SCEP¶
An SCEP payload automates the request of a client certificate from an SCEP server.
Note
GetCACaps is mentioned in the documentation but not included in this manifest.
Summary¶
PayloadType: | com.apple.security.scep |
---|---|
Supervised Only: | N/A |
macOS: | N/A |
macOS Deprecated: | N/A |
iOS: | N/A |
iOS Deprecated: | N/A |
Highlander: | N/A |
Keys¶
URL¶
URL
The base URL for the SCEP server
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | always | N/A | N/A | N/A | N/A |
Name¶
Name
Optional. Any string that is understood by the SCEP server. For example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates this field can be used to distinguish which is required.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
Subject¶
Subject
An X.500 name represented as an array of relative distinguished names, each itself an array of [OID, value] pairs. OIDs can be given as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | N/A | N/A | N/A |
Optional. An X.500 name represented as an array of relative distinguished names, each an array of [OID, value] pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar translates to:
[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], …, [ [ "1.2.5.3", "bar" ] ] ]
OIDs can be given as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
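The translation described above, as an added example that is not code from this page or from Apple: a small parser that turns the slash-separated form into the nested Subject array and back. It goes one step beyond the page's example by also accepting OpenSSL-style multi-valued RDNs ("/CN=foo+OU=bar"), which is why each RDN is itself an array of pairs, and by honouring backslash-escaped "/" and "+" inside values. The function names and the escaping convention are this example's own assumptions.

```python
import re
from typing import List

# Shortcut attribute names the Subject key accepts instead of dotted OIDs.
SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}
DOTTED_OID = re.compile(r"^\d+(\.\d+)+$")

# Separators: '/' between RDNs, '+' between the attributes of one multi-valued
# RDN (OpenSSL convention). Either may be escaped with a backslash inside a value.
RDN_SPLIT = re.compile(r"(?<!\\)/")
ATTR_SPLIT = re.compile(r"(?<!\\)\+")


def parse_subject(dn: str) -> List[List[List[str]]]:
    """Translate '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' into the nested array
    the Subject key expects: an array of RDNs, each an array of [OID, value]
    pairs. A multi-valued RDN ('/CN=foo+OU=bar') becomes one inner array with
    two pairs; escaped '\\/' and '\\+' are restored to literal characters."""
    subject: List[List[List[str]]] = []
    for rdn_text in RDN_SPLIT.split(dn):
        if not rdn_text:
            continue  # the leading '/' yields an empty element
        rdn: List[List[str]] = []
        for attr in ATTR_SPLIT.split(rdn_text):
            if "=" not in attr:
                raise ValueError(f"attribute without '=': {attr!r}")
            oid, value = attr.split("=", 1)
            oid = oid.strip()
            if oid not in SHORTCUTS and not DOTTED_OID.match(oid):
                raise ValueError(f"not a shortcut or dotted OID: {oid!r}")
            rdn.append([oid, value.replace("\\/", "/").replace("\\+", "+")])
        subject.append(rdn)
    if not subject:
        raise ValueError("empty subject")
    return subject


def format_subject(subject: List[List[List[str]]]) -> str:
    """Inverse of parse_subject, useful for logging what a profile will request."""
    rdns = []
    for rdn in subject:
        attrs = []
        for oid, value in rdn:
            escaped = value.replace("/", "\\/").replace("+", "\\+")
            attrs.append(f"{oid}={escaped}")
        rdns.append("+".join(attrs))
    return "".join("/" + rdn for rdn in rdns)


if __name__ == "__main__":
    example = "/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar"
    parsed = parse_subject(example)
    print(parsed)
    assert format_subject(parsed) == example
```

Values are kept verbatim apart from the two escapes; an unknown attribute name is rejected rather than passed through, since the device will not know what to do with it either.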
Challenge¶
Challenge
Optional. Used as the pre-shared secret (the SCEP challengePassword) for automatic enrollment. A value written here ships inside the profile, so anyone who obtains the profile can enroll with it; prefer a per-device, single-use challenge issued by the SCEP server.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
Keysize¶
Key Size
Key size in bits. 1024-bit RSA is below current minimums; use 2048.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 1024 | N/A | N/A | N/A | N/A | N/A |
Valid Choices¶
- 1024
- 2048
CAFingerprint¶
Fingerprint
Optional. The fingerprint of the Certificate Authority certificate, supplied as raw bytes. The device compares it against the CA certificate it retrieves from the SCEP server; set it whenever the URL is plain HTTP, as SCEP endpoints often are, so a spoofed server cannot substitute its own CA.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
data | N/A | N/A | N/A | N/A | N/A | N/A |
KeyType¶
Key Type
Optional. Currently always "RSA".
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | RSA | N/A | N/A | N/A | N/A | N/A |
Valid Choices¶
- RSA
KeyUsage¶
Key Usage
A bitmask indicating the use of the key: 1 = signing, 4 = encryption, 5 = signing and encryption.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 0 | N/A | N/A | 4.0 | N/A | N/A |
SubjectAltName¶
Subject Alt Name
Specifies the Subject Alternative Name for the certificate. The dictionary may contain rfc822Name, dNSName, uniformResourceIdentifier and ntPrincipalName entries.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
dictionary | N/A | N/A | N/A | N/A | N/A | N/A |
Retries¶
Retries
The number of times the device should retry if the server sends a PENDING response
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 3 | N/A | N/A | N/A | N/A | N/A |
RetryDelay¶
Retry Delay
The number of seconds to wait between subsequent retries. The first retry is attempted without this delay
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 10 | N/A | N/A | N/A | N/A | N/A |
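Putting the keys above together, as an added example that is not code from this page or from Apple: Python that assembles a com.apple.security.scep payload dictionary with plistlib and then lints it for the settings a reviewer would reject (a 1024-bit key, a plain-HTTP URL with no CAFingerprint, a KeyUsage value outside the defined bitmask, and a static Challenge). The key names follow the headings on this page; the Payload* keys are the common profile envelope. The URL, identifier, subject, fingerprint bytes and SubjectAltName value are constructed sample data.

```python
import plistlib
import uuid
from typing import Any, Dict, List, Optional
from urllib.parse import urlsplit

# KeyUsage is a bitmask: 1 = signing, 4 = encryption, 5 = both.
KEYUSAGE_SIGNING = 1
KEYUSAGE_ENCRYPTION = 4
VALID_KEYUSAGE = (KEYUSAGE_SIGNING, KEYUSAGE_ENCRYPTION,
                  KEYUSAGE_SIGNING | KEYUSAGE_ENCRYPTION)


def build_scep_payload(url: str, subject: List[List[List[str]]], *,
                       name: Optional[str] = None,
                       challenge: Optional[str] = None,
                       keysize: int = 2048,
                       keyusage: int = KEYUSAGE_SIGNING | KEYUSAGE_ENCRYPTION,
                       ca_fingerprint: Optional[bytes] = None,
                       san: Optional[Dict[str, str]] = None,
                       retries: int = 3, retry_delay: int = 10,
                       identifier: str = "com.example.scep") -> Dict[str, Any]:
    """Assemble one com.apple.security.scep payload dictionary. Key names follow
    the headings on this page; the Payload* keys are the common profile envelope
    and the default identifier is an assumed example value."""
    content: Dict[str, Any] = {
        "URL": url,
        "Subject": subject,
        "Keysize": keysize,
        "KeyType": "RSA",
        "KeyUsage": keyusage,
        "Retries": retries,
        "RetryDelay": retry_delay,
    }
    if name is not None:
        content["Name"] = name
    if challenge is not None:
        content["Challenge"] = challenge
    if ca_fingerprint is not None:
        content["CAFingerprint"] = ca_fingerprint  # bytes serialise as <data>
    if san:
        content["SubjectAltName"] = dict(san)
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP",
        "PayloadContent": content,
    }


def lint_scep_payload(payload: Dict[str, Any]) -> List[str]:
    """Return the settings a reviewer would push back on before deploying."""
    c = payload["PayloadContent"]
    findings: List[str] = []
    if c.get("KeyType", "RSA") != "RSA":
        findings.append("KeyType must be RSA; nothing else is defined")
    if c.get("Keysize", 1024) < 2048:  # 1024 is the documented default
        findings.append(f"Keysize {c.get('Keysize', 1024)}: below current minimums, use 2048")
    if urlsplit(c["URL"]).scheme.lower() != "https" and "CAFingerprint" not in c:
        findings.append("URL is not HTTPS and no CAFingerprint is set: "
                        "the CA certificate fetched from the server cannot be verified")
    if c.get("KeyUsage", 0) not in VALID_KEYUSAGE:
        findings.append(f"KeyUsage {c.get('KeyUsage', 0)} is not one of 1, 4 or 5")
    if "Challenge" in c:
        findings.append("Challenge is embedded in the profile: anyone holding the "
                        "profile can enroll with it; prefer a per-device challenge")
    return findings


def to_plist(payload: Dict[str, Any]) -> bytes:
    """Serialise as an XML plist, the form profiles are authored and signed in."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def from_plist(data: bytes) -> Dict[str, Any]:
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed sample: a weak configuration a reviewer should reject.
    weak = build_scep_payload("http://scep.example.com/cgi-bin/pkiclient.exe",
                              [[["CN", "%ComputerName%"]]],
                              keysize=1024, challenge="static-secret")
    for finding in lint_scep_payload(weak):
        print("-", finding)
```

The lint only treats a missing CAFingerprint as a finding when the URL is not HTTPS; pinning the CA is still worthwhile over HTTPS, since the TLS certificate and the issuing CA are not necessarily the same trust decision.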
Substitution Variables¶
The values of these can be obtained by running (in a Terminal window):
/usr/libexec/mdmclient dumpSCEPVars
Variable | Example value |
---|---|
%AD_ComputerID% | computername$ |
%AD_ComputerName% | computername |
%AD_Domain% | CONTOSO |
%AD_DomainForestName% | contoso.com |
%AD_DomainGUID% | <GUID value> |
%AD_DomainNameDNS% | contoso.com |
%AD_KerberosID% | computer$@AD.DOMAIN |
%ComputerName% | computer |
%HardwareUUID% | <Hardware unique UUID> |
%HostName% | computer.local |
%LocalHostName% | computername |
%MACAddress% | ethernet mac address |
%SerialNumber% | mac serial number |
Unified Logging¶
SCEP Networking¶
Console: | subsystem:com.apple.SCEP |
---|---|
CLI: | log show --info --debug --predicate 'subsystem == "com.apple.SCEP"' --last 1h |
Certificate Payload Plugin¶
Console: | subsystem:com.apple.ManagedClient library:Certificate |
---|---|
CLI: | log show --info --debug --predicate '(subsystem == "com.apple.ManagedClient") && (senderImagePath ENDSWITH "Certificate")' --last 1h |