SCEP

An SCEP payload automates the request of a client certificate from an SCEP server.

Note

GetCACaps is mentioned in the documentation but not included in this manifest.

Summary

PayloadType:com.apple.security.scep
Supervised Only:
 N/A
macOS:N/A
macOS Deprecated:
 N/A
iOS:N/A
iOS Deprecated:N/A
Highlander:N/A

Keys

URL

URL

The base URL for the SCEP server

Type Default Required Regex iOS macOS Supervised
string N/A always N/A N/A N/A N/A

Name

Name

Optional. Any string that is understood by the SCEP server. For example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates this field can be used to distinguish which is required.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

Optional. Any string that is understood by the SCEP server. For example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates this field can be used to distinguish which is required.

Subject

Subject

The representation of a X.500 name represented as an array of OID and value. OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).

Type Default Required Regex iOS macOS Supervised
array N/A N/A N/A N/A N/A N/A

Optional. The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which would translate to:

[ [ [“C”, “US”] ], [ [“O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ]

OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).

Challenge

Challenge

Used as the pre-shared secret for automatic enrollment

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

Keysize

Key Size

Key size in bits

Type Default Required Regex iOS macOS Supervised
integer 1024 N/A N/A N/A N/A N/A

Valid Choices

  • 1024
  • 2048

CAFingerprint

Fingerprint

Optional. The fingerprint of the Certificate Authority certificate.

Type Default Required Regex iOS macOS Supervised
data N/A N/A N/A N/A N/A N/A

KeyType

Key Type

Optional. Currently always “RSA”.

Type Default Required Regex iOS macOS Supervised
string RSA N/A N/A N/A N/A N/A

Valid Choices

  • RSA

KeyUsage

Key Usage

A bitmask indicating the use of the ky. 1 - signing, 4 - encryption, 5 - signing and encryption

Type Default Required Regex iOS macOS Supervised
integer 0 N/A N/A 4.0 N/A N/A

SubjectAltName

Subject Alt Name

Specifies the Subject Alt Name for the certificate

Type Default Required Regex iOS macOS Supervised
dictionary N/A N/A N/A N/A N/A N/A

Retries

Retries

The number of times the device should retry if the server sends a PENDING response

Type Default Required Regex iOS macOS Supervised
integer 3 N/A N/A N/A N/A N/A

RetryDelay

Retry Delay

The number of seconds to wait between subsequent retries. The first retry is attempted without this delay

Type Default Required Regex iOS macOS Supervised
integer 10 N/A N/A N/A N/A N/A

Substitution Variables

The values of these can be obtained by running (in a Terminal window):

/usr/libexec/mdmclient dumpSCEPVars
%AD_ComputerID%
computername$
%AD_ComputerName%
computername
%AD_Domain%
CONTOSO
%AD_DomainForestName%
contoso.com
%AD_DomainGUID%
<GUID value>
%AD_DomainNameDNS%
contoso.com
%AD_KerberosID%
computer$@AD.DOMAIN
%ComputerName%
computer
%HardwareUUID%
<Hardware unique UUID>
%HostName%
computer.local
%LocalHostName%
computername
%MACAddress%
ethernet mac address
%SerialNumber%
mac serial number

Unified Logging

SCEP Networking

Console:subsystem:com.apple.SCEP
CLI:log show --info --debug --predicate 'subsystem == "com.apple.SCEP"' --last 1h

Certificate Payload Plugin

Console:subsystem:com.apple.ManagedClient library:Certificate
CLI:log show --info --debug --predicate '(subsystem == "com.apple.ManagedClient") && (senderImagePath ENDSWITH "Certificate")' --last 1h