From 346da470b80639ae675c28fd91a93a7b5170af4c Mon Sep 17 00:00:00 2001
From: Harrison Ravazzolo <38767391+harrisonravazzolo@users.noreply.github.com>
Date: Wed, 22 Oct 2025 18:30:54 -0700
Subject: [PATCH] Refactor SCEP configuration for Okta certificate (#34674)

Updated SCEP configuration for Okta attestation certificate
installation, including placeholders for various parameters.
---
 ...kta attestation certificate - [Bundle].xml | 206 ++++++++++--------
 1 file changed, 117 insertions(+), 89 deletions(-)

diff --git a/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml b/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml
index eadc58d7df..c94e47d870 100644
--- a/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml	
+++ b/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml	
@@ -1,103 +1,131 @@
-<Replace>
-  <!-- Set Node here -->
-  <CmdID>1</CmdID>
-  <Item>
-    <Target>
-      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify</LocURI>
-    </Target>
-    <Meta>
-      <Format xmlns="syncml:metinf">node</Format>
-    </Meta>
-  </Item>
-</Replace>
 <Add>
-  <!-- SCEP URL -->
-  <CmdID>2</CmdID>
-  <Item>
-    <Target>
-      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/ServerURL</LocURI>
-    </Target>
-    <Meta>
-      <Format xmlns="syncml:metinf">chr</Format>
-    </Meta>
-    <Data>yourUrlHere</Data>
-  </Item>
+        <!-- Name of SCEP node -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">node</Format>
+</Meta>
+</Item>
 </Add>
-<!-- SCEP Challenge -->
 <Add>
-  <CmdID>3</CmdID>
-  <Item>
-    <Target>
-      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/Challenge</LocURI>
-    </Target>
-    <Meta>
-      <Format xmlns="syncml:metinf">chr</Format>
-    </Meta>
-    <Data>yourChallengeHere</Data>
-  </Item>
+        <!-- Retry count for SCEP installation -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryCount</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">int</Format>
+</Meta>
+<Data>3</Data>
+</Item>
 </Add>
-<!-- CN - check Okta doc for required values (https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/devices-client-certificates-faqs.htm) -->
 <Add>
-  <CmdID>4</CmdID>
-  <Item>
-    <Target>
-      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/SubjectName</LocURI>
-    </Target>
-    <Meta>
-      <Format xmlns="syncml:metinf">chr</Format>
-    </Meta>
-    <Data>$FLEET_VAR_HOST_UUID </Data>
-  </Item>
+        <!-- Retry delay for SCEP installation -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryDelay</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">int</Format>
+</Meta>
+<Data>10</Data>
+</Item>
 </Add>
-<!-- Key Length -->
 <Add>
-  <CmdID>5</CmdID>
-  <Item>
-    <Target>
-      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/KeyLength</LocURI>
-    </Target>
-    <Meta>
-      <Format xmlns="syncml:metinf">int</Format>
-    </Meta>
-    <Data>2048</Data>
-  </Item>
+        <!-- Key Usage - keep default for Okta -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyUsage</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">int</Format>
+</Meta>
+<Data>160</Data>
+</Item>
 </Add>
-<!-- Hash Algorithm -->
 <Add>
-  <CmdID>6</CmdID>
-  <Item>
-    <Target>
-      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/HashAlgorithm</LocURI>
-    </Target>
-    <Meta>
-      <Format xmlns="syncml:metinf">chr</Format>
-    </Meta>
-    <Data>SHA256</Data>
-  </Item>
+        <!-- Key Length - min 2048 for Okta -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyLength</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">int</Format>
+</Meta>
+<Data>2048</Data>
+</Item>
 </Add>
-<!-- Key Usage -->
 <Add>
-  <CmdID>7</CmdID>
-  <Item>
-    <Target>
-      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/KeyUsage</LocURI>
-    </Target>
-    <Meta>
-      <Format xmlns="syncml:metinf">int</Format>
-    </Meta>
-    <Data>160</Data>
-  </Item>
+        <!-- Hash Algorithm - keep default for Okta -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/HashAlgorithm</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">chr</Format>
+</Meta>
+<Data>SHA-1</Data>
+</Item>
 </Add>
-<!-- Extended Key Usage -->
 <Add>
-  <CmdID>8</CmdID>
-  <Item>
-    <Target>
-      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/EKUMapping</LocURI>
-    </Target>
-    <Meta>
-      <Format xmlns="syncml:metinf">chr</Format>
-    </Meta>
-    <Data>1.3.6.1.5.5.7.3.2</Data>
-  </Item>
+        <!-- CN - keep default for Okta -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/SubjectName</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">chr</Format>
+</Meta>
+<Data>CN=$FLEET_VAR_HOST_UUID managementAttestation</Data>
+</Item>
+</Add>
+<Add>
+        <!-- Extended Key Usage - keep default for Okta -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/EKUMapping</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">chr</Format>
+</Meta>
+<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2</Data>
+</Item>
+</Add>
+<Add>
+        <!-- SCEP Server URL -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/ServerURL</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">chr</Format>
+</Meta>
+<Data>{{yourScepUrl}}</Data>
+</Item>
+</Add>
+<Add>
+        <!-- SCEP Challenge - Does not need to be b64 -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/Challenge</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">chr</Format>
+</Meta>
+<Data>{{yourScepChallenge}}</Data>
+</Item>
+</Add>
+<Add>
+        <!-- SCEP CA Thumbprint - Download Okta CA (if using) and specify thumbprint here -->
+<Item>
+<Target>
+<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/CAThumbprint</LocURI>
+</Target>
+<Meta>
+<Format xmlns="syncml:metinf">chr</Format>
+</Meta>
+<Data>{{yourScepCAThumbprint}}</Data>
+</Item>
 </Add>