SCEP settings
Use this payload to specify settings that allow the device to obtain certificates from a Certificate Authority (CA) using Simple Certificate Enrollment Protocol (SCEP).
Note: Use the SCEP payload for all configuration profiles. For more information, see About profiles and payloads and Payload best practices.
Setting | Description |
---|---|
URL | The address of the SCEP server. |
Name | Any string understood by the certificate authority. It can be used to distinguish between instances, for example. |
Subject | The representation of an X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which translates to: [ [ [“C”, “US”] ], [ [“O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ] |
Subject Alternative Name Type | Specify the type of an alternative name for the SCEP server. Types are RFC 822 Name, DNS Name, and Uniform Resource Identifier (URI). This can be the Uniform Resource Locator (URL), Uniform Resource Name (URN), or both. |
NT Principal Name | The principal name to be used in the certificate request. (optional) |
Retries | The number of times to poll the SCEP server for a signed certificate before giving up. |
Retry Delay | The number of seconds to wait between poll attempts. |
Challenge | The pre-shared secret the SCEP server uses to identify the request or user. |
Certificate expiration notification threshold (OS X only) | The number of days before a certificate expires at which to start showing the expiration notification. |
Key Size and Usage | Select a key size, and—using the checkboxes below this field—the acceptable uses of the key. |
Fingerprint | If your CA uses HTTP, use this field to provide the fingerprint of the CA’s certificate, which the device uses to confirm the authenticity of the CA’s response during enrollment. You can enter a SHA1 or an MD5 fingerprint, or select a certificate to import its signature. |
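The Subject row above describes the slash-delimited X.500 name and the nested array it becomes, and the Fingerprint row describes how the device pins the CA certificate when the SCEP URL is plain HTTP. The following Python is an added example, not code from the page or from Apple: it parses a subject string into the array form shown above, checks a configured SHA1 or MD5 fingerprint against a CA certificate's DER bytes, and assembles the payload dictionary as a property list. The PayloadContent key names (URL, Name, Subject, Challenge, Retries, RetryDelay, CAFingerprint) are taken from Apple's SCEP payload dictionary and are not listed on this page; the certificate bytes are a constructed placeholder, and the parser assumes values never contain a slash, which the page does not address.

```python
import hashlib
import hmac
import plistlib
import re
from typing import Dict, List, Optional

# Constructed stand-in for a CA certificate in DER form (not a real certificate).
SAMPLE_CA_DER = b"\x30\x82\x01\x00constructed-ca-certificate-placeholder"


def parse_scep_subject(subject: str) -> List[List[List[str]]]:
    """Turn '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' into
    [[['C', 'US']], [['O', 'Apple Inc.']], [['CN', 'foo']], [['1.2.5.3', 'bar']]].

    Assumption: attribute values do not contain '/'. Types may be short names
    (C, O, OU, CN, ...) or dotted numeric OIDs; anything else is rejected so a
    typo cannot silently produce a certificate request with a bad name."""
    rdns: List[List[List[str]]] = []
    for component in subject.strip("/").split("/"):
        if not component:
            continue
        attr_type, sep, value = component.partition("=")
        attr_type, value = attr_type.strip(), value.strip()
        if not sep or not attr_type or not value:
            raise ValueError(f"malformed subject component {component!r}")
        if not re.fullmatch(r"[A-Za-z]+|\d+(\.\d+)+", attr_type):
            raise ValueError(f"unrecognised attribute type {attr_type!r}")
        rdns.append([[attr_type, value]])
    if not rdns:
        raise ValueError("subject contains no components")
    return rdns


def format_fingerprint(ca_cert_der: bytes, algorithm: str) -> str:
    """Render a certificate fingerprint the way CA tools print it: colon-separated
    upper-case hex. The page permits SHA1 or MD5; nothing else is accepted."""
    if algorithm not in ("sha1", "md5"):
        raise ValueError("SCEP payload fingerprints are SHA1 or MD5 only")
    digest = hashlib.new(algorithm, ca_cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(ca_cert_der: bytes, configured_fingerprint: str) -> bool:
    """Check the CA certificate the device received against the fingerprint in
    the profile. The digest length tells us which algorithm the admin used;
    the comparison is constant-time so the check cannot be probed byte by byte."""
    digest_hex = re.sub(r"[:\s]", "", configured_fingerprint).lower()
    algorithm = {40: "sha1", 32: "md5"}.get(len(digest_hex))
    if algorithm is None:
        raise ValueError("fingerprint must be 32 (MD5) or 40 (SHA1) hex digits")
    computed = hashlib.new(algorithm, ca_cert_der).hexdigest()
    return hmac.compare_digest(computed, digest_hex)


def build_scep_payload(url: str, name: str, subject: str, challenge: str,
                       retries: int = 3, retry_delay: int = 10,
                       ca_fingerprint: Optional[str] = None) -> Dict[str, object]:
    """Assemble the SCEP PayloadContent dictionary. CAFingerprint is stored as raw
    digest bytes (plist <data>), not as the hex string the admin typed. Note that
    Challenge is a pre-shared secret kept in clear text inside the profile."""
    content: Dict[str, object] = {
        "URL": url,
        "Name": name,
        "Subject": parse_scep_subject(subject),
        "Challenge": challenge,
        "Retries": retries,
        "RetryDelay": retry_delay,
    }
    if ca_fingerprint:
        content["CAFingerprint"] = bytes.fromhex(re.sub(r"[:\s]", "", ca_fingerprint))
    return content


def payload_to_plist(content: Dict[str, object]) -> bytes:
    return plistlib.dumps(content)


def plist_to_payload(data: bytes) -> Dict[str, object]:
    return plistlib.loads(data)


if __name__ == "__main__":
    payload = build_scep_payload(
        "http://scep.example.com/scep", "Example CA",
        "/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar", "constructed-challenge",
        ca_fingerprint=format_fingerprint(SAMPLE_CA_DER, "sha1"))
    print(payload_to_plist(payload).decode())
```

Run the module directly to print the XML plist; the Subject key appears as nested arrays of strings and CAFingerprint as base64 data, which is what Profile Manager writes for the corresponding fields.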
You can add SCEP configurations by clicking the Add button.
Variables
With OS X, you can use the following variables in the SCEP Subject, Subject Alternative Name, and NT Principal Name fields. These variables are resolved on the device during installation, letting you dynamically customize the certificate enrollment request. You can combine these variables with static text, such as Mac.%ComputerName%, to create a compound subject.
Variable | Substitution |
---|---|
%AD_ComputerID% | Active Directory computer ID |
%AD_Domain% | Active Directory domain |
%AD_DomainForestName% | Active Directory forest name |
%AD_DomainGuid% | Active Directory GUID |
%AD_DomainNameDNS% | Active Directory DNS Name |
%AD_KerberosID% | Active Directory Kerberos ID |
%ComputerName% | The computer’s name, as set in System Preferences > Sharing |
%HardwareUUID% | The computer’s unique identifier |
%HostName% | The computer’s DNS name, such as mac1.example.com |
%LocalHostName% | The computer’s local network name, such as Mac1.local |
%MACAddress% | The computer’s Ethernet (en0) MAC address |
%SerialNumber% | The computer’s serial number |
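The variables in the table above are substituted on the device at install time. The following Python is an added example, not code from the page or from Apple, showing how such a substitution behaves: it resolves `%Variable%` tokens in the Subject, Subject Alternative Name and NT Principal Name fields against a constructed set of device attributes, reports tokens that are not on the supported list or have no value on the device, and refuses to emit a request field with an unresolved token in it. The device attribute values are constructed, and the field names in `resolve_scep_fields` are my own labels for the three fields the page says accept variables.

```python
import re
from typing import Dict, List

# Variables the page lists as supported on OS X.
SUPPORTED_VARIABLES = {
    "AD_ComputerID", "AD_Domain", "AD_DomainForestName", "AD_DomainGuid",
    "AD_DomainNameDNS", "AD_KerberosID", "ComputerName", "HardwareUUID",
    "HostName", "LocalHostName", "MACAddress", "SerialNumber",
}

# Constructed device attributes standing in for what the device knows at install time.
SAMPLE_DEVICE = {
    "ComputerName": "Mac1",
    "HostName": "mac1.example.com",
    "LocalHostName": "Mac1",
    "SerialNumber": "C02CONSTRUCTED",
    "HardwareUUID": "00000000-0000-4000-8000-000000000000",  # constructed
    "MACAddress": "00:11:22:33:44:55",  # constructed
    "AD_Domain": "CORP",
    "AD_DomainNameDNS": "corp.example.com",
    "AD_KerberosID": "mac1$@CORP.EXAMPLE.COM",
}

# %Name% where Name is an identifier; anything else (a stray '%') is left alone.
VARIABLE_PATTERN = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def variables_in(template: str) -> List[str]:
    """List the variable names referenced by a field, in order of appearance."""
    return VARIABLE_PATTERN.findall(template)


def unsupported_variables(template: str) -> List[str]:
    """Names that look like variables but are not in the page's supported list.
    These would reach the CA as literal text, so they are worth flagging when a
    profile is authored rather than when it is installed."""
    return [name for name in variables_in(template) if name not in SUPPORTED_VARIABLES]


def unresolved_variables(template: str, attributes: Dict[str, str]) -> List[str]:
    """Supported variables for which this device has no value (for example the
    AD_* variables on a machine that is not bound to Active Directory)."""
    return [name for name in variables_in(template) if name not in attributes]


def resolve_scep_variables(template: str, attributes: Dict[str, str]) -> str:
    """Substitute every %Variable% in a field. Raises instead of sending a request
    that still contains a token, since a CN of 'Mac.%ComputerName%' would be
    issued verbatim by a CA that does not validate names."""
    missing = unresolved_variables(template, attributes)
    if missing:
        raise ValueError(f"no device value for variable(s): {', '.join(missing)}")
    return VARIABLE_PATTERN.sub(lambda m: attributes[m.group(1)], template)


def resolve_scep_fields(fields: Dict[str, str], attributes: Dict[str, str]) -> Dict[str, str]:
    """Resolve the three fields the page says accept variables; other fields
    (URL, Challenge, ...) are copied through untouched so a '%' in a challenge
    secret is never rewritten."""
    variable_fields = {"Subject", "SubjectAltName", "NTPrincipalName"}  # my labels
    return {
        key: resolve_scep_variables(value, attributes) if key in variable_fields else value
        for key, value in fields.items()
    }


if __name__ == "__main__":
    fields = {
        "Subject": "/O=Example/OU=Macs/CN=Mac.%ComputerName%",
        "SubjectAltName": "%HostName%",
        "NTPrincipalName": "%AD_KerberosID%",
        "Challenge": "100%constructed",
    }
    for key, value in resolve_scep_fields(fields, SAMPLE_DEVICE).items():
        print(f"{key}: {value}")
```

Running the module prints the resolved fields; the Challenge value is unchanged even though it contains a percent sign, because only the three variable-bearing fields are rewritten.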