Jamf Pro allows you to create configuration profiles with payloads that contain certificates for user access to resources such as VPN or Wi-Fi. Enabling Jamf Pro as SCEP Proxy for a configuration profile allows Jamf Pro to communicate with your SCEP server to install the certificate directly on computers or mobile devices.
Before you can distribute a configuration profile with Jamf Pro as SCEP Proxy for the certificates included in the profile, you must enable Jamf Pro as SCEP Proxy in the PKI Certificate settings. This allows you to use Jamf Pro as SCEP Proxy in the configuration profile that you create.
- In Jamf Pro, click Settings in the top-right corner of the page.
- In the Global section, click PKI certificates.
- Click the Management Certificate Template tab, and then click External CA.
- Click Edit.
- Select Enable Jamf Pro as SCEP Proxy for configuration profiles.
Important:
If you are using the Jamf Pro built-in CA for device enrollment, ensure that you do not select Use a SCEP-enabled external CA for computer and mobile device enrollment. Selecting this option requires you to re-enroll all devices with Jamf Pro.
- Enter a base URL for the SCEP server.
- (Optional) Enter the name of the instance in the Name field.
Note:
For Microsoft certificate authorities, SERVERNAME-MSCEP-RA is an example.
- Choose the type of challenge password to use from the Challenge Type pop-up menu:
  - If you want all computers and mobile devices to use the same challenge password, choose and specify a challenge password. The challenge password will be used as the pre-shared secret for automatic enrollment.
  - (Jamf Pro 10.32.0 or later) If you want to use a non-Microsoft CA with a SCEP Dynamic challenge type, you can create a webhook using the event SCEPChallenge. The receiving web server is sent information about the enrolling device and the configuration profile. This allows the returning message body to be used as the SCEP challenge for that enrollment. For more information on webhooks, see Webhooks in the Jamf Pro Documentation and the following page in the Jamf developer resources: https://developer.jamf.com/developer-guide/docs/webhooks.
  - If you are using a Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose .
    When using the challenge type, the Username field requires the down-level logon name format. For more information, see the following Microsoft documentation: User Name Formats.
  - If you are using an Entrust CA, choose , and then do the following:
    - Enter the name of your Digital ID Configuration that issues certificates for Entrust in the Digital ID Configuration Name field.
    - Enter the iggroup variable defined in your Entrust Digital ID Configuration in the Group Name field.
    - Click Add to enter additional RDN variables, and then enter the variable name and value.
- Click Save.
If you are using an external CA, you need to provide the signing and CA certificates for the external CA after saving. This is done by uploading a signing certificate keystore (.jks or .p12) that contains both certificates to Jamf Pro. For instructions, see "Uploading Signing and CA Certificates for an External CA" on the PKI Certificates page in the Jamf Pro Documentation. If you are using the Jamf Pro built-in CA, no action is necessary after saving.
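The SCEPChallenge webhook described above hands the dynamic challenge to whatever web server you point it at, so that server decides how strong and how reusable each challenge is. The following receiver is an added example, not Jamf's code: it assumes the webhook is configured with HTTP Basic authentication, that the payload is the usual Jamf webhook JSON envelope with a `webhook.webhookEvent` field (the `event` contents are treated as opaque), and that your CA checks submitted challenges against the same store via `consume_challenge` (a hypothetical helper, not part of Jamf Pro).

```python
"""SCEPChallenge webhook receiver: returns a one-time, expiring challenge as the body.

Added example (not Jamf's code). Assumed: Basic-auth webhook, Jamf's JSON
envelope with webhook.webhookEvent, and a CA that validates via consume_challenge.
"""
import base64
import hmac
import json
import secrets
import time

WEBHOOK_USER = "jamf-scep-webhook"                 # constructed credentials
WEBHOOK_PASS = "replace-with-a-long-random-secret"  # for this example only
CHALLENGE_TTL = 600          # seconds a challenge stays valid
_issued = {}                 # challenge -> (device_key, expiry); use a DB in production


def basic_auth_header(user, password):
    """Build the Authorization header value Jamf Pro sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _auth_ok(headers):
    """Constant-time comparison of the presented Basic credentials."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, WEBHOOK_USER) and hmac.compare_digest(pw, WEBHOOK_PASS)


def handle_scep_challenge(headers, body, now=None):
    """Return (http_status, response_body); the body becomes the SCEP challenge."""
    now = time.time() if now is None else now
    if not _auth_ok(headers):
        return 401, ""
    try:
        event = json.loads(body)
    except ValueError:
        return 400, ""
    if event.get("webhook", {}).get("webhookEvent") != "SCEPChallenge":
        return 400, ""
    # Bind the challenge to the enrolling device's data so the record shows who got it.
    device_key = json.dumps(event.get("event", {}), sort_keys=True)
    challenge = secrets.token_urlsafe(32)   # 256 bits of entropy, never reused
    _issued[challenge] = (device_key, now + CHALLENGE_TTL)
    return 200, challenge


def consume_challenge(challenge, now=None):
    """CA side: accept a challenge exactly once, and only before it expires."""
    now = time.time() if now is None else now
    entry = _issued.pop(challenge, None)    # pop enforces single use
    return entry is not None and entry[1] > now
```

Because each challenge is random, single-use and time-limited, a leaked value cannot be replayed the way a static pre-shared challenge can.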