Common: SCEP profile settings
Common: SCEP profile setting | Description |
|---|---|
Certificate authority connection | This setting specifies whether the CA is Entrust , OpenTrust , or another CA. If you configured one or more connections to your organization’s Entrust software or OpenTrust software, you can select one of the connections in the drop-down list. Select Generic if you are using any other CA.If you select an Entrust or OpenTrust connection, you must then select the appropriate PKI profile and specify the necessary values. The available profiles vary based on what the Entrust or OpenTrust administrator has configured in the PKI software.The default value is Generic. |
URL | This setting specifies the URL of the SCEP service. The URL should include the protocol, FQDN, port number, and SCEP path (CGI path that is defined in the SCEP specification). You must set a value for this setting to activate a device successfully. SCEP HTTPS URLs are supported by iOS devices. |
Instance name | This setting specifies the name of the CA instance. The value can be any string that is understood by the SCEP service. For example, it could be a domain name like example.org. If a CA has multiple CA certificates, this field can be used to distinguish which one is required. |
Verify SCEP server connection trust chain | This setting specifies whether BlackBerry UEM verifies that the root CA of the SCEP server is stored in the BlackBerry UEM certificate store to allow BlackBerry UEM to trust the SCEP server when testing connections, retrieving challenge passwords, and acting as a proxy for SCEP requests from devices. |
SCEP challenge type | This setting specifies whether the SCEP challenge password is dynamically generated or provided as a static password. If this setting is set to "Static," every device uses the same challenge password. If this setting is set to "Dynamic," every device receives a unique challenge password. Possible values:
The default value is Dynamic. For Windows devices, only "Static" passwords are supported. |
Challenge password generation URL | This setting specifies the URL that devices use to obtain a dynamically generated challenge password from the SCEP service. The URL should include the protocol, domain, port, and SCEP path (CGI path that is defined in the SCEP specification). This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic." |
Authentication type | This setting specifies the authentication type devices use to connect to the SCEP service and obtain a challenge password. This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic." Possible values:
The default value is Basic. |
Domain | This setting specifies the domain used for NTLM authentication when devices connect to the SCEP service to obtain a challenge password. This setting is valid only if the "Authentication type" setting is set to "NTLM." |
Username | This setting specifies the username required to obtain a challenge password from the SCEP service. This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic." |
Password | This setting specifies the password required to obtain the challenge password from the SCEP service. This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic." |
Challenge password | This setting specifies the challenge password that a device uses for certificate enrollment. This setting is valid only if the "SCEP challenge type" setting is set to "Static." |