.. _payloadtype-com.apple.security.scep:

SCEP
====

An SCEP payload automates the request of a client certificate from an SCEP server.

.. note:: GetCACaps is mentioned in the documentation but not included in this manifest.

.. contents::

Summary
-------

.. pfmheader:: /_static/manifests/com.apple.security.scep manifest.plist

Keys
----

.. pfmkey:: PayloadContent:URL /_static/manifests/com.apple.security.scep manifest.plist

.. pfmkey:: PayloadContent:Name /_static/manifests/com.apple.security.scep manifest.plist

    Optional. Any string that is understood by the SCEP server. For example, it could be a domain name like example.org.
    If a certificate authority has multiple CA certificates, this field can be used to distinguish which is required.

.. pfmkey:: PayloadContent:Subject /_static/manifests/com.apple.security.scep manifest.plist

    Optional. An X.500 name represented as an array of OID and value pairs.
    For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which would translate to::

        [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ [ "1.2.5.3", "bar" ] ] ]

    OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST),
    organization (O), organizational unit (OU), and common name (CN).

.. pfmkey:: PayloadContent:Challenge /_static/manifests/com.apple.security.scep manifest.plist

.. pfmkey:: PayloadContent:Keysize /_static/manifests/com.apple.security.scep manifest.plist

.. pfmkey:: PayloadContent:CAFingerprint /_static/manifests/com.apple.security.scep manifest.plist

.. pfmkey:: PayloadContent:KeyType /_static/manifests/com.apple.security.scep manifest.plist

.. pfmkey:: PayloadContent:KeyUsage /_static/manifests/com.apple.security.scep manifest.plist

.. pfmkey:: PayloadContent:SubjectAltName /_static/manifests/com.apple.security.scep manifest.plist

.. pfmkey:: PayloadContent:Retries /_static/manifests/com.apple.security.scep manifest.plist

.. pfmkey:: PayloadContent:RetryDelay /_static/manifests/com.apple.security.scep manifest.plist

Substitution Variables
----------------------

The values of these can be obtained by running (in a Terminal window)::

    /usr/libexec/mdmclient dumpSCEPVars

========================== ====================
``%AD_ComputerID%``        computername$
``%AD_ComputerName%``      computername
``%AD_Domain%``            CONTOSO
``%AD_DomainForestName%``  contoso.com
``%AD_DomainGUID%``
``%AD_DomainNameDNS%``     contoso.com
``%AD_KerberosID%``        computer$@AD.DOMAIN
``%ComputerName%``         computer
``%HardwareUUID%``
``%HostName%``             computer.local
``%LocalHostName%``        computername
``%MACAddress%``           Ethernet MAC address
``%SerialNumber%``         Mac serial number
========================== ====================

Unified Logging
---------------

SCEP Networking
^^^^^^^^^^^^^^^

:Console: ``subsystem:com.apple.SCEP``
:CLI: ``log show --info --debug --predicate 'subsystem == "com.apple.SCEP"' --last 1h``

Certificate Payload Plugin
^^^^^^^^^^^^^^^^^^^^^^^^^^

:Console: ``subsystem:com.apple.ManagedClient library:Certificate``
:CLI: ``log show --info --debug --predicate '(subsystem == "com.apple.ManagedClient") && (senderImagePath ENDSWITH "Certificate")' --last 1h``

Links
-----

- `Official Documentation `_.
- `Certificate Renewal Behaviour `_.
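
The nested array form described for the ``PayloadContent:Subject`` key is easy to get wrong by hand, so the following added example (not part of the original manifest documentation) converts a slash-separated subject string into that array and serializes it as a plist fragment. The helper names, the backslash escape and the use of ``+`` to join a multi-valued RDN are assumptions of this example; only the attribute shortcuts and the array shape come from the key description.

```python
import plistlib
import re

# Attribute shortcuts listed for the Subject key; anything else must be a dotted OID.
SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}
DOTTED_OID = re.compile(r"\d+(\.\d+)+")


def _split(text, sep):
    """Split on an unescaped separator, leaving backslash escapes in place."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf += text[i:i + 2]
            i += 2
        elif text[i] == sep:
            parts.append(buf)
            buf = ""
            i += 1
        else:
            buf += text[i]
            i += 1
    parts.append(buf)
    return parts


def subject_to_array(dn):
    """Turn '/C=US/O=Apple Inc./CN=foo' into the nested array form of Subject."""
    if not dn.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns = []
    for rdn in _split(dn[1:], "/"):
        pairs = []
        for item in _split(rdn, "+"):  # assumption: '+' joins a multi-valued RDN
            attr, eq, value = item.partition("=")
            if not eq or not value:
                raise ValueError(f"malformed component: {item!r}")
            if attr not in SHORTCUTS and not DOTTED_OID.fullmatch(attr):
                raise ValueError(f"{attr!r} is neither a shortcut nor a dotted OID")
            pairs.append([attr, re.sub(r"\\(.)", r"\1", value)])
        rdns.append(pairs)
    return rdns


def subject_plist(dn):
    """Serialize only the Subject key, as it would appear inside PayloadContent."""
    return plistlib.dumps({"Subject": subject_to_array(dn)}).decode()


if __name__ == "__main__":
    print(subject_plist("/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar"))
```

Attributes outside the listed shortcuts are rejected unless given as a dotted OID, which catches a mistyped attribute name before the profile is deployed.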