

# Configure your MDM system for Connector for SCEP

Simple Certificate Enrollment Protocol (SCEP) is a standard protocol used for certificate enrollment and renewal. Connector for SCEP is a [RFC 8894](https://www.rfc-editor.org/rfc/rfc8894.html)-based SCEP server that automatically issues certificates from AWS Private Certificate Authority to your SCEP clients. When you create a connector, Connector for SCEP provides an HTTPS endpoint for SCEP clients to request certificates from. The clients authenticate using a challenge password that's included as part of their certificate signing request (CSR) to the service. You can use Connector for SCEP with popular mobile device management (MDM) systems, including Microsoft Intune, Omnissa Workspace ONE and Jamf Pro, to enroll mobile devices. It's designed to work with any client or endpoint that supports SCEP.

Connector for SCEP offers two types of connectors—general-purpose and Connector for SCEP for Microsoft Intune. The following sections describe how they work, and how to configure your MDM system to use them.

## General-purpose connector


A general-purpose connector is designed to work with mobile device endpoints that support SCEP, except for Microsoft Intune, which has a dedicated connector. With a general-purpose connector, used with systems such as Jamf Pro or Omnissa Workspace ONE, you manage the SCEP challenge passwords yourself. The following diagram uses a mobile device management (MDM) system as an example, but the same flow applies to other SCEP-enabled systems or devices.

![Describes how a Connector for SCEP general-purpose connector works.](http://docs.aws.amazon.com/privateca/latest/userguide/images/GenPurpose.jpg)


1. The MDM system (or other device or system) sends a SCEP profile to the mobile client. A SCEP profile contains configuration parameters that define the certificate profile, such as certificate validity period, challenge password, and other information relevant to the issuance of certificates.

1. The mobile client requests a certificate and also sends a certificate signing request (CSR) that includes a challenge password.

1. Connector for SCEP validates the challenge password. If it's valid, then the service requests a certificate from AWS Private CA on behalf of the mobile client.

1. AWS Private CA issues the certificate and sends it to Connector for SCEP.

1. Connector for SCEP sends the issued certificate to the mobile client.

## AWS Private CA Connector for SCEP for Microsoft Intune


AWS Private CA Connector for SCEP for Microsoft Intune is designed for use with Microsoft Intune. With the Connector for SCEP for Microsoft Intune connector type, you use Microsoft Intune to manage your SCEP challenge passwords. For more information about using Connector for SCEP with Microsoft Intune, see [Configure Microsoft Intune for Connector for SCEP](connector-for-scep-intune.md).

To use Connector for SCEP with Microsoft Intune, you must enable specific functionalities using the Microsoft Intune API, and possess a valid Microsoft Intune license. You should also review the [Microsoft Intune® App Protection Policies](https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy).

![How a Connector for SCEP for Microsoft Intune works.](http://docs.aws.amazon.com/privateca/latest/userguide/images/Intune.jpg)


1. Microsoft Intune sends a SCEP profile to the mobile client. The profile contains an encrypted challenge password that the mobile client places into the CSR.

1. The mobile client requests a certificate and sends the CSR to Connector for SCEP.

1. Connector for SCEP sends the CSR to Microsoft Intune for authorization.

1. Microsoft Intune decrypts the challenge password in the CSR. If it's valid, Microsoft Intune sends approval to Connector for SCEP to issue the certificate to the mobile client.

1. Connector for SCEP requests a certificate from AWS Private CA on behalf of the mobile client.

1. AWS Private CA issues the certificate and sends it to Connector for SCEP.

1. Connector for SCEP sends the issued certificate to the mobile client.

**Topics**
+ [General-purpose connector](#connector-for-scep-how-it-works-general-purpose)
+ [AWS Private CA Connector for SCEP for Microsoft Intune](#connector-for-scep-how-it-works-intune)
+ [Configure Jamf Pro for Connector for SCEP](connector-for-scep-general-purpose.md)
+ [Configure Microsoft Intune for Connector for SCEP](connector-for-scep-intune.md)
+ [Configure Omnissa Workspace ONE for Connector for SCEP](connector-for-scep-omnissa.md)

# Configure Jamf Pro for Connector for SCEP

You can use AWS Private CA as an external certificate authority (CA) with the Jamf Pro mobile device management (MDM) system. This guide provides instructions on how to configure Jamf Pro after you create a general-purpose connector.

## Configure Jamf Pro for Connector for SCEP

This guide provides instructions on how to configure Jamf Pro for use with Connector for SCEP. After you successfully configure Jamf Pro and Connector for SCEP, you'll be able to issue AWS Private CA certificates to your managed devices.

### Jamf Pro requirements

Your implementation of Jamf Pro must meet the following requirements.
+ You must enable the **Enable certificate-based authentication** setting in Jamf Pro. You can find details on this setting on the Jamf Pro [Security Settings](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Security_Settings.html) page in the Jamf Pro documentation.

### Step 1: (Optional - recommended) Obtain your private CA's fingerprint

A fingerprint is a unique identifier for your private CA that can be used to verify the identity of your CA when establishing trust with other systems or applications. Incorporating a certificate authority (CA) fingerprint allows managed devices to authenticate the CA they are connecting to and request certificates solely from the anticipated CA. We recommend using a CA fingerprint with Jamf Pro.

**To generate a fingerprint for your private CA**

1. Obtain the private CA certificate either from the AWS Private CA console or by calling the [GetCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html) API operation. Save it as a `ca.pem` file.

1. Install the [OpenSSL Command Line Utilities](https://wiki.openssl.org/index.php/Command_Line_Utilities).

1. In OpenSSL, run the following command to generate the fingerprint:

   ```
   openssl x509 -in ca.pem -noout -sha256 -fingerprint
   ```

### Step 2: Configure AWS Private CA as an external CA in Jamf Pro

After you create a connector for SCEP, you must set AWS Private CA as an external certificate authority (CA) in Jamf Pro. You can set AWS Private CA as a global, external CA. Alternatively, you can use a Jamf Pro configuration profile to issue different certificates from AWS Private CA for different use cases, such as issuing certificates to a subset of devices in your organization. Guidance on implementing Jamf Pro configuration profiles is beyond the scope of this document.

**To configure AWS Private CA as an external certificate authority (CA) in Jamf Pro**

1. In the Jamf Pro console, go to the **PKI certificates settings** page by going to **Settings** > **Global** > **PKI certificates**.

1. Select the **Management Certificate Template** tab.

1. Select **External CA**.

1. Select **Edit**.

1. (Optional) Select **Enable Jamf Pro as SCEP Proxy for configuration profiles**. You can use Jamf Pro configuration profiles to issue different certificates tailored to specific use-cases. For guidance on how to use configuration profiles in Jamf Pro, see [Enabling Jamf Pro as SCEP Proxy for Configuration Profiles](https://learn.jamf.com/en-US/bundle/technical-paper-scep-proxy-current/page/Enabling_as_SCEP_Proxy_for_Configuration_Profiles.html#ariaid-title2) in the Jamf Pro documentation.

1. Select **Use a SCEP-enabled external CA for computer and mobile device enrollment**.

1. (Optional) Select **Use Jamf Pro as SCEP Proxy for computer and mobile device enrollment**. If you experience profile installation failures, see [Troubleshoot profile installation failures](#connector-for-scep-jamf-pro-user-initiated-enrollment-troubleshoot).

1. Copy and paste the Connector for SCEP **SCEP URL** from the connector's details to the **URL** field in Jamf Pro. To view a connector's details, choose the connector from the [Connectors for SCEP](https://console.aws.amazon.com/pca-connector-scep/home#/connectors) list. Alternatively, you can get the URL by calling [GetConnector](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_GetConnector.html) and copy the `Endpoint` value from the response.

1. (Optional) Enter the name of the instance in the **Name** field. For example, you can name it **AWS Private CA**.

1. Select **Static** for the challenge type.

1. Copy a challenge password from your connector, and paste it into the **Challenge** field. A connector can have multiple challenge passwords. To view your connector's challenge passwords, navigate to your connector's details page in the AWS console and select the **View password** button. Alternatively, you can get a connector's challenge password(s) by calling [GetChallengePassword](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_GetChallengePassword.html) and copying a `Password` value from the response. For information about using challenge passwords, see [Understand Connector for SCEP considerations and limitations](c4scep-considerations-limitations.md).

1. Paste the challenge password into the **Verify Challenge** field.

1. Choose a **Key Size**. We recommend a key size of 2048 or higher.

1. (Optional) Select **Use as digital signature**. Select this for authentication purposes to grant devices secure access to resources like Wi-Fi and VPN.

1. (Optional) Select **Use for key encipherment**.

1. (Optional - recommended) Enter a hex string in the **Fingerprint** field. We recommend that you add a CA fingerprint to allow managed devices to verify the CA, and only request certificates from the CA. For instructions on how to generate a fingerprint for your private CA, see [Step 1: (Optional - recommended) Obtain your private CA's fingerprint](#connector-for-scep-jamf-pro-ca-fingerprint).

1. Select **Save**.

### Step 3: Set up a configuration profile signing certificate

To use Jamf Pro with Connector for SCEP, you must provide the signing and CA certificates for the private CA that's associated with your connector. You can do this by uploading a profile signing certificate keystore to Jamf Pro that contains both certificates.

Here are the steps to create a certificate keystore and upload it into Jamf Pro:
+ Generate a certificate signing request (CSR) using your internal processes.
+ Get the CSR signed by the private CA associated with your connector.
+ Create a profile signing certificate keystore that contains both the profile signing and CA certificates.
+ Upload the certificate keystore to Jamf Pro.

By following these steps, you can make sure that your devices can validate and authenticate the configuration profile signed by your private CA, enabling the use of Connector for SCEP with Jamf Pro.

1. The following example uses OpenSSL and AWS Certificate Manager, but you can generate a certificate signing request using your preferred method.

------
#### [ AWS Certificate Manager console ]

**To create a profile signing certificate using the ACM console**

   1. Use ACM to [request a private PKI certificate](). Include the following:
      + **Type** - Use the same private CA type that's serving as the SCEP certificate authority for your MDM system.
      + In the **Certificate authority details** section, select the **Certificate authority** menu and choose the private CA that serves as the CA for Jamf Pro.
      + **Domain name** - Provide a domain name to be embedded into the certificate. You can use a fully qualified domain name (FQDN), such as `www.example.com`, or a bare or apex domain name such as `example.com` (which excludes `www.`).

   1. Use ACM to [export the private certificate](https://docs.aws.amazon.com/acm/latest/userguide/export-private.html) you created in the preceding step. Choose **Export a file** for the certificate, certificate chain, and encrypted key. Keep the **Passphrase** handy because you'll need it in the next step.

   1. In a terminal, run the following command in the folder containing the exported files to write the PKCS#12 bundle to the `output.p12` file, protected by the passphrase you created in the previous step.

      ```
      openssl pkcs12 -export \
        -in "Exported Certificate.txt" \
        -certfile "Certificate Chain.txt" \
        -inkey "Exported Certificate Private Key.txt" \
        -name example \
        -out output.p12 \
        -passin pass:your-passphrase \
        -passout pass:your-passphrase
      ```

------
#### [ AWS Certificate Manager CLI ]

**To create a profile signing certificate using the ACM CLI**
   + The following command shows how to create a certificate in ACM, and then export the files as a PKCS#12 bundle.

     ```
     PCA=<Enter your Private CA ARN>
     
     CERTIFICATE=$(aws acm request-certificate \
         --certificate-authority-arn $PCA \
         --domain-name <any valid domain name, such as test.name> \
         | jq -r '.CertificateArn')
     
     # Wait until the private CA has issued the certificate before exporting it.
     while [[ $(aws acm describe-certificate \
       --certificate-arn $CERTIFICATE \
       | jq -r '.Certificate.Status') != "ISSUED" ]]; do sleep 1; done
     
     # The same passphrase protects the exported private key and must be
     # passed to openssl as -passin below.
     aws acm export-certificate \
       --certificate-arn $CERTIFICATE \
       --passphrase passphrase | jq -r '.Certificate' > Certificate.pem
     aws acm export-certificate \
       --certificate-arn $CERTIFICATE \
       --passphrase passphrase | jq -r '.CertificateChain' > CertificateChain.pem
     aws acm export-certificate \
       --certificate-arn $CERTIFICATE \
       --passphrase passphrase | jq -r '.PrivateKey' > PrivateKey.pem
     
     # -passout sets the export password of the bundle; this is the keystore
     # password that you provide to Jamf Pro.
     openssl pkcs12 -export \
       -in "Certificate.pem" \
       -certfile "CertificateChain.pem" \
       -inkey "PrivateKey.pem" \
       -name example \
       -out output.p12 \
       -passin pass:passphrase \
       -passout pass:passphrase
     ```

------
#### [ OpenSSL CLI ]

**To create a profile signing certificate using OpenSSL CLI**

   1. Using OpenSSL, generate a private key by running the following command.

      ```
      openssl genrsa -out local.key 2048
      ```

   1. Generate a certificate signing request (CSR):

      ```
      openssl req -new -key local.key -sha512 -out local.csr -subj "/CN=MySigningCertificate/O=MyOrganization" -addext keyUsage=critical,digitalSignature,nonRepudiation
      ```

   1. Using the AWS CLI, issue the signing certificate using the CSR you generated in the previous step. Run the following command, and note the certificate ARN in the response.

      ```
      aws acm-pca issue-certificate --certificate-authority-arn <SAME CA AS USED ABOVE, SO IT’S TRUSTED> --csr fileb://local.csr --signing-algorithm SHA512WITHRSA --validity Value=365,Type=DAYS
      ```

   1. Get the signing certificate by running the following command. Specify the certificate ARN from the previous step.

      ```
      aws acm-pca get-certificate --certificate-authority-arn <SAME CA AS USED ABOVE, SO IT’S TRUSTED> --certificate-arn <ARN OF NEW CERTIFICATE> | jq -r '.Certificate' >local.crt
      ```

   1. Get the CA certificate by running the following command.

      ```
      aws acm-pca get-certificate-authority-certificate --certificate-authority-arn <SAME CA AS USED ABOVE, SO IT’S TRUSTED> | jq -r '.Certificate' > ca.crt
      ```

   1. Using OpenSSL, output the signing certificate keystore in p12 format. Use the CRT files that you generated in steps four and five.

      ```
      openssl pkcs12 -export -in local.crt -inkey local.key -certfile ca.crt -name "CA Chain" -out local.p12
      ```

   1. When prompted, enter an export password. This password is your keystore password to provide to Jamf Pro.

------

1. In Jamf Pro, navigate to the **Management Certificate Template** and go to the **External CA** pane.

1. At the bottom of the **External CA** pane, select **Change Signing and CA Certificates**.

1. Follow the onscreen instructions to upload the signing and CA certificates for the external CA.

### Step 4: (Optional) Install certificate during user-initiated enrollment

To establish trust between your client devices and your private CA, you must ensure that your devices trust the certificates issued by Jamf Pro. You can use Jamf Pro's [User-Initiated Enrollment Settings](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/User-Initiated_Enrollment_Settings.html#:~:text=In%20Jamf%20Pro%2C%20click%20Settings,to%20be%20used%20during%20enrollment.) to automatically install your AWS Private CA's CA certificate on the client devices when they request a certificate during the enrollment process.

### Troubleshoot profile installation failures

If you're experiencing profile installation failures after enabling **Use Jamf Pro as SCEP Proxy for computer and mobile device enrollment**, consult your device logs and try the following.


| Device log error message | Mitigation | 
| --- |--- |
| `Profile installation failed. Unable to obtain certificate from SCEP server at "<your-jamf-endpoint>.jamfcloud.com". <MDM-SCEP:15001>` | If you receive this error message while trying to enroll, retry the enrollment. It can take several tries before enrollment succeeds. | 
| `Profile installation failed. Unable to obtain certificate from SCEP server at "<your-jamf-endpoint>.jamfcloud.com". <MDM-SCEP:14006>` | Your challenge password might be misconfigured. Verify that the challenge password in Jamf Pro matches your connector’s challenge password. | 

# Configure Microsoft Intune for Connector for SCEP

You can use AWS Private CA as an external certificate authority (CA) with the Microsoft Intune mobile device management (MDM) system. This guide provides instructions on how to configure Microsoft Intune after you create a Connector for SCEP for Microsoft Intune.

## Prerequisites

Before you create a Connector for SCEP for Microsoft Intune, you must complete the following prerequisites.
+ Create an Entra ID.
+ Create a Microsoft Intune Tenant.
+ Create an App Registration in your Microsoft Entra ID. See [Update an app's requested permissions in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#grant-admin-consent-in-app-registrations-pane) in the Microsoft Entra documentation for information about how to manage application-level permissions for your App Registration. The App Registration must have the following permissions:
  + Under **Intune** set **scep_challenge_provider**.
  + For **Microsoft Graph** set **Application.Read.All** and **User.Read**.
+ You must grant the application in your App Registration admin consent. For information, see [Grant tenant-wide admin consent to an application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal) in the Microsoft Entra documentation.
**Tip**  
When you create the App Registration, take note of the **Application (client) ID** and **Directory (tenant) ID or primary domain**. When you create your Connector for SCEP for Microsoft Intune, you'll enter these values. For information about how to get these values, see [Create a Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) in the Microsoft Entra documentation.

## Step 1: Grant AWS Private CA permission to use your Microsoft Entra ID Application

After you create a Connector for SCEP for Microsoft Intune, you must create a federated credential under the Microsoft App Registration so that Connector for SCEP can communicate with Microsoft Intune.

**To configure AWS Private CA as an external CA in Microsoft Intune**

1. In the Microsoft Entra ID console, navigate to the **App registrations**.

1. Choose the application that you created to use with Connector for SCEP. The application (client) ID of the application you choose must match the ID you specified when you created the connector.

1. Select **Certificates & secrets** from the **Managed** drop-down menu.

1. Select the **Federated credentials** tab.

1. Select **Add a credential**.

1. From the **Federated credential scenario** drop down menu, choose **Other issuer**.

1. Copy and paste the **OpenID issuer** value from your Connector for SCEP for Microsoft Intune details into the **Issuer** field. To view a connector's details, choose the connector from the [Connectors for SCEP](https://console.aws.amazon.com/pca-connector-scep/home#/connectors) list in the AWS console. Alternatively, you can get the value by calling [GetConnector](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_GetConnector.html) and then copying the `Issuer` value from the response.

1. For **Type**, select **Explicit subject identifier**.

1. Copy and paste the **OpenID subject** value from your connector into the **Value** field. You can view the OpenID subject value on the connector details page in the AWS console. Alternatively, you can get the value by calling [GetConnector](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_GetConnector.html) and then copying the `Subject` value from the response.

1. (Optional) Enter the name of the instance in the **Name** field. For example, you can name it **AWS Private CA**.

1. (Optional) Enter a description into the **Description** field.

1. Copy and paste the **OpenID Audience** value from your Connector for SCEP for Microsoft Intune details into the **Audience** field. To view a connector's details, choose the connector from the [Connectors for SCEP](https://console.aws.amazon.com/pca-connector-scep/home#/connectors) list in the AWS console. Alternatively, you can get the value by calling [GetConnector](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_GetConnector.html) and then copying the `Audience` value from the response.

1. Select **Add**.

## Step 2: Set up a Microsoft Intune configuration profile

After you give AWS Private CA the permission to call Microsoft Intune, you must use Microsoft Intune to create a Microsoft Intune configuration profile that instructs devices to reach out to Connector for SCEP for certificate issuance.

1. Create a trusted certificate configuration profile. You must upload the root CA certificate of the chain that you're using with Connector for SCEP into Microsoft Intune to establish trust. For information on how to create a trusted certificate configuration profile, see [Trusted root certificate profiles for Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root) in the Microsoft Intune documentation.

1. Create a SCEP certificate configuration profile that points your devices to the connector when they require a new certificate. The configuration profile's **Profile type** should be **SCEP Certificate**. For the configuration profile's root certificate, make sure that you use the trusted certificate that you created in the previous step.

   For **SCEP Server URLs**, copy and paste the **SCEP URL** from your connector's details into the **SCEP Server URLs** field. To view a connector's details, choose the connector from the [Connectors for SCEP](https://console.aws.amazon.com/pca-connector-scep/home#/connectors) list. Alternatively, you can get the URL by calling [ListConnectors](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_ListConnectors.html), and then copy the `Endpoint` value from the response. For guidance on creating configuration profiles in Microsoft Intune, see [Create and assign SCEP certificate profiles in Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep) in the Microsoft Intune documentation.
**Note**  
For devices other than macOS and iOS, if you don't set a validity period in the configuration profile, Connector for SCEP issues a certificate with a validity of one year. If you don't set an Extended Key Usage (EKU) value in the configuration profile, Connector for SCEP issues a certificate with the EKU set to `Client Authentication (Object Identifier: 1.3.6.1.5.5.7.3.2)`. For macOS or iOS devices, Microsoft Intune doesn't respect the `ExtendedKeyUsage` or `Validity` parameters in your configuration profiles; for these devices, Connector for SCEP issues a certificate with a one-year validity period and the Client Authentication EKU.

## Step 3: Verify the connection to Connector for SCEP

After you've created a Microsoft Intune configuration profile that points to the Connector for SCEP endpoint, confirm that an enrolled device can request a certificate by checking that there are no policy assignment failures. In the Intune portal, navigate to **Devices** > **Manage Devices** > **Configuration** and verify that nothing is listed under **Configuration Policy Assignment Failures**. If there is, check your setup against the preceding procedures. If your setup is correct and there are still failures, consult [Collect available data from mobile device](https://learn.microsoft.com/en-us/mem/intune/fundamentals/help-desk-operators#collect-available-data-from-mobile-device).

For information about device enrollment, see [What is device enrollment?](https://learn.microsoft.com/en-us/mem/intune/user-help/use-managed-devices-to-get-work-done) in the Microsoft Intune documentation.

# Configure Omnissa Workspace ONE for Connector for SCEP

Connector for SCEP for Omnissa Workspace ONE is now generally available.

You can use AWS Private CA as an external certificate authority (CA) with the Omnissa Workspace ONE UEM (Unified Endpoint Management) system. This guide provides instructions on how to configure Omnissa Workspace ONE after you create a SCEP connector in AWS.

## Prerequisites


Before you create a SCEP connector for Omnissa Workspace ONE, you must complete the following prerequisites:
+ Create a private CA in the AWS console. For more information, see [Create a private CA in AWS Private CA](create-CA.md).
+ Create a general purpose SCEP connector. For more information, see [Create a connector](connector-for-scep-getting-started.md#gs-create-connector-for-scep-console).
+ Have an active Omnissa Workspace ONE environment admin account with an Organization Group ID.
+ If you are enrolling an Apple device, configure the Apple Push Notification Service (APNs) for MDM. For more information, see [APNs Certificates](https://docs.omnissa.com/bundle/WorkspaceONE-UEM-Console-BasicsVSaaS/page/APNsCertificates.html) in the Omnissa documentation.

## Step 1: Define a certificate authority and template in Omnissa Workspace ONE


After creating a private CA and SCEP connector in the AWS console, define the certificate authority and template in Omnissa Workspace ONE.

**Add AWS Private CA as a certificate authority**

1. From the **System** menu, choose **Enterprise Integration** and then choose **Certificate Authorities**.

1. Choose **+ ADD** and provide the following information:
   + **Name**: AWS-Private-CA.
   + **Description**: AWS Private CA for device certificate issuance.
   + **Authority Type**: Select **Generic SCEP**.
   + **SCEP URL**: Enter the SCEP URL from AWS Private CA.
   + **Challenge Type**: Select **STATIC**.
   + **Static Challenge**: Enter the SCEP static challenge password from the Connector for SCEP configuration in the AWS console.
   + Enter the **Retry Timeout** and **Max Retries** values.

1. Save the configuration.

**Create a certificate template**

1. From the **System** menu, choose **Enterprise Integration**, choose **Certificate Authorities**, and then choose **Templates**.

1. Choose **Add Templates** and provide the following information:
   + **Template Name**: Device-Cert-Template.
   + **Certificate Authority**: Choose **AWS-Private-CA**.
   + **Subject Name**: This is a customizable field. You can choose variable values from a list of attributes. For example, `CN={DeviceReportedName}, O={DevicePlatform}, OU={CustomAttribute1}`.
   + **Private Key Length**: 2048 bits.
   + **Private Key Type**: Select **Signing** and **Encryption** as required.
   + **Automatic Renewal**: Enabled/Disabled (Based on your needs).

1. Save the template.

## Step 2: Set up an Omnissa Workspace ONE UEM profile configuration


Create a profile in Omnissa Workspace ONE UEM that directs devices to Connector for SCEP to issue a certificate.

**Create a SCEP device profile for certificate distribution**

1. From the **Resources** menu, choose **Profiles & Baselines**, and then choose **Profiles**.

1. Choose **Add**, then **Add Profile**.

1. Select the device platform (**Android**, **iOS**, **macOS**, **Windows**).

1. Set the **Management type** and **Context** as appropriate.

1. Set the **Name**: Device-Cert-Profile.

1. Scroll to **SCEP Payload**.

1. Select **SCEP** and then choose **+ Add**.

1. Use the following configuration:
   + **SCEP**:
     + For **Credential Source** select **Defined Certificate Authority** (Default).
     + For **Certificate Authority** select **AWS-Private-CA**.
     + For **Certificate Template** select the **Device-Cert-Template** defined in Step 1.

1. Choose **Next** and in the **Assignment** section select the right smart group from the list (assignment group for the device).

1. Select **Assignment type** as **Auto** to enable auto-renewal.

1. Save and publish the profile.

**Note**  
For more information, see [SCEP](https://docs.omnissa.com/bundle/CertificateAuthorityIntegrationsV2302/page/SCEP.html) in the Omnissa documentation.

## Step 3: Enroll devices in Omnissa Workspace ONE


**Create or verify a smart group**

1. From **Groups & Settings** choose **Groups** and then choose **Assignment Groups**.

1. Create or edit the POC-Devices smart group:
   + **Name**: POC-Devices.
   + **Device Type**: Select **All** or a specific platform (Android or iOS, for example).
   + **Criteria**: Use **UserGroup**, **Platform and OS**, **OEM and Model** to specify the criteria to group the target devices.
   + **Ownership**: Select **Any** for personal or corporate devices.

1. Save and verify the target devices appear in the **Preview** tab.

### Manual device enrollment


Android  
+ Download the **Workspace ONE Intelligent Hub** app from Google Play.
+ Open the app and enter the enrollment URL or scan a QR code.
+ Log in and follow the prompts to enroll as an MDM-managed device.

iOS/macOS  
+ On the device, open **Safari** and navigate to the enrollment URL (https://<WorkspaceONEUEMHostname>/enroll, for example).
+ Log in with user credentials.
+ Download and install the **Workspace ONE Intelligent Hub** app from the App Store.
+ Follow prompts to install the MDM profile in **Settings** > **General** > **VPN & Device Management** > **Profile** > **Install**.

Windows  
+ Download the **Workspace ONE Intelligent Hub** from the Workspace ONE server or Microsoft Store.
+ Enroll via the Hub using the enrollment URL and credentials.

Assign enrolled devices to the POC-Devices Smart Group in **Devices** > **List View** > **More Actions** > **Assign to Smart Group**.

For more information, see [Automated Device Enrollment](https://docs.omnissa.com/bundle/Apple-Business-ManagerVSaaS/page/AppleBusinessManagerDeviceEnrollment.html) in the Omnissa documentation.

**Verify enrollment**

1. In the Omnissa Workspace ONE UEM Console, go to **Devices** and then **List View**.

1. Confirm that your enrolled devices appear with the status set to **Enrolled**.

1. Verify devices are in the POC-Devices smart group in the **Groups** tab of the **Device Details**.

## Step 4: Issue a certificate


**Trigger issuing a certificate**

1. In **Devices** **List View**, select the enrolled device.

1. Choose the **Query** button to prompt a check-in.

1. The Device-Cert-Profile should issue a certificate via AWS Private CA.

**Verify certificate installation**

Android  
Choose **Settings**, then **Security**, then **Trusted Credentials**, and then **User** to verify the certificate.

iOS  
Go to **Settings**, then choose **General**, then **VPN & Device Management**, and then **Configuration Profile**. Verify that the certificate from AWS-Private-CA is present.

macOS  
Open **Keychain Access** and then **System Keychain** and verify the certificate.

Windows  
Open **certmgr.msc**, then **Personal**, and then **Certificates** to verify the certificate.

## Troubleshooting


SCEP Errors ("22013 - The SCEP server returned an invalid response" for example)  
+ Verify the SCEP URL and static challenge password in Workspace ONE match AWS Private CA.
+ Test SCEP endpoint connectivity: `curl <SCEP_URL>`.
+ Check AWS CloudTrail logs for AWS Private CA errors (`IssueCertificate` failures, for example).
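A plain `curl` of the SCEP URL only proves the endpoint answers; a SCEP client's first real request is the RFC 8894 `GetCACaps` operation, and a Workspace ONE profile that expects POST, SHA-256 and AES will fail later if the server does not advertise them. The script below is an added example, not part of the AWS or Omnissa documentation: it fetches `GetCACaps` from a placeholder `SCEP_URL` and checks the response for a required capability set. The required set and the sample response are assumptions constructed for this walkthrough; adjust the set to what your SCEP payload actually uses.

```shell
#!/bin/sh
# Added example (not from the AWS or Omnissa documentation): probe a SCEP endpoint
# the way a SCEP client does before enrollment, using the RFC 8894 GetCACaps
# operation, and verify that the capabilities a Workspace ONE SCEP payload relies
# on are advertised. SCEP_URL is a placeholder for your connector endpoint.

# Fetch the GetCACaps body. Prints the body; returns non-zero on HTTP/transport error.
scep_get_caps() {
  curl -fsS --max-time 10 "${1}?operation=GetCACaps"
}

# Read a GetCACaps body from stdin and verify that every capability named in the
# arguments is present (RFC 8894 lists one capability per line, case-sensitive).
# Prints "missing: <name>" for each absent capability; returns 1 if any is absent.
scep_check_caps() {
  caps=$(tr -d '\r')          # tolerate CRLF line endings
  rc=0
  for want in "$@"; do
    if ! printf '%s\n' "$caps" | grep -qx -- "$want"; then
      echo "missing: $want"
      rc=1
    fi
  done
  return "$rc"
}

# Assumed required set for this walkthrough: HTTP POST for PKIOperation, plus
# SHA-256 and AES so the device does not negotiate down to MD5/DES.
REQUIRED_CAPS="POSTPKIOperation SHA-256 AES"

# Constructed sample response so the script runs offline. Against a live
# endpoint, replace the pipeline with:
#   scep_get_caps "$SCEP_URL" | scep_check_caps $REQUIRED_CAPS
SAMPLE_CAPS='POSTPKIOperation
SHA-256
AES
Renewal
'

if printf '%s' "$SAMPLE_CAPS" | scep_check_caps $REQUIRED_CAPS; then
  echo "all required SCEP capabilities advertised"
else
  echo "endpoint lacks required capabilities; re-check the SCEP URL in the Workspace ONE CA definition"
fi
```

If a capability is reported missing, compare the URL in the Workspace ONE certificate authority definition with the endpoint shown in the Connector for SCEP console before looking at challenge passwords, since a wrong or proxied URL typically surfaces as the generic "invalid response" error above.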

APNs issues (iOS/macOS)  
+ Make sure the APNs certificate is valid and assigned to the correct Organization Group.
+ Test APNs connectivity: `telnet gateway.push.apple.com 2195`.

Profile installation failures  
+ Confirm devices are in the correct Smart Group (**Devices**, then **List View**, and then **Groups**).
+ Force a profile sync: **More Actions**, then **Send**, and then **Profile List**.

Logs  
+ Android: Use **Logcat** or Workspace ONE logs.
+ iOS/macOS: `log show --predicate 'process == "mdmclient"' --last 1h` (via Xcode/Apple Configurator).
+ Windows: **Event Viewer**, then **Applications and Services Logs** and then **Microsoft-Windows-DeviceManagement**.
+ Workspace ONE UEM: **Monitor**, then **Reports & Analytics**, then **Events**, and then **Device Events**.

For detailed Connector for SCEP monitoring in AWS, see [https://docs.aws.amazon.com/privateca/latest/userguide/c4scep-monitoring-overview.html](https://docs.aws.amazon.com/privateca/latest/userguide/c4scep-monitoring-overview.html).

## Security considerations

+ Store SCEP URLs and secrets securely. For more information, see the [AWS Secrets Manager service](https://docs.aws.amazon.com/secretsmanager/).
+ Restrict smart group criteria to target devices only.
+ Regularly renew Apple Push Notification service (APNs) certificates (valid for 1 year).
+ Set short certificate validity periods for proof of concept projects to minimize risk.
+ For personal devices, make sure cleanup removes all profiles and certificates.

For information about how to configure Omnissa Workspace ONE UEM and CA integration using a SCEP connector, see the [SCEP in Omnissa Workspace ONE](https://docs.omnissa.com/bundle/CertificateAuthorityIntegrationsV2302/page/SCEP.html#:~:text=The%20exception%20to%20this%20requirement,Enable%20or%20disable%20the%20proxy.) documentation.