policy to make issuing digital certificates easier, more secure, and scalable.","og_url":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy","og_site_name":"JumpCloud","article_modified_time":"2023-11-01T19:27:17+00:00","og_image":[{"url":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"4 minutes","Written by":"natecopt"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy","url":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy","name":"Create a Mac or iOS SCEP Profiles Policy - JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png","datePublished":"2023-06-05T17:09:51+00:00","dateModified":"2023-11-01T19:27:17+00:00","description":"Learn how to create a Mac or iOS Simple Certificate Enrollment Protocol Profiles Policy to make issuing digital certificates easier, more secure, and scalable.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/SCEPPolicy1.png","width":1843,"height":1192},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/support\/create-mac-or-ios-scep-profiles-policy#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Support","item":"https:\/\/jumpcloud.com\/support"},{"@type":"ListItem","position":3,"name":"Create a Mac or iOS SCEP Profiles Policy"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/85633"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/support"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/200"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/85633\/revisions"}],"predecessor-version":[{"id":100655,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/85633\/revisions\/100655"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=85633"}],"wp:term":[{"taxonomy":"support_category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_category?post=85633"},{"taxonomy":"support_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_tag?post=85633"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=85633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}