I'm using a Jamf Pro Configuration profile with three payloads:
1. Certificate payload you should be installing all the root and intermediate certificates the client will need to connect to your Wi-Fi NAS and Certificate server and trust the connections.
2. SCEP payload where you put in the instance of your SCEP server. For me it's https://server name/certsrv/mscep/mscep.dll. Also include your SCEP server instance name and what the certificate common name will be. e.g. CN=$COMPUTERNAME. You may also need to put in credentials for your server or
3. Network payload to give the client the Wi-Fi profile. There are section you have to setup the security WPA2 Enterprise, EAP type to TLS, and in the trust section your link to your SCEP and certificates so the client will trust them.
So no integration or Netscaler. For Microsoft CA using SCEP it's just a URL. I have a wildcard certificate installed on the CA, so the client doesn't have any issues hitting it. This took me about a week or two to get right. lots of trial and error. Let me know if you want some screen shots of the settings I use. But then you will also need a CA with certificate templates available which is a whole new can of worms.
