iOS SCEP Configuration Profile

sdiver
New Contributor III

We are looking at rolling out SCEP Configuration Profiles for our iOS devices (and macOS devices...but for now, we're focusing on iOS). There is a definite lack of information out there on doing this, so I am curious if anyone has been able to successfully implement it?

We have created an iOS Configuration Profile, with the SCEP payload configured as follows...

URL
The base URL for the SCEP Server
http://scepserver.domain.org/certsrv/mscep/mscep.dll

Name
The name of the instance: CA-IDENT
NAME-NDES-MSCEP-RA

Display "Redistribute Profile" setting for this profile
*Display a setting in the General payload that allows you to choose when you want to automatically redistribute this profile
Unchecked

Subject
Representation of a X.500 name (e.g. O=CompanyName, CN=Foo)
CN=$DEVICENAME,O=Organization Name

Subject Alternative Name Type
The type of a subject alternative name
DNS Name

Subject Alternative Name Value
The value of a subject alternative name
Blank

NT Principal Name
An NT principal name for use in the certificate request
Blank

Retries
Number of times to retry after PENDING response
0

Retry Delay
Number of seconds to wait before each retry
0 Seconds

Challenge Type
Type of challenge password to use
Dynamic-Microsoft CA

URL to SCEP Admin
The URL of the page to use to retrieve the SCEP challenge
http://scepserver.domain.org/certsrv/mscep_admin/

Username
The username to use to log in to the SCEP Admin page
DOMAINSCEPAdminUsername

Password
The password to use to log in to the SCEP Admin page
SCEPAdminUsername_Password

Verify Password
SCEPAdminUsername_Password

Key Size
Key size in bits
2048

Use as digital signature
Checked

Use for key encipherment
Checked

Fingerprint
Enter hex string to be used as a fingerprint or use button to create fingerprint from certificate
Blank

However, with those settings (and whatever settings we have used...we have tested variations on the Subject name, Subject Alternative Name Value, Challenge Type, Key Size, etc.), when deploying the Configuration Profile to an iOS device, the JSS (Jamf Pro?) gives us the following error message...

The Registration Authority’s response is invalid.

So, has anyone been able to successfully deploy a SCEP payload to iOS devices? And if so, how the heck are you doing it!?

Thanks,
Steve

1 ACCEPTED SOLUTION

sdiver
New Contributor III

Okay, after messing around with this for over a week, we finally appear to have things working. When creating the Configuration Profile to be pushed to iOS devices, the Wi-Fi, Certificate, and SCEP payloads need to be configured. Here is a basic outline of what worked for us...

On our Microsoft Internal CA, we had to make and deploy a new Certificate Template, so that macOS and iOS devices got a certificate that worked with them. I forget the exact settings we changed…but I can dig those up if necessary. There are a lot of articles on this out there though.

As for the Jamf portion though…create a Configuration Profile, and fill out the General section. We did find that having the name of the SSID in the Configuration Profile name field gave us headaches. Or it was the underscore in the SSID name. Not sure why. But once we removed that, all was happy. So, just a heads up. Once the General section is complete, we'll move on to the Certificate payload...

Certificate Payload
We are using a Microsoft CA, so from a web browser, visit your CA. The URL will be something similar to the following...

http://your-internal-ca.domain.com/certsrv/

Download the CA Certificate. For what it's worth, we chose Base64 as the encoding method. Save the CA Certificate somewhere, and maybe rename it to something that has meaning to you.

Go to the Certificate payload, and enter a name/description for the certificate, and upload your CA Certificate.

SCEP Payload
The SCEP payload was the biggest headache to get right. Your mileage may vary on these settings, but here is what worked for us…

URL
The base URL for the SCEP Server
http://scepserver.domain.org/certsrv/mscep/mscep.dll

Name
The name of the instance: CA-IDENT
INTERNALCANAME-CA

Display "Redistribute Profile" setting for this profile
*Display a setting in the General payload that allows you to choose when you want to automatically redistribute this profile
Unchecked

Subject
Representation of a X.500 name (e.g. O=CompanyName, CN=Foo)
CN=$USERNAME

Subject Alternative Name Type
The type of a subject alternative name
RFC 822 Name

Subject Alternative Name Value
The value of a subject alternative name
$EMAIL

NT Principal Name
An NT principal name for use in the certificate request
Blank

Retries
Number of times to retry after PENDING response
0

Retry Delay
Number of seconds to wait before each retry
0 Seconds

Challenge Type
Type of challenge password to use
Dynamic-Microsoft CA

URL to SCEP Admin
The URL of the page to use to retrieve the SCEP challenge
http://scepserver.domain.org/certsrv/mscep_admin/

Username
The username to use to log in to the SCEP Admin page
DOMAINSCEPAdminUsername

Password
The password to use to log in to the SCEP Admin page
SCEPAdminUsername_Password

Verify Password
SCEPAdminUsername_Password

Key Size
Key size in bits
2048

Use as digital signature
Checked

Use for key encipherment
Checked

Fingerprint
Enter hex string to be used as a fingerprint or use button to create fingerprint from certificate
Blank

Wi-Fi Payload
The WiFi payload was the final one to configure, as you need information from the other 2 payloads to complete…

Service Set Identifier (SSID)
Identification of the wireless network to connect to
<Your SSID Name>

Auto Join
Automatically join this wireless network
Checked

Security Type
Wireless network encryption to use when connecting
WPA / WPA2 Personal

Network Security Settings
Configuration options for 802.1X network authentication

Protocols Button
TLS - Checked

Identity Certificate
Credentials for connection to the network
Select the SCEP configuration from the dropdown

Trust Button
Trusted Certificates
Certificates trusted/expected for authentication

Check the box next to the CA Certificate


TreviñoL
Contributor

Are you using a MS Server with the NDES service running for iOS certificate deployment?

We are looking at IBM's steps for deploying certificates:

1. https://www.ibm.com/support/knowledgecenter/SS54PL_2.4.0/com.ibm.maas.doc/CloudExtender/t_microsoft_ndes_installation.html
2. https://blogs.technet.microsoft.com/askds/2010/11/22/ipad-iphone-certificate-issuance/
3. http://www.scconfigmgr.com/2016/04/12/prepare-your-environment-for-scep-certificate-enrollment-with-microsoft-intune/

TreviñoL
Contributor

Is there a way to use the Microsoft payload through a test script to connect to the NDES server and attempt to get a certificate, outside of JAMF?

Go to https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html for instructions on how to write profiles. Save the text/xml file with a ".mobileconfig" file name extension. You can open that on an Apple device and the OS will install it. There is a SCEP example at the bottom of the page.

Sharing something we got from JAMF SE:

Usually I go low-level and work through it step by step when we run into trouble. Like first I'll do it on Windows like this... https://blogs.technet.microsoft.com/configmgrdogs/2015/08/24/so-you-want-to-test-your-ndesscep-certificate-enrollment/. Then I'll do it with a Microsoft cert payload deployed to a MacOS computer so we're using the template to get the cert. That way I can see what the right cert subject is. Then I'll go to configure the SCEP/iOS payload for iOS if needed.
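
To try the SCEP settings from the accepted solution outside Jamf, as the post above suggests, here is an added example that is not from the thread and not what Jamf generates: a Python script that writes the Certificate, SCEP and Wi-Fi (EAP-TLS) payloads into a .mobileconfig with plistlib. The payload key names follow Apple's Configuration Profile Reference; the URLs, CA-IDENT, SSID, identifier prefix and the CA certificate are placeholders, and it assumes WPA2 Enterprise with EAP-TLS (which is what an identity certificate plus 802.1X settings implies). The challenge is a one-time password you copy from the mscep_admin page by hand, since a static profile cannot fetch it the way the "Dynamic-Microsoft CA" option does.

```python
"""Build the Certificate + SCEP + Wi-Fi (EAP-TLS) .mobileconfig the thread describes.

Added example, not Jamf's generated profile. Payload key names follow Apple's Configuration
Profile Reference; URLs, names, SSID and the CA certificate are placeholders.
"""
import base64
import plistlib
import uuid

EAP_TLS = 13            # EAP method number for EAP-TLS
KEY_USAGE_SIGN = 1      # SCEP "Key Usage" bit: digital signature
KEY_USAGE_ENCIPHER = 4  # SCEP "Key Usage" bit: key encipherment

# Constructed stand-in for the Base64 (PEM) download from /certsrv. NOT a real certificate.
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
                 + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; the Certificate payload carries raw DER bytes."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def subject_from_dn(dn: str) -> list:
    """'CN=jdoe,O=Example Org' -> [[['CN', 'jdoe']], [['O', 'Example Org']]], the nested
    shape the SCEP payload's Subject key expects. Commas inside values are not handled."""
    return [[[k.strip(), v.strip()]] for k, v in (part.split("=", 1) for part in dn.split(","))]


def new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_profile(scep_url, ca_ident, subject_dn, email, challenge, ca_pem, ssid,
                  identifier_prefix="org.example", ca_fingerprint_hex=None) -> bytes:
    """Return the profile as XML plist bytes. `challenge` is a one-time password copied from
    the NDES admin page, i.e. what Jamf's 'Dynamic-Microsoft CA' option fetches for you."""
    cert_uuid, scep_uuid, wifi_uuid, profile_uuid = (new_uuid() for _ in range(4))

    def common(ptype, puuid, display):
        return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": puuid,
                "PayloadIdentifier": f"{identifier_prefix}.{ptype}.{puuid}",
                "PayloadDisplayName": display}

    cert_payload = common("com.apple.security.root", cert_uuid, "Internal CA")
    cert_payload["PayloadContent"] = pem_to_der(ca_pem)

    scep_payload = common("com.apple.security.scep", scep_uuid, "SCEP Enrollment")
    scep_payload["PayloadContent"] = {
        "URL": scep_url,
        "Name": ca_ident,                                   # CA-IDENT
        "Subject": subject_from_dn(subject_dn),
        "SubjectAltName": {"rfc822Name": email},            # RFC 822 Name SAN
        "Challenge": challenge,
        "Key Type": "RSA",
        "Keysize": 2048,
        "Key Usage": KEY_USAGE_SIGN | KEY_USAGE_ENCIPHER,   # 5 = both boxes checked
        "Retries": 0,
        "RetryDelay": 0,
    }
    if ca_fingerprint_hex:  # optional pin of the cert that signs the SCEP reply
        scep_payload["PayloadContent"]["CAFingerprint"] = bytes.fromhex(ca_fingerprint_hex)

    wifi_payload = common("com.apple.wifi.managed", wifi_uuid, f"Wi-Fi {ssid}")
    wifi_payload.update({
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": scep_uuid,                # identity = SCEP-enrolled cert
        "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS],
                                   "PayloadCertificateAnchorUUID": [cert_uuid]},  # trust the CA
    })

    profile = common("Configuration", profile_uuid, "Corporate Wi-Fi (EAP-TLS)")
    profile["PayloadContent"] = [cert_payload, scep_payload, wifi_payload]
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    return plistlib.loads(data)


def payload(profile: dict, ptype: str) -> dict:
    return next(p for p in profile["PayloadContent"] if p["PayloadType"] == ptype)


if __name__ == "__main__":
    blob = build_profile("http://scepserver.domain.org/certsrv/mscep/mscep.dll", "INTERNALCANAME-CA",
                         "CN=jdoe,O=Example Org", "jdoe@domain.org", "PASTE-ONE-TIME-CHALLENGE",
                         SAMPLE_CA_PEM, "CorpWiFi")
    with open("scep-test.mobileconfig", "wb") as fh:
        fh.write(blob)
```

Open the resulting file on a test iPhone (AirDrop, mail or a web link) and watch Settings install it: if the SCEP step fails there too, the problem is between the device and NDES (URL, CA-IDENT, challenge, template), not in Jamf. Substitute a real user for `CN=jdoe` by hand, since `$USERNAME`/`$EMAIL` are Jamf variables that nothing expands in a static profile.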

TreviñoL
Contributor

We finally got it working in our test environment.

Here is what we had to change in the profile setup.

URL
The base URL for the SCEP Server - UPDATED
http://scepserver.domain.org/certsrv/mscep/

Name
The name of the instance: CA-IDENT - UPDATED - Just enter the HOST name of the Windows Server
NAME-NDES-MSCEP-RA

Subject Alternative Name Type - UPDATED
The type of a subject alternative name
NONE

Use as digital signature - Updated
Unchecked

Use for key encipherment - Updated
Unchecked

TreviñoL
Contributor

Good job!

We are going to be testing Wi-Fi payload and Exchange 2013 ActiveSync payload with Certificate Authentication in a few days.

mike_pinto
New Contributor III

Forgive me if this is a dumb question as this is out of my wheelhouse. Is there a way to automate the mapping of the user cert to the AD record it corresponds with? I feel like I'm missing something as having to do this manually a few thousands times doesn't seem right.

Tigerhaven
Contributor

We just started working on this too, but for Macs. Thanks for sharing this.

Kunal V

mclinde
New Contributor

Was there a way to test that the JSS was talking to the MS/NDES server? I'm not sure that communication is even happening on our end, and I can't for the life of me find a way to test the SCEP setting to determine if the configuration will even request a certificate.

In MobileIron there's a clear button to "Issue Test Certificate" - that would be nice, but any other option to confirm the configuration of the SCEP works from the JSS. It won't push to the client, which suggests there is a failure in the certificate request, but I get no IIS logs on the NDES server showing any NDES requests or rejects, and no certificate request (or success) on the CA.