Simple Certificate Enrollment Protocol(SCEP)

Simple Certificate Enrollment Protocol (SCEP) is a certificate management protocol which is predominantly used for enabling certificate-based authentication. With SCEP, Mobile Device Manager Plus lets you enforce certificate-based authentication for Wi-Fi, VPN, and E-mail configurations on your managed Android devices.

Generally, in large scale organizations, it becomes a cumbersome task for the IT administrator to manually issue client certificates for all the Android devices within the organizational network. SCEP simplifies certificate configuration and distribution by providing a simple and scalable method for handling certificates within organizations.

The major advantages of certificate-based authentication using SCEP are as follows:

• Zero user intervention since users are automatically authenticated using certificates.
• Removes the burden of manually configuring user-specific client certificates.
• Secure network communication as the data is encrypted and authenticated using certificates.
• Client certificates also function as an additional layer of security by providing two-factor authentication; security threats caused by using unauthorized devices to access business data, or to connect to work related Wi-Fi or VPN networks can be avoided.

Pre-requisites

• NDES must be installed in a Windows Server machine
• Configure Certificate Template
1. Click on Start Menu, select Run, type mmc and click OK.
2. Click File and select Add/Remove Snap-in....Select Certificate Templates, click Add and then click OK.

    

3. Right click Certificate Template and select Manage.
4. Click on User and select Duplicate Template.



5. Specify a Template display name and save it by clicking OK.



6. Click on Extensions,select Application Policies. Click Edit and select Client Authentication, to add it to Application Policies.

      

7. Click on Cryptography and specify the Minimum key size. The recommended key size is 2048, as it enhances the security. This key size is to be specified while configuring SCEP in MDM.



8. Click on Security and select the Group(s), to which the policy is to be applied. Ensure Enroll is an allowed permission for the selected domain(s).



9. Click on Subject Name and select Supply in the request, for subject names to be specified in the certificate request.



• Map Certificate Template to SCEP
1. Add Certificate Authority as a snap-in in the Microsoft Management Console(MMC).

    

2. Expand Certification Authority and right-click on Certificate Templates. Click New and select Certificate Template to Issue.



3. Select the Certificate Template created before and click OK.

    

To change the default certificate template used by Microsoft NDES, windows registry values are to be changed.

4. Click on Start Menu, select Run, type regedit and click OK.
5. Expand HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP.
6. Right-click on Encryption Template and click Modify.



7. Specify the name of the created Certificate Template for Value date. Repeat the same for GeneralPurposeTemplate and SignatureTemplate. Restart the server machine once for the changes to take place
.



• Prevent challenge password expiry
If you're using Challenge password(recommended), then registry values must be modified to prevent expiry of Challenge password.

1. Open regedit and expand HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP -> UseSinglePassword.
2. Right-click UseSinglePassword and change the value of data as 1.



After configuration is complete, restart the NDES Server.

Configuring SCEP in MDM