SCEP Certificate Enrollment

What is SCEP

SCEP (Simple Certificate Enrollment Protocol) is a standardized protocol for automated certificate issuance and management. It allows devices to request, receive, and renew digital certificates from a Certificate Authority (CA) without manual intervention. SCEP is defined in RFC 8894 and is widely supported across mobile device management platforms, including Apple's MDM protocol.

A SCEP request works as follows:

  1. The device generates a public-private key pair locally
  2. The device sends a certificate signing request (CSR) to the SCEP server, along with a one-time challenge
  3. The SCEP server validates the challenge and signs the certificate
  4. The device receives the signed certificate and stores it in the device keychain
  5. The certificate is used for TLS client authentication and identity verification

Why SCEP is Used

Manual certificate installation on each device does not scale beyond a handful of machines. SCEP solves this by providing:

  • Automated issuance — Devices request certificates as part of the enrollment flow, with no administrator needing to generate or distribute individual certificates
  • Device identity — Each device receives a unique certificate tied to its identity, enabling the MDM server to authenticate the device on subsequent check-ins
  • Trust chain — The issued certificate chains back to a trusted root, so the MDM server and other enterprise services can verify the device's identity cryptographically
  • Scalability — SCEP handles fleets of any size, from tens to hundreds of thousands of devices, without per-device manual work

Without SCEP, every device would need a certificate installed by hand — impractical for any organization with more than a handful of devices.

How GuardMDM Uses SCEP During Enrollment

GuardMDM integrates SCEP into the enrollment flow automatically. When a device enrolls:

  1. The MDM profile delivered to the device includes a SCEP payload
  2. The device generates a key pair and sends a CSR to GuardMDM's SCEP endpoint
  3. GuardMDM validates the enrollment challenge and requests a certificate from the internal CA
  4. The signed certificate is returned to the device and stored in its keychain
  5. The device uses this certificate for all subsequent MDM commands and check-ins

This certificate serves as the device's identity credential. Every MDM command from GuardMDM to the device, and every check-in from the device to GuardMDM, is authenticated using this certificate. It replaces the need for shared secrets or per-device passwords.

Certificate Lifecycle and Renewal

Certificates issued via SCEP have a finite lifetime. GuardMDM handles the full lifecycle:

Phase        Description
Issuance     Certificate is created during enrollment with a configurable validity period.
Active       Device uses the certificate for MDM authentication. GuardMDM monitors expiration dates.
Renewal      Before expiration, GuardMDM triggers a SCEP renewal. The device generates a new key pair and requests a fresh certificate.
Revocation   If a device is unenrolled or marked as lost, GuardMDM revokes its certificate so it can no longer authenticate.

Renewal is automatic and transparent. GuardMDM initiates renewal when the certificate approaches its expiration date, and the device re-enrolls through the same SCEP flow. No user interaction is required.
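The enrollment steps and the lifecycle table above, as an added example that is not GuardMDM's code: a toy issuer that consumes a one-time challenge carried in the CSR's challengePassword attribute, checks proof of possession before signing, issues a certificate with a finite validity, gates check-ins on signature, validity window and revocation, and reports when renewal should start. It models the issuance logic only, not SCEP's PKCS#7 message format, and uses the third-party cryptography package (37 or later); Issuer, device_csr, needs_renewal, the CA name and the UDID are constructed for the example.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AttributeOID, NameOID

DAY = dt.timedelta(days=1)


def device_csr(udid: str, challenge: str) -> tuple[ec.EllipticCurvePrivateKey, bytes]:
    key = ec.generate_private_key(ec.SECP256R1())  # generated on the device; the private key never leaves it
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, udid)]))
           .add_attribute(AttributeOID.CHALLENGE_PASSWORD, challenge.encode())  # SCEP one-time challenge
           .sign(key, hashes.SHA256()))
    return key, csr.public_bytes(serialization.Encoding.DER)  # only the CSR travels to the SCEP endpoint


class Issuer:  # stand-in for the MDM server's internal CA (constructed for this example, not GuardMDM's code)
    def __init__(self, *challenges: str):
        self.key = ec.generate_private_key(ec.SECP256R1())
        self.name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example MDM CA")])  # constructed
        self.challenges = set(challenges)  # unused one-time enrollment challenges
        self.revoked: set[int] = set()     # serials of certificates for unenrolled or lost devices

    def enroll(self, csr_der: bytes, validity: dt.timedelta) -> x509.Certificate:
        csr = x509.load_der_x509_csr(csr_der)
        if not csr.is_signature_valid:  # proof of possession: the requester holds the matching private key
            raise ValueError("CSR signature invalid")
        challenge = csr.get_attribute_for_oid(AttributeOID.CHALLENGE_PASSWORD).decode()
        if challenge not in self.challenges:
            raise PermissionError("unknown or already used challenge")
        self.challenges.discard(challenge)  # single use: replaying the same challenge is rejected
        now = dt.datetime.now(dt.timezone.utc)
        return (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(self.name)
                .public_key(csr.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now).not_valid_after(now + validity)  # finite lifetime
                .sign(self.key, hashes.SHA256()))

    def authenticate(self, cert: x509.Certificate, now: dt.datetime) -> bool:
        try:  # check-in gate: signed by this CA, inside its validity window, and not revoked
            self.key.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        except Exception:
            return False
        return cert.not_valid_before <= now <= cert.not_valid_after and cert.serial_number not in self.revoked


def needs_renewal(cert: x509.Certificate, now: dt.datetime, lead: dt.timedelta) -> bool:
    return now + lead >= cert.not_valid_after  # renewal starts once the cert is within `lead` of expiry
```

A second enroll() with the same CSR fails because the challenge was consumed, and adding a serial to revoked makes authenticate() refuse that certificate even though it is still within its validity window.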

SCEP is Automatic

GuardMDM configures SCEP automatically during enrollment. There is no need to:

  • Set up or manage a SCEP server
  • Configure SCEP URLs or challenges manually
  • Distribute root certificates to devices
  • Track certificate expiration dates

The built-in CA handles issuance, renewal, and revocation as part of the standard enrollment workflow. Devices receive their identity certificates without any manual configuration from the administrator or end user.

For organizations that require integration with an external CA, GuardMDM supports custom SCEP configurations through the Enrollment > SCEP settings. In most deployments, however, the default automatic configuration is sufficient.

Released under the MIT License