macOS: SCEP profile settings Skip Navigation

: SCEP profile settings

applies profiles to user accounts or devices. You can configure SCEP profiles to apply to one or the other.
: SCEP profile setting
BlackBerry UEM
as a proxy for SCEP requests
This setting specifies whether all SCEP requests from devices are sent through
BlackBerry UEM
. If the CA is behind your firewall, this setting allows you to enroll client certificates to devices without exposing the CA outside of the firewall.
BlackBerry Connectivity Node
for CA connectivity
This setting specifies whether SCEP requests should be routed through the
BlackBerry Connectivity Node
. This setting displays only in
BlackBerry UEM Cloud
Apply profile to
This setting specifies whether the SCEP profile is applied to the user account or the device.
Possible values:
  • User
  • Device
This setting specifies the subject for the certificate, if required for your organization's SCEP configuration. Type the subject in the format "/CN=
" If the profile is for multiple users, you can use a variable, for example: %UserDistinguishedName%.
This setting specifies how many times to retry connecting to the SCEP service if the connection attempt fails.
The possible values are from 1 to 999.
The default value is "3."
Retry delay
This setting specifies the time in seconds to wait before retrying to connect to the SCEP service.
The possible values are from 1 to 999.
The default value is "10" seconds.
Key size
This setting specifies the key size for the certificate.
Possible values:
  • 1024
  • 2048
The default value is "1024."
This setting specifies the fingerprint for enrolling a SCEP certificate. If your CA uses HTTP instead of HTTPS, devices use the fingerprint to confirm the identity of the CA during the enrollment process. The fingerprint can't contain spaces.
SAN type
This setting specifies the subject alternative name type for the certificate, if it is required.
Possible values:
  • None
  • RFC822 name
  • DNS name
  • Uniform Resource Identifier
The default value is "None."
SAN value
This setting specifies the alternative representation of the certificate subject. The value must be an email address, the DNS name of the CA server, or the fully qualified URL of the server.
The "SAN type" setting determines the appropriate value to specify. If set to "RFC822 name," the value must be a valid email address. If set to "URI," the value must be a valid URL that includes the protocol and FQDN or IP address. If set to "NT principal name," the value must be a valid principal name. If set to "DNS name," the value must be a valid FQDN.
NT principal name
This setting specifies the NT principal name for certificate generation.
This setting is valid only if the "SAN type" setting is set to something other than "None."