Android: SCEP profile settings

For devices with Android Management activation types, see Considerations for Android Management activation types.

Android: SCEP profile setting | Description |
---|---|
Use BlackBerry UEM as a proxy for SCEP requests | This setting specifies whether all SCEP requests from devices are sent through UEM. If the CA is behind your firewall, this setting allows you to enroll client certificates to devices without exposing the CA outside of the firewall. |
Hide certificate on Android Enterprise devices | This setting specifies whether the certificate is visible to Android Enterprise users. If the certificate is hidden, users can't select the certificate to use it for additional purposes. |
Use BlackBerry Connectivity Node for CA connectivity | This setting specifies whether SCEP requests should be routed through the BlackBerry Connectivity Node. This setting displays only in UEM Cloud. |
Encryption algorithm | This setting specifies the encryption algorithm that Android devices use for the certificate enrollment request. |
Hash function | This setting specifies the hash function that Android devices use for the certificate enrollment request. |
Certificate thumbprint | This setting specifies the hexadecimal-encoded hash of the root certificate for the CA. You can use the following algorithms to specify the thumbprint: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. You must set a value for this setting to activate Android Enterprise or Samsung Knox devices. |
Automatic renewal | This setting specifies how many days before a certificate expires that automatic certificate renewal occurs. |
Android work profiles and Samsung KNOX | |
Subject | This setting specifies the subject for the certificate, if required for your organization's SCEP configuration. Type the subject in the format "/CN=<common_name>/O=<domain_name>". If the profile is for multiple users, you can use a variable, for example: %UserDistinguishedName%. |
SAN type | This setting specifies the subject alternative name type for the certificate, if it is required. |
SAN value | This setting specifies the subject alternative representation of the certificate subject. The value must be an email address, the DNS name of the CA server, the fully qualified URL of the server, or principal name. The "SAN type" setting determines the appropriate value to specify. If set to "RFC822 name," the value must be a valid email address. If set to "URI," the value must be a valid URL that includes the protocol and FQDN or IP address. If set to "NT principal name," the value must be a valid principal name. If set to "DNS name," the value must be a valid FQDN. |
Key algorithm | This setting specifies the algorithm that devices use to generate the client key pair. You must select an algorithm that is supported by your CA. |
RSA strength | This setting specifies the RSA strength that devices use to generate the client key pair. You must enter a key strength that is supported by your CA. This setting is valid only if the "Key algorithm" setting is set to "RSA". |
Key usage | This setting specifies the cryptographic operations that can be performed using the public key that is contained in the certificate. |
Extended key usage | This setting specifies the purpose of the key that is contained in the certificate. |
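
For the "Certificate thumbprint" setting, the following added example (not BlackBerry code) computes the hex thumbprint of a CA root certificate with each of the five listed algorithms and checks a configured value against the certificate before the profile is assigned. It assumes the thumbprint is taken over the certificate's DER encoding, as certificate fingerprints conventionally are; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Hex digest length -> algorithm, for the five algorithms the setting accepts.
ALGS_BY_HEX_LEN = {40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return DER bytes from a PEM or DER encoded certificate."""
    m = PEM_RE.search(data.decode("latin-1"))
    if m is None:
        return data  # assumption: input without a PEM header is already DER
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def thumbprint(data: bytes, alg: str = "sha256") -> str:
    """Hex-encoded hash of the certificate's DER encoding."""
    if alg not in ALGS_BY_HEX_LEN.values():
        raise ValueError(f"unsupported algorithm: {alg}")
    return hashlib.new(alg, cert_der(data)).hexdigest()

def normalize(value: str) -> str:
    """Drop colons/whitespace that certificate viewers insert, then lowercase."""
    hexstr = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr) or len(hexstr) not in ALGS_BY_HEX_LEN:
        raise ValueError("not a SHA-1/224/256/384/512 hex thumbprint")
    return hexstr

def matches(data: bytes, configured: str) -> bool:
    """Compare a configured thumbprint to a certificate; algorithm inferred from length."""
    want = normalize(configured)
    got = thumbprint(data, ALGS_BY_HEX_LEN[len(want)])
    return hmac.compare_digest(got, want)

# Constructed stand-in bytes, not a real certificate: the hash is over the raw bytes either way.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample-root-ca"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for alg in ALGS_BY_HEX_LEN.values():
        print(f"{alg:>7}: {thumbprint(SAMPLE_PEM, alg)}")
```

Run it against the root certificate exported from the CA and compare the output with the value entered in the profile; a mismatch means the profile points at a different certificate than the one you inspected.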