Anyone using SCEP with OS X clients?

I am very interested in this as well as my customers are not liking the alternative of setting up an auto-enrolling web interface to their CAs. I will be experimenting with this as soon as they bring up a SCEP-enabled CA!

We are in this boat as well. We're working on a solution to use SCEP with User level certificates (Login.keychain) as well as the AD issued cert for the Machine level certificate (System.keychain).

SCEP is working well for us. We are using it for the computer cert issued from the domain.

We needed to upgrade the JSS from 8.43 to 8.52 to use the variables.

If you're interested in checking out there are some useful variables that you can use in configuration profiles, there is a table on page 314 of the Casper Admin's guide:

http://www.jamfsoftware.com/libraries/pdf/products/documentation/Casper_Suite_8.5_Documentation.pdf

Hey cem, are you creating your scep configuration profile on the jss or profile manager on a lion server?
How are you delivering the profiles to the client machines? Jss push or ?
Thanks!

We are using it as well with Windows 2008 SCEP servers. We create our profiles using Lion Server's Profile Manager

cem or ooshnoo- did either of you try user certificates or are you both doing computer certs?
also, how are you integrating this into your imaging/deployment workflow?

@nkalister
Simply using JSS SCEP config profile. It is now better with JSS6. As you get the dynamic Challenge option too.

We are using computer certs. But variables in JSS for SCEP should help for user certs too. But I didn't tried this.

When setting up the SCEP server in Global Management Frameworks, does the jss require the full path to the dll, or just the directory path for the Base URL for the SCEP server?

Option 1: https://ndesserver.corp.root/certsrv/mscep/mscep.dll Option 2: https://ndesserver.corp.root/certsrv/mscep/

I ask because I'm testing this with a Mac on 10.8.2, and the device doesn't appear to get a device certificate, but from a separate profile it does get our internal .p7b certificate chain.

"Use External Certificate Authority" in "Global Management Frameworks"
Base URL for the SCEP Server: http://ndesserver.corp.root/certsrv/mscep/mscep.dll

NO https

Hi cem. Are there logs anywhere on the jss that can track errors in this process? I can validate that configuration profiles come down, but I can't get SCEP or AD certs to process. I have SCEP working with MobileIron for my iOS devices, so I know the configuration is correct, but couldn't ever get an SCEP cert (even a request to the server). I tried AD certs since they should be simpler, but again my certsrv isn't even getting the request, which means the profile isn't getting processed to the Mac.

Any help/suggestions appreciated.

@mlinde ; sorry for the late reply... i am up to my eye balls at the minute... I am afraid no footprint for this in jamf.log. But you can try SCEP server logs and RADIUS Server logs.

Make sure put $COMPUTERNAME variable in to the SCEP payload as below (just replace "yourcompany.com" to your company domain). Also select "DNS Name" option under "Subject Alternative Name Type"

Subject:
CN=$COMPUTERNAME.yourcompany.com

Subject Alternative Name Value:
host/$COMPUTERNAME.yourcompany.com