SCEP (Simple Certificate Enrollment Protocol) allows a client device to retrieve a certificate from a certificate authority without user or administrator interaction. This guide explains how SCEP works within CapaOne Mobile Manager and how to deploy it correctly across Apple and Android devices.
Prerequisites
Before implementing SCEP, administrators should understand:
- Customer PKI infrastructure details
- SCEP server configuration parameters
- Required certificates (CA, intermediates, issuing certificates)
- Network access pathways to SCEP servers
- Platform constraints on Apple and Android devices
What Is SCEP?
SCEP is used wherever a device needs a certificate, most commonly to establish trust in the device or its user. Administrators configure a SCEP server to accept certificate requests from any client that presents the correct configuration details, so those details act as an enrollment credential and should be handled as one.
In Microsoft PKI environments, NDES (Network Device Enrollment Service) servers typically act as the SCEP endpoint, issuing certificates from the internal PKI.
Key Configuration Principles
Trust Chains
Devices must trust the complete certificate chain: the root CA, any intermediate CAs, and the issuing CA. Unlike desktop systems, mobile devices do not fetch missing chain certificates on their own, so every certificate in the chain must be included explicitly in the configuration profile delivered to the device.
SCEP Server Access
SCEP servers often reside on-premises within the customer network. This creates two challenges: managed devices may not yet be trusted on the internal network, and the SCEP server itself may present a TLS certificate from the internal PKI that the devices do not yet trust. In the second case the profile must carry the CA chain that issued that TLS certificate, or the SCEP endpoint must be published behind a certificate the devices already trust.
Static Secrets
SCEP servers must use a static challenge secret when communicating with mobile devices, because the mobile platforms do not support the dynamic challenge negotiation used in some enterprise setups. The static secret is embedded in every profile that contains the SCEP payload, so restrict who can obtain those profiles and change the secret if a profile is exposed.
Wi-Fi Profiles with SCEP (EAP-TLS)
Advanced Wi-Fi configurations using EAP-TLS can leverage SCEP-supplied certificates for authentication. Certificates can be pre-created or generated per device.
Platform-specific considerations:
- Apple: Devices do not automatically renew certificates. Profiles must be reapplied before the certificate expires.
- Android: The platform has no native SCEP support, so the CapaOne Agent must be installed on Android devices to enable SCEP enrollment.
Common Problems and Debugging
Incomplete Trust Chains
The most frequent issue is an incomplete certificate chain. The device must hold the full chain for the SCEP server, the RADIUS server, and any intermediate CAs up to the root CA; otherwise users are prompted to accept certificates manually, or the connection fails.
Pre-Verification in Wi-Fi Profiles
Open standards such as EAP-TLS require the device to verify the authentication server's certificate before it presents its own credentials. This pre-verification must be configured within the Wi-Fi profile by explicitly linking the certificate payloads to the relevant authorities (the trust anchors and the expected server name). Omitting this step results in connection failures or user-facing trust prompts.
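The three requirements above (the full chain in the profile, a static challenge, and explicit pre-verification in the Wi-Fi payload) can be checked mechanically before a profile is pushed. The script below is an added example, not CapaOne's or Apple's code: it builds a minimal Apple configuration profile with the standard library's plistlib and lints it for the defects this guide describes. The NDES URL, SSID, RADIUS host name, CA names, challenge value and DER bytes are constructed placeholders; the payload keys are Apple's documented SCEP, certificate and Wi-Fi payload keys.

```python
"""Lint an Apple configuration profile for the SCEP/EAP-TLS mistakes this
guide describes before it is pushed to devices. Added example, not CapaOne's
own code; URL, SSID, names, DER bytes and challenge are constructed."""
import plistlib
import uuid

# Constructed placeholders standing in for the real DER-encoded CA certificates.
ROOT_DER = b"<constructed placeholder: DER of Example Root CA>"
ISSUING_DER = b"<constructed placeholder: DER of Example Issuing CA>"
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}
IDENTITY_TYPES = {"com.apple.security.scep", "com.apple.security.pkcs12"}

def base_payload(ptype, name):
    pid = str(uuid.uuid4()).upper()
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": pid,
            "PayloadIdentifier": f"com.example.{ptype}.{pid}", "PayloadDisplayName": name}

def certificate_payload(name, der, root=False):
    """Certificate payload; root=True selects the root-CA payload type."""
    p = base_payload("com.apple.security.root" if root else "com.apple.security.pkcs1", name)
    p["PayloadContent"] = der
    return p

def scep_payload(url, challenge, keysize=2048):
    p = base_payload("com.apple.security.scep", "Device identity (SCEP)")
    p["PayloadContent"] = {
        "URL": url,
        "Name": "Example-Issuing-CA",        # CA identifier the SCEP server expects
        "Subject": [[["O", "Example Corp"]], [["CN", "corp-device"]]],  # real deployments use a per-device CN
        "Challenge": challenge,             # the static challenge secret
        "Keysize": keysize,
        "Key Type": "RSA",
        "Key Usage": 5,                     # 1 = signing, 4 = encryption, 5 = both
    }
    return p

def wifi_payload(ssid, identity_uuid, anchors, server_names, allow_exceptions=False):
    p = base_payload("com.apple.wifi.managed", f"Wi-Fi {ssid}")
    p.update({
        "SSID_STR": ssid, "AutoJoin": True, "EncryptionType": "WPA2",
        "PayloadCertificateUUID": identity_uuid,     # client identity from the SCEP payload
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],                    # 13 = EAP-TLS
            "PayloadCertificateAnchorUUID": anchors,   # CAs the RADIUS certificate must chain to
            "TLSTrustedServerNames": server_names,     # names accepted in the RADIUS certificate
            "TLSAllowTrustExceptions": allow_exceptions,
        },
    })
    return p

def lint_profile(profile):
    """Return a list of problems; an empty list means the profile passes."""
    problems = []
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    for p in by_uuid.values():
        if p["PayloadType"] == "com.apple.security.scep":
            c = p["PayloadContent"]
            if not c.get("Challenge"):
                problems.append("SCEP payload has no static challenge secret")
            if c.get("Keysize", 0) < 2048:
                problems.append("SCEP key size below 2048 bits")
        elif p["PayloadType"] == "com.apple.wifi.managed":
            eap = p.get("EAPClientConfiguration", {})
            ident = by_uuid.get(p.get("PayloadCertificateUUID"), {})
            if ident.get("PayloadType") not in IDENTITY_TYPES:
                problems.append("Wi-Fi payload references no identity (SCEP or PKCS#12) payload")
            anchors = eap.get("PayloadCertificateAnchorUUID", [])
            if not anchors:
                problems.append("no trust anchor: the RADIUS certificate cannot be pre-verified")
            for a in anchors:
                if by_uuid.get(a, {}).get("PayloadType") not in CERT_TYPES:
                    problems.append(f"anchor {a} is not a certificate payload in this profile")
            if not eap.get("TLSTrustedServerNames"):
                problems.append("no TLSTrustedServerNames: any certificate from the anchor CA is accepted")
            if eap.get("TLSAllowTrustExceptions", True):   # treated as enabled when omitted
                problems.append("TLSAllowTrustExceptions enabled: users get a trust prompt instead of a hard failure")
    return problems

def missing_chain_members(certs):
    """certs: (subject, issuer) pairs read from the certificates embedded in the profile.
    Returns issuers no embedded certificate covers, i.e. gaps a mobile device cannot fill."""
    subjects = {s for s, _ in certs}
    return sorted({i for _, i in certs if i not in subjects})

def example_profile():
    root = certificate_payload("Example Root CA", ROOT_DER, root=True)
    issuing = certificate_payload("Example Issuing CA", ISSUING_DER)
    scep = scep_payload("https://ndes.example.internal/certsrv/mscep/mscep.dll", "constructed-static-challenge")
    wifi = wifi_payload("CorpWiFi", scep["PayloadUUID"],
                        [root["PayloadUUID"], issuing["PayloadUUID"]], ["radius.example.internal"])
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadIdentifier": "com.example.scep-wifi", "PayloadDisplayName": "Corp Wi-Fi (EAP-TLS via SCEP)",
            "PayloadContent": [root, issuing, scep, wifi]}

if __name__ == "__main__":
    prof = example_profile()
    print("problems:", lint_profile(prof) or "none")
    with open("corp-wifi-scep.mobileconfig", "wb") as fh:   # the file that would be delivered to devices
        plistlib.dump(prof, fh)
```

Run with real DER bytes in place of the placeholders; missing_chain_members takes the subject and issuer names read from those certificates and reports any issuer the profile does not carry, which is exactly the gap a mobile device cannot close by itself. The Wi-Fi checks fail the profile rather than the user: a missing anchor, an empty TLSTrustedServerNames list, or TLSAllowTrustExceptions left on all degrade to the trust prompt this guide warns about.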
Maintenance and Best Practices
- Include the full certificate chain in all configuration profiles
- Ensure SCEP servers are configured with static challenge secrets
- Validate network access paths to the SCEP server before deploying profiles
- Reapply profiles on Apple devices before certificate expiration
- Install the CapaOne Agent on all Android devices that require SCEP
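For the third item above (validating the network path to the SCEP server before profiles go out), the following probe is an added example, not CapaOne's code. It exercises the two unauthenticated GET operations SCEP defines, GetCACaps and GetCACert (RFC 8894), reports which capabilities the CA advertises, fingerprints the returned CA certificate for comparison with what the PKI team expects, and treats an untrusted TLS certificate on the endpoint as a finding rather than something to bypass, since a managed device would fail at the same point. The NDES URL is a constructed placeholder.

```python
"""Pre-deployment probe of a SCEP endpoint using SCEP's own GetCACaps and
GetCACert operations. Added example, not CapaOne's code; the NDES URL below
is a constructed placeholder."""
import hashlib
import ssl
import urllib.error
import urllib.parse
import urllib.request

CA_CERT_TYPES = {
    "application/x-x509-ca-cert": "single CA certificate (DER)",
    "application/x-x509-ca-ra-cert": "CA and RA certificates (degenerate PKCS#7)",
}

def scep_url(base, operation):
    """SCEP GET operations are selected with the 'operation' query parameter."""
    return f"{base}?{urllib.parse.urlencode({'operation': operation})}"

def parse_ca_caps(text):
    """GetCACaps answers with one capability keyword per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def assess_ca_caps(caps):
    """Flag advertised-capability gaps that weaken the enrollment exchange."""
    problems = []
    if "SHA-256" not in caps:
        problems.append("CA does not advertise SHA-256: clients may fall back to SHA-1 or MD5 digests")
    if "AES" not in caps:
        problems.append("CA does not advertise AES: clients may fall back to 3DES/DES for PKCS#7 envelopes")
    if "POSTPKIOperation" not in caps:
        problems.append("CA does not accept POST for PKIOperation: requests must go in the GET query string")
    return problems

def describe_ca_cert(content_type, body):
    """Classify a GetCACert response and return the SHA-256 of the body. For the
    single-certificate form this is the CA fingerprint to compare with what the
    PKI team states; for the PKCS#7 form, extract the CA certificate first
    (for example with `openssl pkcs7 -inform DER -print_certs`)."""
    kind = CA_CERT_TYPES.get(content_type.split(";")[0].strip().lower())
    if kind is None:
        raise ValueError(f"unexpected GetCACert content type: {content_type!r}")
    return kind, hashlib.sha256(body).hexdigest()

def probe(base_url, timeout=10):
    """Network probe; returns a report dict. Not run by the offline test."""
    report = {"url": base_url, "problems": []}
    try:
        with urllib.request.urlopen(scep_url(base_url, "GetCACaps"), timeout=timeout) as r:
            caps = parse_ca_caps(r.read().decode("ascii", "replace"))
        report["caps"] = sorted(caps)
        report["problems"] += assess_ca_caps(caps)
        with urllib.request.urlopen(scep_url(base_url, "GetCACert"), timeout=timeout) as r:
            report["ca_cert"], report["ca_sha256"] = describe_ca_cert(r.headers.get("Content-Type", ""), r.read())
    except urllib.error.URLError as e:
        # An untrusted TLS certificate is reported, not bypassed: a managed device
        # would fail here too unless the profile carries the issuing CA chain.
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            report["problems"].append("TLS certificate of the SCEP endpoint is not trusted")
        else:
            report["problems"].append(f"SCEP endpoint unreachable: {e.reason}")
    except ValueError as e:
        report["problems"].append(str(e))
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(probe("https://ndes.example.internal/certsrv/mscep/mscep.dll"), indent=2))
```

Run the probe from the network position the devices will actually use (for example the onboarding SSID, not an admin workstation on the internal LAN), since reachability from the wrong vantage point is the usual reason a profile that works in testing fails in the field.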
