Distributing Certificates Using the SCEP Protocol

After communication between Jamf Pro and Venafi TPP has been established, you can use Jamf Pro to distribute certificates with Venafi as the certificate authority (CA) to computers and mobile devices in your environment using configuration profiles.

When certificates are distributed using the SCEP protocol, traffic goes directly to Venafi TPP. Traffic does not proxy through Jamf Pro. This enables both dynamic challenges and automatic revocation to harden your certificate security in SCEP workflows.


Ensure the requirements for distributing configuration profiles are met by reviewing the following sections of the Jamf Pro Documentation:

  1. In Jamf Pro, click Computers or Devices at the top of the sidebar.
  2. Click Configuration Profiles.
  3. Click New.
  4. Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method. Only payloads and settings that apply to the selected level are displayed for the profile.
  5. To enable devices to communicate directly with the SCEP server to obtain the CA certificate, select the SCEP payload and click Configure.
  6. Enter the hostname of the Venafi TPP server, and append "certsrv/macOS" to the URL (e.g., https://<venafi-hostname>/certsrv/macOS/).
  7. Enter the name of the certificate authority that appears on the Venafi Configuration Profile in the Name field.

    The Redistribute Profile option is not available for Venafi.

  8. Enter the appropriate keys and values for the Subject field.

    If you are using the PROFILE_IDENTIFIER payload variable, it must be the first substitution in the Subject field.

  9. Choose a Subject Alternative Name Type if needed.
  10. Choose Dynamic-Venafi from the Challenge Type pop-up menu.
  11. Select the Venafi PKI Instance you want to use.
  12. Enter the Username and Password to log in to the SCEP Admin page (e.g., https://<venafi-hostname>/certsrv/mscep_admin).

    Ensure the dynamic challenge settings in Venafi TPP allow for enough dynamic challenges at one time and for an appropriate duration for devices to receive a certificate.

  13. If you want to retry the certificate request, enter values in the Retries, RetryDelay, and Certificate Expiration Notification Threshold fields.
  14. Depending on the requirements of the Certificate Profile being used in Venafi, you may be required to configure additional settings (e.g., Key Size, Fingerprint, Use a digital signature, and Use for key encipherment).
  15. Select the appropriate values for your workflow for the Allow export from keychain and Allow all apps access checkboxes.
  16. Click the Scope tab and scope the configuration profile to the appropriate devices.
  17. Click Save.
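The procedure above produces an Apple SCEP payload whose values Jamf Pro fills in from the form fields. The script below is an added example, not code from Jamf or Venafi: it builds that payload outside the UI and checks the two rules the steps call out, that the URL is the Venafi TPP hostname with certsrv/macOS appended over HTTPS (step 6) and that PROFILE_IDENTIFIER, if used, is the first substitution in the Subject (step 8). The payload keys (`com.apple.security.scep`, `URL`, `Name`, `Subject`, `Keysize`, `KeyUsage`, `Retries`, `RetryDelay`, `KeyIsExtractable`, `AllowAllAppsAccess`) are Apple's documented SCEP payload keys; the `$`-prefixed variable syntax, the hostname, the CA name and the payload identifier are assumptions or placeholders, and the example leaves the `Challenge` key out on the assumption that a dynamic challenge is obtained per device at delivery time rather than stored in the profile.

```python
"""Build and sanity-check an Apple SCEP payload aimed at a Venafi TPP SCEP endpoint.

Added example; the Jamf Pro UI normally does this for you. All hostnames and
identifiers below are placeholders.
"""
import plistlib
import re
import uuid
from urllib.parse import urlsplit

SCEP_SUFFIX = "certsrv/macOS/"          # path the page says to append to the Venafi hostname
VAR_RE = re.compile(r"\$[A-Z_]+")       # assumption: Jamf payload variables are $-prefixed
PROFILE_ID_VAR = "$PROFILE_IDENTIFIER"


def build_scep_url(venafi_hostname: str) -> str:
    """Step 6: the bare Venafi TPP hostname with certsrv/macOS/ appended, over HTTPS only."""
    if not venafi_hostname or "/" in venafi_hostname or ":" in venafi_hostname:
        raise ValueError("pass a bare hostname, not a URL or host:port")
    return f"https://{venafi_hostname}/{SCEP_SUFFIX}"


def scep_url_ok(url: str) -> bool:
    """Reject plain http (the challenge would travel in clear) and any other certsrv path."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc) and parts.path.endswith("/" + SCEP_SUFFIX)


def subject_variables(subject) -> list:
    """Payload variables in order of appearance. Subject uses Apple's nested form:
    [[["CN", "$PROFILE_IDENTIFIER"]], [["O", "Example Corp"]]]."""
    found = []
    for rdn in subject:
        for _oid, value in rdn:
            found.extend(VAR_RE.findall(value))
    return found


def subject_ok(subject) -> bool:
    """Step 8 rule: if $PROFILE_IDENTIFIER is used at all, it must be the first substitution."""
    variables = subject_variables(subject)
    if PROFILE_ID_VAR not in variables:
        return True
    return variables[0] == PROFILE_ID_VAR


def build_scep_payload(venafi_hostname, ca_name, subject, key_size=2048,
                       retries=3, retry_delay=10, allow_export=False,
                       allow_all_apps=False) -> dict:
    """Assemble the payload dict, refusing input that breaks the rules above."""
    url = build_scep_url(venafi_hostname)
    if not scep_url_ok(url):
        raise ValueError(f"bad SCEP URL: {url}")
    if not subject_ok(subject):
        raise ValueError("$PROFILE_IDENTIFIER must be the first substitution in Subject")
    content = {
        "URL": url,
        "Name": ca_name,                 # step 7: CA name from the Venafi Configuration Profile
        "Subject": subject,
        "KeyType": "RSA",
        "Keysize": key_size,             # step 14: Key Size
        "KeyUsage": 5,                   # 1 = digital signature, 4 = key encipherment, 5 = both
        "Retries": retries,              # step 13
        "RetryDelay": retry_delay,
        "KeyIsExtractable": allow_export,        # step 15: Allow export from keychain
        "AllowAllAppsAccess": allow_all_apps,    # step 15: Allow all apps access
        # No "Challenge": assumed to be supplied per device at delivery for a dynamic challenge
    }
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep.venafi",   # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "SCEP (Venafi)",
        "PayloadContent": content,
    }


if __name__ == "__main__":
    payload = build_scep_payload(
        "venafi.example.com",            # placeholder Venafi TPP hostname
        "Example Issuing CA",            # placeholder CA name
        [[["CN", "$PROFILE_IDENTIFIER"]], [["O", "Example Corp"]]],
    )
    print(plistlib.dumps(payload).decode())
```

Running the script prints the payload as a plist you can compare against what Jamf Pro generates; the checks are cheap to keep in a pre-deployment lint because a wrong URL suffix or a misplaced PROFILE_IDENTIFIER shows up only as enrollment failures on devices.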