Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 00:49:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 143

[Feature guide] Deploy certificates from DigiCert and custom SCEP certificate authority on macOS (#27439)

Browse source 
Related to:

- #25822

Updating existing guide for NDES. Adding instructions on how to connect
and issue certificates from DigiCert and custom SCEP certificate
authorities.

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
This commit is contained in:
Marko Lisica 2025-04-01 15:40:03 +02:00 committed by GitHub
parent 718e1bed1f
commit 2ced8f710f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 307 additions and 147 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

307
articles/connect-end-user-to-wifi-with-certificate.md Normal file
View file

@ -0,0 +1,307 @@
# Connect end users to Wi-Fi or VPN with a certificate (DigiCert, NDES, or custom SCEP)
_Available in Fleet Premium_
Fleet can help your end users connect to Wi-Fi or VPN by deploying certificates from your certificate authority (CA). Fleet currently supports [DigiCert](https://www.digicert.com/digicert-one), [Microsoft NDES](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/network-device-enrollment-service-overview), and custom [SCEP](https://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol) server.
## DigiCert
To connect end users to W-Fi or VPN with DigiCert certificates, we'll do the following steps:
- [Create service user in DigiCert](#step-1-create-service-user-in-digicert)
- [Create certificate profile in DigiCert](#step-2-create-certificate-profile-in-digicert)
- [Connect Fleet to DigiCert](#step-3-connect-fleet-to-digicert)
- [Add PKCS #12 configuration profile to Fleet](#step-4-add-pkcs-12-configuration-profile-to-fleet)
### Step 1: Create service user in DigiCert
1. Head to [DigiCert One](https://one.digicert.com/)
2. Follow the instructions to create a service user [here](https://docs.digicert.com/en/platform-overview/manage-your-accounts/account-manager/users-and-access/service-users/create-a-service-user.html) and save the service user's API token.
> Make sure to assign **User and certificate manager** and **Certificate profile manager** roles
> when creating service user.
### Step 2: Create certificate profile in DigiCert
1. In DigiCert [Trust Lifcycle Manager](https://one.digicert.com/mpki/dashboard), select **Policies > Certificate profiles** from the main menu. Then select **Create profile from template** and select **Generic Device Certificate** from the list.
2. Add a friendly **Profile name** (e.g. "Fleet - Wi-Fi authentication").
3. Select your **Business unit** and **Issuing CA**.
4. Select **REST API** from **Enrollment method**. Then select **3rd party app** from the **Authentication method** dropdown and select **Next**.
5. Configure the certificate expiration. At most organizations, this is set to 90 days.
6. In the **Subject DN and SAN fields** section, make sure to add **Common name**. **Other name (UPN)** is optional. For **Common name**, select **REST request** from **Source for the field's value** dropdown and check **Required**. If you use **Other name (UPN)**, select **REST Request** and check both **Required** and **Multiple**. Organizations usually use device's serial number or user's email, you can use Fleet variables in the next section, and Fleet will replace these variables with the actual values before certificate is delivered to a device.
7. Click **Next** and leave all default options. We'll come back to this later.
### Step 3: Connect Fleet to DigiCert
1. In Fleet, head to **Settings > Integrations > Certificates**.
2. Select **Add CA** and then choose **DigiCert** in the dropdown.
3. Add a **Name** for your certificate authority. The best practice is to create a name based on your use case in all caps snake case (ex. "WIFI_AUTHENTICATION"). We'll use this name later as variable name in a configuration profile.
4. If you're using DigiCert One's cloud offering, keep the default **URL**. If you're using a self-hosted (on-prem) DigiCert One, update the URL to match the one you use to login to your DigiCert One.
5. In **API token**, paste your DigiCert server user's API token (from step 1).
6. In **Profile GUID**, paste your DigiCert One certificate profile GUID (from step 2). To get your profile GUID, in DigiCert, head to the [Certificate profiles](https://one.digicert.com/mpki/policies/profiles) page, open your profile, and copy **GUID**.
7. In **CN**, **UPN**, and **Certificate seat ID**, you can use fixed values or one of the [Fleet's host variables](https://fleetdm.com/docs/configuration/yaml-files#macos-settings-and-windows-settings). Organizations usually use the host's serial number or end user's email to deliver a certificate that's unique to the host.
8. Select **Add CA**. Your DigiCert certificate authority (CA) should appear in your list of CAs in Fleet.
### Step 4: Add PKCS12 configuration profile to Fleet
1. Create a [configuration profile](https://fleetdm.com/guides/custom-os-settings) with a PKCS12 payload. In the profile, for `Password`, use `$FLEET_VAR_DIGICERT_PASSWORD_<CA_NAME>`. For `Data`, use `$FLEET_VAR_DIGICERT_DATA_<CA_NAME>`.
2. Replace the `<CA_NAME>`, with name you created in step 3. For example, if the name of the CA is "WIFI_AUTHENTICATION" the variables will look like this: `$FLEET_VAR_DIGICERT_PASSWORD_WIFI_AUTHENTICATION` and `$FLEET_VAR_DIGICERT_DATA_WIFI_AUTHENTICATION`.
3. In Fleet, head to **Controls > OS settings > Custom settings** and add the configuration profile to deploy certificates to your hosts.
When Fleet delivers the profile to your hosts, Fleet will replace the variables. If something goes wrong, errors will appear on each host's **Host details > OS settings**.
If you resend the profile (select **Resend** in **Host details > OS settings**), Fleet will get a new certificate and create a new seat in DigiCert, which will take 1 license. If you want to revoke a license, in DigiCert, head to [**Trust Lifcycle Manager > Account > Seats**](https://demo.one.digicert.com/mpki/account/seats) and remove the seat.
#### Example configuration profile
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Password</key>
<string>$FLEET_VAR_DIGICERT_PASSWORD_CA_NAME</string>
<key>PayloadContent</key>
<data>$FLEET_VAR_DIGICERT_DATA_CA_NAME</data>
<key>PayloadDisplayName</key>
<string>CertificatePKCS12</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.pkcs12</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>ee86cfcb-2409-42c2-9394-1f8113412e04</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>DigiCert profile</string>
<key>PayloadIdentifier</key>
<string>TopPayloadIdentifier</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>TopPayloadUUID</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
## Microsoft NDES
To connect end users to W-Fi or VPN with Microsoft NDES certificates, we'll do the following steps:
- [Connect Fleet to NDES](#step-1-connect-fleet-to-ndes)
- [Add SCEP configuration profile to Fleet](#step-2-add-scep-configuration-profile-to-fleet)
### Step 1: Connect Fleet to NDES
1. In Fleet, head to **Settings > **Integrations > Certificates**.
2. Select the **Add CA** button and select **Microsoft NDES** in the dropdown.
3. Add your **SCEP URL**, **Admin URL**, and **Username** and **Password**.
5. Select **Add CA**. Your NDES certificate authority (CA) should appear in the list in Fleet.
The example paths end with `/certsrv/mscep/mscep.dll` and `/certsrv/mscep_admin/` respectively. These path suffixes are the default paths for NDES on Windows Server 2022 and should only be changed if you have customized the paths on your server.
When saving the configuration, Fleet will attempt to connect to the SCEP server to verify the connection, including retrieving a one-time challenge password. This validation also occurs when adding a new SCEP configuration or updating an existing one via API and GitOps, including dry runs. Please ensure the NDES password cache size is large enough to accommodate this validation.
### Step 2: Add SCEP configuration profile to Fleet
1. Create a [configuration profile](https://fleetdm.com/guides/custom-os-settings) with the SCEP payload. In the profile, for `Challenge`, use`$FLEET_VAR_NDES_SCEP_CHALLENGE`. For `URL`, use `$FLEET_VAR_NDES_SCEP_PROXY_URL`.
2. If your Wi-Fi or VPN requires certificates that are unique to each host, update the `Subject`. You can use `$FLEET_VAR_HOST_END_USER_EMAIL_IDP` if your hosts automatically enrolled (via ADE) to Fleet with end user authentication enabled (learn more [here](https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping)). You can also use any of the [Apple's built-in variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0).
3. In Fleet, head to **Controls > OS settings > Custom settings** and add the configuration profile to deploy certificates to your hosts.
When Fleet delivers the profile to your hosts, Fleet will replace the variables. If something goes wrong, errors will appear on each host's **Host details > OS settings**.
![NDES SCEP failed profile](../website/assets/images/articles/ndes-scep-failed-profile.png)
#### Example configuration profile
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>$FLEET_VAR_NDES_SCEP_CHALLENGE</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>2048</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>%SerialNumber% WIFI $FLEET_VAR_HOST_END_USER_EMAIL_IDP</string>
</array>
</array>
<array>
<array>
<string>OU</string>
<string>FLEET DEVICE MANAGEMENT</string>
</array>
</array>
</array>
<key>URL</key>
<string>$FLEET_VAR_NDES_SCEP_PROXY_URL</string>
</dict>
<key>PayloadDisplayName</key>
<string>WIFI SCEP</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.scep.9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEP proxy cert</string>
<key>PayloadIdentifier</key>
<string>Fleet.WiFi</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>4CD1BD65-1D2C-4E9E-9E18-9BCD400CDEDC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
## Custom SCEP server
To connect end users to W-Fi or VPN with a custom SCEP server, we'll do the following steps:
- [Connect Fleet to custom SCEP server](#step-1-connect-fleet-to-custom-scep-server)
- [Add SCEP configuration profile to Fleet](#step-2-add-scep-configuration-profile-to-fleet2)
### Step 1: Connect Fleet to custom SCEP server
1. In Fleet, head to **Settings > **Integrations > Certificates**.
2. Select the **Add CA** button and select **Custom** in the dropdown.
3. Add a **Name** for your certificate authority. The best practice is to create a name based on your use case in all caps snake case (ex. "WIFI_AUTHENTICATION"). We'll use this name later as variable name in a configuration profile.
4. Add your **SCEP URL** and **Challenge**.
6. Select **Add CA**. Your custom SCEP certificate authority (CA) should appear in the list in Fleet.
### Step 2: Add SCEP configuration profile to Fleet
1. Create a [configuration profile](https://fleetdm.com/guides/custom-os-settings) with the SCEP payload. In the profile, for `Challenge`, use`$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_<CA_NAME>`. For, `URL`, use `$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_<CA_NAME>`.
2. Replace the `<CA_NAME>`, with name you created in step 3. For example, if the name of the CA is "WIFI_AUTHENTICATION" the variables will look like this: `$FLEET_VAR_CUSTOM_SCEP_PASSWORD_WIFI_AUTHENTICATION` and `FLEET_VAR_CUSTOM_SCEP_DIGICERT_DATA_WIFI_AUTHENTICATION`.
3. If your Wi-Fi or VPN requires certificates that are unique to each host, update the `Subject`. You can use `$FLEET_VAR_HOST_END_USER_EMAIL_IDP` if your hosts automatically enrolled (via ADE) to Fleet with end user authentication enabled (learn more [here](https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping)). You can also use any of the [Apple's built-in variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0).
4. In Fleet, head to **Controls > OS settings > Custom settings** and add the configuration profile to deploy certificates to your hosts.
When Fleet delivers the profile to your hosts, Fleet will replace the variables. If something goes wrong, errors will appear on each host's **Host details > OS settings**.
#### Example configuration profile
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_CA_NAME</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>2048</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>%SerialNumber% WIFI $FLEET_VAR_HOST_END_USER_EMAIL_IDP</string>
</array>
</array>
<array>
<array>
<string>OU</string>
<string>FLEET DEVICE MANAGEMENT</string>
</array>
</array>
</array>
<key>URL</key>
<string>$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_CA_NAME</string>
</dict>
<key>PayloadDisplayName</key>
<string>WIFI SCEP</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.scep.9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEP proxy cert</string>
<key>PayloadIdentifier</key>
<string>Fleet.WiFi</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>4CD1BD65-1D2C-4E9E-9E18-9BCD400CDEDC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
## How the SCEP proxy works
Fleet acts as a middleman between the host and the NDES or custom SCEP server. When a host requests a certificate from Fleet, Fleet requests a certificate from the NDES or
custom SCEP server, retrieves the certificate, and sends it back to the host.
In addition, Fleet does the following:
SCEP proxy:
- Retrieves the one-time challenge password from NDES. The NDES admin password is encrypted in Fleet's database by the [server private key](https://fleetdm.com/docs/configuration/fleet-server-configuration#server-private-key). It cannot be retrieved via the API or the web interface. Retrieving passwords for many hosts at once may cause a bottleneck. To avoid long wait times, we recommend a gradual rollout of SCEP profiles.
- Restarting NDES will clear the password cache and may cause outstanding SCEP profiles to fail.
- Resends the configuration profile to the host if the one-time challenge password has expired.
- If the host has been offline and the one-time challenge password is more than 60 minutes old, Fleet assumes the password has expired and will resend the profile to the host with a new one-time challenge password.
Certificates will appear in the System Keychain on macOS. During the profile installation,
the OS generates several temporary certificates needed for the SCEP protocol. These certificates may be briefly visible in the Keychain Access app on macOS. The CA certificate must also be installed and marked as trusted on the device for the issued certificate to appear as trusted. The IT admin can send the CA certificate in a separate [CertificateRoot profile](https://developer.apple.com/documentation/devicemanagement/certificateroot?language=objc)
## Assumptions and limitations
* NDES SCEP proxy is currently supported for macOS devices via Apple config profiles. Support for DDM (Declarative Device Management) is coming soon, as is support for iOS, iPadOS, Windows, and Linux.
* Certificate renewal is coming soon.
* Fleet server assumes a one-time challenge password expiration time of 60 minutes.
<meta name="articleTitle" value="Connect end users to Wi-Fi with a certificate (DigiCert, NDES, or custom SCEP)">
<meta name="authorFullName" value="Victor Lyuboslavsky">
<meta name="authorGitHubUsername" value="getvictor">
<meta name="category" value="guides">
<meta name="publishedOn" value="2024-10-30">
<meta name="description" value="Learn how to automatically connect device to a Wi-Fi by adding your certificate authority and issuing certificate from it.">

147
articles/ndes-scep-proxy.md
View file

@ -1,147 +0,0 @@
# Connect end users to Wi-Fi with Simple Certificate Enrollment Protocol (SCEP)
Fleet [v4.59.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.59.0) introduces support for helping your end users connect to Wi-Fi by adding your SCEP server. Fleet currently supports Microsoft's Network Device Enrollment Service (NDES) as a SCEP server.
This guide will walk you through configuring and using NDES with Fleet acting as a SCEP proxy.
## Prerequisites
* Fleet Premium with admin permissions.
* Fleet [v4.59.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.59.0) or greater.
* Apple MDM enabled.
* A Windows Server with AD CS (Active Directory Certificate Services) and NDES installed and configured, including the certificate templates for the certificates you want to enroll for.
* The default password cache size for NDES is five passwords. Increase this value to account for the number of devices you expect to enroll simultaneously, including devices that may be offline and need to enroll when they come online.
## Step-by-step instructions
### 1. Add SCEP in Fleet
Go to the Fleet web interface, navigate to `Settings`, go to the `Integrations` tab, and click `Mobile device management (MDM)`. Scroll down to `Simple Certificate Enrollment Protocol (SCEP)` and click `Add SCEP`.
![Add SCEP](../website/assets/images/articles/add-scep.png)
### 2. Configure NDES SCEP settings
You will need to provide the SCEP URL that accepts the SCEP protocol. You'll also need to give the admin URL with the associated username and password to get the one-time challenge passwords for SCEP enrollment.
![Configure NDES SCEP settings](../website/assets/images/articles/ndes-scep-config.png)
Note:
* The example paths end with `/certsrv/mscep/mscep.dll` and `/certsrv/mscep_admin/` respectively. These path suffixes are the default paths for NDES on Windows Server 2022 and should only be changed if you have customized the paths on your server.
* When saving the configuration, Fleet will attempt to connect to the SCEP server to verify the connection, including retrieving a one-time challenge password. This validation also occurs when adding a new SCEP configuration or updating an existing one via API and GitOps, including dry runs. Please ensure the NDES password cache size is large enough to accommodate this validation.
### 3. Create a SCEP configuration profile
Create a configuration profile in Fleet that includes the SCEP payload. In the profile, you will need to set `$FLEET_VAR_NDES_SCEP_CHALLENGE` as the `Challenge` and `$FLEET_VAR_NDES_SCEP_PROXY_URL` as the `URL`.
Adjust the `Subject` values according to your organization's needs. You may set `$FLEET_VAR_HOST_END_USER_EMAIL_IDP` if the hosts were enrolled into Fleet MDM using an IdP (Identity Provider). You can also use any of the [Apple profile variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0) to uniquely identify your device.
Example profile:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>$FLEET_VAR_NDES_SCEP_CHALLENGE</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>2048</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>%SerialNumber% WIFI $FLEET_VAR_HOST_END_USER_EMAIL_IDP</string>
</array>
</array>
<array>
<array>
<string>OU</string>
<string>FLEET DEVICE MANAGEMENT</string>
</array>
</array>
</array>
<key>URL</key>
<string>$FLEET_VAR_NDES_SCEP_PROXY_URL</string>
</dict>
<key>PayloadDisplayName</key>
<string>WIFI SCEP</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.scep.9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEP proxy cert</string>
<key>PayloadIdentifier</key>
<string>Fleet.WiFi</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>4CD1BD65-1D2C-4E9E-9E18-9BCD400CDEDC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
Upload the profile to Fleet in **Controls** > **OS Settings** > **Custom settings**.
When sending the profile to hosts, Fleet will replace the `$FLEET_VAR_NDES_SCEP_CHALLENGE`, `$FLEET_VAR_NDES_SCEP_PROXY_URL`, and `$FLEET_VAR_HOST_END_USER_EMAIL_IDP` variables with the proper values. Any errors will appear as a `Failed` status in the host's `OS settings`.
![NDES SCEP failed profile](../website/assets/images/articles/ndes-scep-failed-profile.png)
> Note: If the uploaded profile is signed, Fleet will replace the variables and invalidate the signature.
## How does it work?
The SCEP proxy in Fleet acts as a middleman between the device and the NDES server. When a device requests a certificate, the SCEP proxy forwards the request to the NDES server, retrieves the certificate, and sends it back to the device. In addition, the SCEP proxy:
- Retrieves the one-time challenge password from the NDES server.
The NDES admin password is encrypted in Fleet's database by the [server private key](https://fleetdm.com/docs/configuration/fleet-server-configuration#server-private-key). It cannot be retrieved via the API or the web interface.
Retrieving passwords for many devices may cause a bottleneck. To avoid long wait times, we recommend a gradual rollout of SCEP profiles.
- Restarting the NDES service will clear the password cache and may cause outstanding SCEP profiles to fail.
- Resend the profile to the device if the one-time challenge password has expired.
- If the device has been offline and the one-time challenge password is more than 60 minutes old, the SCEP proxy assumes the password has expired and will resend the profile to the device with a new one-time challenge password.
The issued certificate will appear in the System Keychain on macOS. During the profile installation, the OS generates several temporary certificates needed for the SCEP protocol. These certificates may be briefly visible in the Keychain Access app on macOS. The CA certificate must also be installed and marked as trusted on the device for the issued certificate to appear as trusted. The IT admin can send the CA certificate in a separate [CertificateRoot profile](https://developer.apple.com/documentation/devicemanagement/certificateroot?language=objc).
## Use case: connecting to a corporate WiFi network
A common use case for SCEP is connecting devices to a corporate WiFi network. This involves creating a profile with SCEP and WiFi payloads and linking them together. Here's how you can use Fleet's SCEP proxy to achieve this:
1. Send the root CA certificate to the device using a [CertificateRoot profile](https://developer.apple.com/documentation/devicemanagement/certificateroot?language=objc).
2. Create a profile with a SCEP payload and a [WiFi payload](https://developer.apple.com/documentation/devicemanagement/wifi?language=objc), and send it to the device.
- The `PayloadCertificateUUID` in the WiFi payload should reference the `PayloadUUID` of the SCEP payload.
- For more information on connecting your Apple devices to 802.1X networks, see [this guide from Apple](https://support.apple.com/en-my/guide/deployment/depabc994b84/web).
## Assumptions and limitations
* NDES SCEP proxy is currently supported for macOS devices via Apple config profiles. Support for DDM (Declarative Device Management) is coming soon, as is support for iOS, iPadOS, Windows, and Linux.
* Certificate renewal is coming soon.
* Fleet server assumes a one-time challenge password expiration time of 60 minutes.
## Conclusion
Fleet's NDES SCEP proxy feature allows your devices to receive certificates from your certificate authority's NDES service. This feature simplifies managing certificates on your devices and enables a secure and efficient way to connect them to your corporate network.
<meta name="articleTitle" value="Connect end users to Wi-Fi with Simple Certificate Enrollment Protocol (SCEP)">
<meta name="authorFullName" value="Victor Lyuboslavsky">
<meta name="authorGitHubUsername" value="getvictor">
<meta name="category" value="guides">
<meta name="publishedOn" value="2024-10-30">
<meta name="description" value="Learn how to help your end users connect to Wi-Fi by adding your SCEP server">

BIN
website/assets/images/articles/ndes-scep-config.png vendored
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 24 KiB

BIN
website/assets/images/articles/ndes-scep-failed-profile.png vendored
View file

Binary file not shown.
Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 20 KiB