Skip Navigation

Android
: SCEP profile settings

To see an example of a SCEP profile for
Android
devices, visit support.blackberry.com/community to read article 38248.
Android
: SCEP profile setting
Description
Use
BlackBerry UEM
as a proxy for SCEP requests
This setting specifies whether all SCEP requests from devices are sent through
BlackBerry UEM
. If the CA is behind your firewall, this setting allows you to enroll client certificates to devices without exposing the CA outside of the firewall.
Hide certificate on
Android Enterprise
devices
This setting specifies whether the certificate is visible to users on
Android
9.0 and later
Android Enterprise
. If the certificate is hidden, users can't select the certificate to use it for additional purposes.
Use
BlackBerry Connectivity Node
for CA connectivity
This setting specifies whether SCEP requests should be routed through the
BlackBerry Connectivity Node
. This setting displays only in
BlackBerry UEM Cloud
.
Encryption algorithm
This setting specifies the encryption algorithm that
Android
devices use for the certificate enrollment request.
Possible values:
  • None
  • Triple DES
  • AES (128-bit)
  • AES (196-bit)
  • AES (256-bit)
The default value is "Triple DES."
Hash function
This setting specifies the hash function that
Android
devices use for the certificate enrollment request.
Possible values:
  • None
  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512
The default value is "SHA-1."
Certificate thumbprint
This setting specifies the hexadecimal-encoded hash of the root certificate for the CA. You can use the following algorithms to specify the thumbprint: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. You must set a value for this setting to activate
Android Enterprise
or
Samsung Knox
devices.
Automatic renewal
This setting specifies how many days before a certificate expires that automatic certificate renewal occurs.
The possible values are 1 to 365.
The default value is "30."
Android Enterprise / Samsung KNOX
Subject
This setting specifies the subject for the certificate, if required for your organization's SCEP configuration. Type the subject in the format "/CN=
<common_name>
/O=
<domain_name>
" If the profile is for multiple users, you can use a variable, for example: %UserDistinguishedName%.
SAN type
This setting specifies the subject alternative name type for the certificate, if it is required.
Possible values:
  • RFC 822 name
  • Uniform resource identifier
  • NT principal name
  • DNS name
The default value is "RFC 822 name."
SAN value
This setting specifies the subject alternative representation of the certificate subject. The value must be an email address, the DNS name of the CA server, the fully qualified URL of the server, or principal name.
The "SAN type" setting determines the appropriate value to specify. If set to "RFC822 name," the value must be a valid email address. If set to "URI," the value must be a valid URL that includes the protocol and FQDN or IP address. If set to "NT principal name," the value must be a valid principal name. If set to "DNS name," the value must be a valid FQDN.
Key algorithm
This setting specifies the algorithm that
Android Enterprise
and
Samsung Knox
devices use to generate the client key pair. You must select an algorithm that is supported by your CA.
Possible values:
  • None
  • RSA
  • ECC
The default value is "
RSA
."
RSA
strength
This setting specifies the
RSA
strength that
Android Enterprise
and
Samsung Knox
devices use to generate the client key pair. You must enter a key strength that is supported by your CA.
This setting is valid only if the "Key algorithm" setting is set to "
RSA
.".
Possible values:
  • 1024
  • 2048
  • 4096
  • 8192
  • 16384
The default value is "1024."
Key usage
This setting specifies the cryptographic operations that can be performed using the public key that is contained in the certificate.
Possible selections:
  • Digital signature
  • Non-repudiation
  • Key encipherment
  • Data encipherment
  • Key agreement
  • Key certificate signing
  • CRL signing
  • Encipher only
  • Decipher only
The default selections are "Digital signature," "Key encipherment," and "Key agreement."
Extended key usage
This setting specifies the purpose of the key that is contained in the certificate.
Possible selections:
  • Server authentication
  • Client authentication
  • Code signing
  • Email protection
  • Time stamping
  • OCSP signing
  • Secure shell client
  • Secure shell server
The default selection is "Client authentication."