Simple Certificate Enrollment Protocol (SCEP)

Simple Certificate Enrollment Protocol (SCEP) is a certificate management protocol which is predominantly used for enabling certificate-based authentication. With SCEP, Mobile Device Manager Plus MSP lets you enforce certificate-based authentication for Wi-Fi, VPN, and E-mail configurations on your managed Android devices.

In large-scale organizations, manually issuing client certificates for every Android device on the organizational network is a cumbersome task for the IT administrator. SCEP simplifies certificate configuration and distribution by providing a simple and scalable method for handling certificates within organizations.

The major advantages of certificate-based authentication using SCEP are as follows:

Note: The device contacts the SCEP server directly to generate the certificate, so ensure the SCEP server is reachable from the device. The SCEP server does not need to be reachable from MDM.


Configuring SCEP in MDM

Note:

  1. The value for Subject should be in LDAP DN format as explained here.
  2. You can verify server details such as the enrollment challenge password from http://<your-server>/CertSrv/mscep_admin and http://<your-server>/CertSrv/mscep/mscep.dll.
  3. If the SCEP server is unreachable, try accessing the SCEP server URL in the format http://<your-server>/CertSrv/mscep/mscep.dll from the device. If the URL cannot be reached, try accessing the URL after connecting to a local Wi-Fi network, and then distribute the profile.

Profile Specification


SCEP Configuration Name

The user-defined configuration name, which is used to refer to this configuration in other configurations such as Wi-Fi, VPN, etc.


Server URL

The URL to be specified in the device to obtain the certificate. Provide the HTTP server URL if the SCEP server is within the organization network and not exposed to external networks. The certificate is requested through this URL.
For NDES, the server URL format is: http://<your-server>/CertSrv/mscep/mscep.dll

Certificate Authority Name

Specify the name of the Certificate Authority issuing certificates.


Specify the details (%username%, %email%, %domainname%, %devicename%) to map the corresponding details in the device.

Subject Alternative Name Type

Specify the alternate details (RFC 822 Name, DNS Name, Uniform Resource Identifier).

Subject Alternative Name Type Value (Can be configured only if Subject Alternative Name Type is configured)

Specify the value for alternative name type.

NT Principal Name

Specify the NT Principal Name used in the organization.

Maximum Number of Failed Attempts

The number of attempts to obtain the certificate from the CA.

Time interval between attempts

The time to wait before subsequent attempts to obtain the certificate.

Challenge Type

A pre-shared secret key provided by the CA, which adds an additional layer of security.

Enrollment Challenge Password

Provide the challenge password to be used. Challenge Password can be identified as explained here.

Key Size

Specify whether the key is 1024 or 2048 bits.

Use as Digital Signature

Enabling this option ensures the certificate can be used for digital signatures.

Use for Key Encipherment

Enabling this option ensures the certificate can be used for key encipherment.
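
The field rules in the Profile Specification above can be checked before a profile is distributed. The following is an added example, not code from Mobile Device Manager Plus MSP: the dictionary keys, the sample host name and the simplified DN check are assumptions of this example, and the key-size warning assumes RSA keys.

```python
import re
from urllib.parse import urlparse

# Placeholder names come from the page; dict keys and sample data are hypothetical.
PLACEHOLDERS = ("%username%", "%email%", "%domainname%", "%devicename%")
# Simplified check for one TYPE=value component of a DN (not a full RFC 4514 parser).
RDN = re.compile(r"\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^=,+]+")


def expand(template, device):
    """Substitute the page's placeholders with values for one device."""
    problems = []
    for token in sorted(set(re.findall(r"%[A-Za-z]+%", template))):
        value = device.get(token.strip("%"), "")
        if token not in PLACEHOLDERS:
            problems.append(f"unknown placeholder {token}")
        elif not value:
            problems.append(f"{token} has no value for this device")
        elif set(',+"\\<>;=') & set(value):
            problems.append(f"{token} value contains DN special characters")
        template = template.replace(token, value)
    return template, problems


def lint_profile(profile, device):
    """Return a list of findings for one SCEP profile (empty list means clean)."""
    findings = []
    url = urlparse(profile.get("server_url", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        findings.append("server_url: not an absolute http(s) URL")
    subject, problems = expand(profile.get("subject", ""), device)
    findings += [f"subject: {p}" for p in problems]
    if not problems and not all(RDN.fullmatch(r) for r in subject.split(",")):
        findings.append("subject: not in LDAP DN format")
    if profile.get("san_value") and not profile.get("san_type"):
        findings.append("san_value: set without a Subject Alternative Name Type")
    if profile.get("key_size") not in (1024, 2048):
        findings.append("key_size: must be 1024 or 2048")
    elif profile["key_size"] == 1024:
        findings.append("key_size: 1024-bit RSA is weak; prefer 2048")
    return findings


# Constructed sample data, not taken from any real deployment.
DEVICE = {"username": "alice", "email": "alice@example.com"}
GOOD = {"server_url": "http://ndes.example.com/CertSrv/mscep/mscep.dll",
        "subject": "CN=%username%,OU=Mobile,O=Example", "key_size": 2048,
        "san_type": "RFC 822 Name", "san_value": "%email%"}
BAD = dict(GOOD, subject="%username% Mobile", key_size=1024, san_type=None)
```

Calling `lint_profile(BAD, DEVICE)` reports the malformed Subject, the orphaned SAN value and the 1024-bit key. A device record with a missing or comma-containing user name is flagged before it can produce an empty or altered Subject.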

Copyright © 2021, ZOHO Corp. All Rights Reserved.