Common: SCEP profile settings

Common: SCEP profile setting
Description
Certificate authority connection
This setting specifies whether the CA is Entrust, OpenTrust, or another CA. If you configured one or more connections to your organization’s Entrust software or OpenTrust software, you can select one of the connections in the drop-down list. Select Generic if you are using any other CA.
If you select an Entrust or OpenTrust connection, you must then select the appropriate PKI profile and specify the necessary values. The available profiles vary based on what the Entrust or OpenTrust administrator has configured in the PKI software.
The default value is Generic.
URL
This setting specifies the URL of the SCEP service. The URL should include the protocol, FQDN, port number, and SCEP path (CGI path that is defined in the SCEP specification). You must set a value for this setting to activate a device successfully.
SCEP HTTPS URLs are supported by iOS devices.
Instance name
This setting specifies the name of the CA instance.
The value can be any string that is understood by the SCEP service. For example, it could be a domain name like example.org. If a CA has multiple CA certificates, this field can be used to distinguish which one is required.
Verify SCEP server connection trust chain
This setting specifies whether BlackBerry UEM verifies that the root CA of the SCEP server is stored in the BlackBerry UEM certificate store to allow BlackBerry UEM to trust the SCEP server when testing connections, retrieving challenge passwords, and acting as a proxy for SCEP requests from devices.
SCEP challenge type
This setting specifies whether the SCEP challenge password is dynamically generated or provided as a static password. If this setting is set to "Static," every device uses the same challenge password. If this setting is set to "Dynamic," every device receives a unique challenge password.
Possible values:
  • Static
  • Dynamic
The default value is Dynamic.
For Windows devices, only "Static" passwords are supported.
Challenge password generation URL
This setting specifies the URL that devices use to obtain a dynamically generated challenge password from the SCEP service. The URL should include the protocol, domain, port, and SCEP path (CGI path that is defined in the SCEP specification).
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Authentication type
This setting specifies the authentication type devices use to connect to the SCEP service and obtain a challenge password.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Possible values:
  • Basic
  • NTLM
The default value is Basic.
Domain
This setting specifies the domain used for NTLM authentication when devices connect to the SCEP service to obtain a challenge password.
This setting is valid only if the "Authentication type" setting is set to "NTLM."
Username
This setting specifies the username required to obtain a challenge password from the SCEP service.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Password
This setting specifies the password required to obtain the challenge password from the SCEP service.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Challenge password
This setting specifies the challenge password that a device uses for certificate enrollment.
This setting is valid only if the "SCEP challenge type" setting is set to "Static."
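
A lint pass over the dependencies between the settings in the table above, as an added example that is not BlackBerry UEM code. The dictionary keys (`url`, `challenge_type`, `challenge_url`, `auth_type`, `platform`, `verify_trust_chain` and so on) are hypothetical names for the settings. Treating the username and password as mandatory for a Dynamic challenge is an assumption.

```python
from urllib.parse import urlsplit
def url_problems(name, url):
    """Report which parts the page asks for (protocol, FQDN, port, path) are missing."""
    try:
        u = urlsplit(url or "")
        port = u.port
    except ValueError:
        return [f"{name}: malformed URL"]
    out = []
    if u.scheme not in ("http", "https"):
        out.append(f"{name}: missing protocol")
    if not u.hostname or "." not in u.hostname:
        out.append(f"{name}: host is not an FQDN")
    if port is None:
        out.append(f"{name}: missing port number")
    if u.path in ("", "/"):
        out.append(f"{name}: missing SCEP path")
    return out

def lint_profile(p):
    """Return (errors, warnings) for a dict using hypothetical key names."""
    errors, warnings = url_problems("url", p.get("url")), []
    ctype = p.get("challenge_type", "Dynamic")  # page default: Dynamic
    if ctype == "Dynamic":
        errors += url_problems("challenge_url", p.get("challenge_url"))
        for key in ("username", "password"):  # assumed mandatory here
            if not p.get(key):
                errors.append(f"{key}: required for Dynamic")
        if p.get("auth_type", "Basic") == "NTLM" and not p.get("domain"):
            errors.append("domain: required for NTLM")
        if p.get("platform") == "Windows":
            errors.append("challenge_type: Windows supports only Static")
    elif ctype == "Static":
        if not p.get("challenge_password"):
            errors.append("challenge_password: required for Static")
        warnings.append("challenge_type: every device shares one password")
    else:
        errors.append("challenge_type: must be Static or Dynamic")
    if not p.get("verify_trust_chain"):
        warnings.append("verify_trust_chain: SCEP server root CA not verified")
    return errors, warnings

# Constructed sample: NTLM without a domain, and no port in the SCEP URL.
SAMPLE = {"url": "https://scep.example.org/scep", "challenge_type": "Dynamic",
          "challenge_url": "https://scep.example.org:443/challenge",
          "auth_type": "NTLM", "username": "svc-scep", "password": "placeholder",
          "verify_trust_chain": True}
if __name__ == "__main__":
    print(lint_profile(SAMPLE))
```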