diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 49a6a476a0..95ca009dc3 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
@@ -61,3 +61,11 @@ queries:
 - path: ../lib/collect-failed-login-attempts.queries.yml
 - path: ../lib/collect-usb-devices.queries.yml
 - path: ../lib/collect-vs-code-extensions.queries.yml
+ - name: Collect expiration date for MDM SCEP certificates
+ description: "For the following issue: https://github.com/fleetdm/confidential/issues/4518. Returns expiration date for macOS hosts's MDM SCEP certs."
+ query: "SELECT common_name, datetime(not_valid_after,'unixepoch') AS expires FROM certificates WHERE 'common_name' LIKE '%FleetDM Identity%';"
+ platform: darwin
+ interval: 300
+ automations_enabled: false
+ observer_can_run: true
+
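Review bot: The WHERE clause on the added `query:` line puts the column name in single quotes, `WHERE 'common_name' LIKE '%FleetDM Identity%'`, which osquery's SQLite dialect reads as a string literal rather than a column reference. The predicate therefore compares the fixed text 'common_name' with the pattern and is false for every row, so the query returns nothing on every host. An empty result reads as "no matching certificate" rather than as an error, and with `automations_enabled: false` nothing would flag it, so an expiring MDM SCEP certificate would go unnoticed. Drop the quotes: `WHERE common_name LIKE '%FleetDM Identity%'`. The `queries:` list this entry joins starts above the hunk.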