Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.20
  3. Managing secure connections
  4. Using PKI certificates with devices or apps
  5. Sending certificates to devices and apps using profiles
  6. Sending client certificates to devices and apps using SCEP
  7. Common: SCEP profile settings

Common: SCEP profile settings

Common: SCEP profile setting
Description
Certificate authority connection
This setting specifies whether the CA is
Entrust
,
OpenTrust
, or another CA.
URL
This setting specifies the URL of the SCEP service. The URL should include the protocol, FQDN, port number, and SCEP path (CGI path that is defined in the SCEP specification). You must set a value for this setting to activate a device successfully.
SCEP HTTPS URLs are supported by
iOS
 devices.
Instance name
This setting specifies the name of the CA instance.
The value can be any string that is understood by the SCEP service. For example, it could be a domain name like example.org. If a CA has multiple CA certificates, this field can be used to distinguish which one is required.
Verify SCEP server connection trust chain
This setting specifies whether
BlackBerry UEM
 verifies that the root CA of the SCEP server is stored in the
UEM
 certificate store to allow
UEM
 to trust the SCEP server when testing connections, retrieving challenge passwords, and acting as a proxy for SCEP requests from devices.
SCEP challenge type
This setting specifies whether the SCEP challenge password is dynamically generated or provided as a static password. If this setting is set to "Static," every device uses the same challenge password.
For
Windows
 devices, only "static" passwords are supported.
Challenge password generation URL
This setting specifies the URL that devices use to obtain a dynamically generated challenge password from the SCEP service. The URL should include the protocol, domain, port, and SCEP path (CGI path that is defined in the SCEP specification).
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Authentication type
This setting specifies the authentication type devices use to connect to the SCEP service and obtain a challenge password.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Domain
This setting specifies the domain used for NTLM authentication when devices connect to the SCEP service to obtain a challenge password.
This setting is valid only if the "Authentication type" setting is set to "NTLM."
Username
This setting specifies the username required to obtain a challenge password from the SCEP service.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Password
This setting specifies the password required to obtain the challenge password from the SCEP service.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Challenge password
This setting specifies the challenge password that a device uses for certificate enrollment.
This setting is valid only if the "SCEP challenge type" setting is set to "Static."