Adding a SCEP profile to iOS MDM devices

March 18, 2024

ID 90359

You have to add a SCEP profile to enable the iOS MDM device user to automatically receive certificates from the Certification Center via the internet. The SCEP profile enables support of the Simple Certificate Enrollment Protocol.

A SCEP profile with the following settings is added by default:

  • The alternative subject name is not used for registering certificates.
  • Three attempts, 10 seconds apart, are made to poll the SCEP server. If all attempts to get the certificate signed have failed, you have to generate a new certificate signing request.
  • The certificate that has been received cannot be used for data signing or encryption.

You can edit the specified settings when adding the SCEP profile.

To add a SCEP profile:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the SCEP section.
  5. Click the Add button in the SCEP profiles section.

    The SCEP profile window opens.

  6. In the Server web address field, enter the web address of the SCEP server on which the Certification Center is deployed.

    The URL can contain the IP address or the full domain name (FQDN). For example, http://10.10.10.10/certserver/companyscep.

  7. In the Name field, enter the name of the Certification Center deployed on the SCEP server.
  8. In the Subject field, enter a string with the attributes of the iOS MDM device user that are contained in the X.500 certificate.

    Attributes can contain details of the country (C), organization (O), and common name (CN). For example: /C=RU/O=MyCompany/CN=User/. You can also use other attributes specified in RFC 5280.

  9. In the Type of alternative name of subject drop-down list, select the type of subject alternative name for the X.500 certificate:
    • No – alternative name identification is not used.
    • RFC 822 name – identification using the email address. The email address must be specified according to RFC 822.
    • DNS name – identification using the domain name.
    • URI – identification using the IP address or address in FQDN format.

    You can use an alternative name of the subject for identifying the user of the iOS MDM mobile device.

  10. In the Subject Alternative Name field, enter the alternative name of the subject of the X.500 certificate. The value depends on the type selected in the previous step: the user's email address, domain name, or web address.
  11. In the NT subject name field, enter the DNS name of the iOS MDM mobile device user on the Windows NT network.

    The NT subject name is contained in the certificate request sent to the SCEP server.

  12. In the Number of polling attempts on SCEP server field, specify the maximum number of attempts to poll the SCEP server to get the certificate signed.
  13. In the Frequency of attempts (sec) field, specify the period of time in seconds between attempts to poll the SCEP server to get the certificate signed.
  14. In the Registration request field, enter a pre-published registration key.

    Before signing a certificate, the SCEP server requests the mobile device user to supply this key. If this field is left blank, the SCEP server does not request the key.

  15. In the Key Size drop-down list, select the size of the registration key in bits: 1024 or 2048.
  16. If you want to allow the user to use a certificate received from the SCEP server as a signing certificate, select the Use for signing check box.
  17. If you want to allow the user to use a certificate received from the SCEP server for data encryption, select the Use for encryption check box.

    A certificate received from the SCEP server cannot be used as a data signing certificate and as a data encryption certificate at the same time.

  18. In the Certificate fingerprint field, enter the unique fingerprint of the certificate used to verify the authenticity of the response from the Certification Center. Fingerprints computed with the SHA-1 or MD5 hashing algorithm are accepted. You can enter the fingerprint manually, or click the Create from certificate button and select a certificate; the fingerprint is then added to the field automatically.

    The certificate fingerprint must be specified if data exchange between the mobile device and the Certification Center takes place over the HTTP protocol, because without it the device has no way to verify that the response from the Certification Center is authentic.

  19. Click OK.

    The new SCEP profile appears in the list.

  20. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user's mobile device is configured to automatically receive a certificate from the Certification Center via the internet.
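As an added illustration (not Kaspersky's code, and not how the console itself builds profiles), the Python below encodes the field rules from the procedure above: the default polling settings, the 1024/2048 key sizes, the signing/encryption exclusivity, the MD5/SHA-1 fingerprint length, and the fingerprint requirement for a plain-HTTP server address. The output dictionary uses the key names of Apple's com.apple.security.scep payload, which is an assumption about the underlying profile format rather than something the page states; pass the result to plistlib.dumps to view it as a configuration profile fragment.

```python
# Settings mirror the fields of the SCEP profile window; defaults follow the
# page: 3 polling attempts 10 s apart, no subject alternative name, no key usage.
DEFAULTS = {
    "url": "", "ca_name": "", "subject": "", "san_type": "No", "san_value": "",
    "nt_name": "", "retries": 3, "retry_delay": 10, "challenge": "",
    "key_size": 2048, "use_for_signing": False, "use_for_encryption": False,
    "fingerprint": "",
}
# Assumed mapping from the drop-down values to Apple SCEP payload SAN keys.
SAN_KEYS = {"RFC 822 name": "rfc822Name", "DNS name": "dNSName",
            "URI": "uniformResourceIdentifier"}

def parse_subject(subject):
    """Turn '/C=RU/O=MyCompany/CN=User/' into the nested RDN list the payload uses."""
    rdns = []
    for part in filter(None, subject.split("/")):
        attr, _, value = part.partition("=")
        if not attr or not value:
            raise ValueError(f"malformed subject attribute: {part!r}")
        rdns.append([[attr, value]])
    return rdns

def build_scep_payload(settings):
    """Validate the profile settings and return the payload as a dict."""
    s = {**DEFAULTS, **settings}
    if s["key_size"] not in (1024, 2048):
        raise ValueError("key size must be 1024 or 2048 bits")
    if s["use_for_signing"] and s["use_for_encryption"]:
        raise ValueError("a certificate cannot be used for both signing and encryption")
    fp = bytes.fromhex(s["fingerprint"].replace(":", "").replace(" ", ""))
    if len(fp) not in (0, 16, 20):  # MD5 is 16 bytes, SHA-1 is 20 bytes
        raise ValueError("fingerprint must be an MD5 or SHA-1 digest")
    if s["url"].lower().startswith("http:") and not fp:
        raise ValueError("CA fingerprint is required when the SCEP URL uses plain HTTP")
    content = {
        "URL": s["url"], "Name": s["ca_name"], "Subject": parse_subject(s["subject"]),
        "Retries": s["retries"], "RetryDelay": s["retry_delay"],
        "Keysize": s["key_size"], "KeyType": "RSA",
        # KeyUsage bit flags: 1 = digital signature, 4 = key encipherment
        "KeyUsage": (1 if s["use_for_signing"] else 0) | (4 if s["use_for_encryption"] else 0),
    }
    san = {SAN_KEYS[s["san_type"]]: s["san_value"]} if s["san_type"] in SAN_KEYS and s["san_value"] else {}
    if s["nt_name"]:
        san["ntPrincipalName"] = s["nt_name"]
    for key, value in (("SubjectAltName", san), ("Challenge", s["challenge"]), ("CAFingerprint", fp)):
        if value:  # optional keys are emitted only when the field was filled in
            content[key] = value
    return {"PayloadType": "com.apple.security.scep", "PayloadVersion": 1, "PayloadContent": content}
```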
