The Simple Certificate Enrollment Protocol (SCEP) automates the distribution of certificates at scale. Instead of manual provisioning, SCEP allows devices to request certificates directly from a Certificate Authority (CA) using a secure protocol. Only trusted endpoints can connect to a network, as devices without valid certificates are automatically denied access.
Microsoft Intune and Jamf utilize SCEP to manage certificates for managed devices, including laptops, mobile devices, network hardware, and applications. By deploying SCEP, organizations can automate certificate lifecycle management, reduce human error, and enforce strong authentication for Wi-Fi, VPN, and other critical services.
What Is a SCEP Gateway
A SCEP Gateway is the endpoint through which managed devices obtain certificates: it pulls certificates from a specific CA and distributes them to the devices that request them. A SCEP Gateway configuration comprises an access token, a shared secret, an API URL, and a certificate authority. SCEP works with managed device vendors such as Jamf and AirWatch; customers that rely on Microsoft GPO and Active Directory instead can use the Microsoft WSTEP protocol.
SCEP Gateway Components
SCEP defines how a device communicates with a PKI through a Gateway API URL. With our Managed Gateway API, you can generate a URL in the MDM and send the payload to devices to enable self-enrollment for client certificates.
CA and Certificate Template
A CA is a crucial component of a PKI, as it validates the identity of a user, device, or website before it issues certificates. Before issuing any certificate to a device, SCEP requests the CA’s certificate to verify its authenticity. This is a critical checkpoint because the entire certificate chain becomes vulnerable if the CA itself isn’t trusted.
During this process, several key attributes are examined:
- CA Name – Confirms the issuing authority’s identity.
- Public Key – Used to verify the CA’s digital signature and ensure secure encryption.
- Digital Signature – Confirms the certificate hasn’t been tampered with and comes from a legitimate source.
- Serial Number – Identifies the certificate uniquely within the CA system.
- Validity Period – Ensures the certificate is active and has not expired or been revoked.
Certificate Template
A certificate template is a foundational element of the passwordless 802.1X authentication framework. It defines the settings a CA applies when issuing digital certificates, including cryptographic algorithms, validity periods, and access policies. Templates enforce device-based trust by embedding role-based attributes that determine the level of access granted to a device or user.
For example:
- A corporate-managed laptop enrolled via Microsoft Intune might use a template that grants complete VPN and Wi-Fi access, with an extended key usage (EKU) field for client authentication.
- A personal device could receive a certificate from a restricted template, allowing access only to guests or limited VLANs.
SCEP Shared Secret
A shared secret is a case-sensitive password used to authenticate the connection between the SCEP server and the CA. It ensures that only authorized devices can request certificate signing from the CA, acting as a basic verification mechanism.
With our Managed PKI, the device presents this shared secret during the SCEP enrollment process. Once authenticated, the CA issues a certificate directly to the device, enabling secure, policy-backed access to network resources.
SCEP Certificate Request
Once the SCEP Gateway is configured, a shared secret is established between the SCEP server and the CA. You can then create and deploy a configuration profile via your MDM (e.g., Intune, Jamf). This profile enables managed devices to enroll for certificates automatically.
The device sends a certificate request through the SCEP Gateway to the CA during enrollment. After validating the request using the shared secret and policy parameters, the CA issues a signed certificate, which is then installed on the device. This enables secure access to Wi-Fi, VPN, web applications, emails, and code signing without user intervention.
SCEP Signing Certificate
The SCEP signing certificate is issued by the same CA that signs device certificates and includes the entire certificate chain, comprising the signing certificate, Intermediate CA, and Root CA. Select the issuing CA within the SecureW2 management portal to generate a PKCS12 file containing the complete chain, which you can then upload into your MDM for seamless SCEP integration.
How To Configure SCEP Gateways
Here is the configuration process for setting up a SCEP Gateway to distribute certificates:
- Configure the SCEP Gateway API in SecureW2.
  Start in the SecureW2 Management Portal and configure the SCEP Gateway to distribute certificates.
- Generate the Shared Secret and Access Token.
  Use SecureW2’s API token wizard to generate a Shared Secret and Access Token; these are used to assemble the SCEP Gateway URL.
- Build the SCEP URL.
  The SCEP URL is the means of communication with the SCEP Gateway and is constructed by combining the Shared Secret and Access Token.
- Configure the managed devices to use a SCEP-enabled external CA.
  Managed devices typically have a certificate template that you can configure to use a SCEP Gateway. Insert the API URL, which connects the managed devices to the CA and enables the MDM to request that SecureW2 generate client certificates for them.
- Configure the “Payload”, or configuration profile, to include certificates.
  With the managed devices configured to use the SCEP Gateway, the next step initiates enrollment on the devices. You do this by pushing a configuration profile of network settings, or Payload, to the devices; the profile directs them to enroll for certificates using the SCEP Gateway.
- Troubleshoot and manage certificates with SecureW2.
  Once the devices have enrolled for certificates and are connected to the network, the final step is maintaining the network. SecureW2’s management portal enhances network visibility by identifying each device and associating it with a specific network connection. If any connection errors occur, the management portal diagnoses the issue remotely so that a fix can be applied efficiently.
How To Configure SCEP with JAMF and Intune
802.1x Certificate Via SCEP for Jamf Managed Devices
Jamf takes a unique approach to SCEP deployment. It supports SCEP both as a Wi-Fi profile configuration and as a SCEP Proxy configuration. With a SCEP Wi-Fi profile, the device communicates directly with the SCEP Gateway. In contrast, the SCEP Proxy model routes the request through Jamf, adding an extra layer of security that prevents exposure of the SCEP URL and Shared Secret and reduces the risk of unauthorized certificate issuance.
The proxy model is generally preferred, as it keeps sensitive SCEP parameters hidden from the device. Additionally, Jamf supports automatic certificate re-enrollment, making managing expiring certificates at scale easier.
Beyond these features, Jamf’s SCEP implementation aligns with standard MDM practices. SecureW2 provides a separate guide on configuring Jamf with SecureW2.
SCEP Certificate Deployment with Intune
Microsoft Intune stands out for supporting both traditional SCEP workflows and Intune Third-Party CA SCEP. While generic SCEP is still supported, the Third-Party CA configuration introduces a key feature. After receiving the SCEP URL and Shared Secret, Intune verifies device identity against Microsoft Entra ID. This additional validation step ensures that only enrolled, active devices can receive certificates, significantly reducing the risk of certificate issuance through URL or secret compromise.
This integration also supports automatic certificate revocation when a device is disabled, deleted, or fails to maintain real-time network security.
SecureW2 fully supports Intune’s Third-Party CA SCEP configuration, providing the automation, visibility, and control needed for secure certificate lifecycle management at scale.
Common SCEP Issues And Troubleshooting Methods
Some common SCEP issues that arise during certificate configuration are:
- Misconfigured SCEP profiles
- Incorrectly encoded attributes
- Error code audit
Misconfigured SCEP Profiles
In SCEP certificate deployment with Intune, the SCEP certificate profile and the trusted certificate profile must be assigned consistently, to users, to devices, or to both. The table below shows the outcome of each combination of SCEP and trusted certificate profile assignments.
SCEP certificate profile assignment | Trusted certificate profile assignment includes User | Trusted certificate profile assignment includes Device | Trusted certificate profile assignment includes User and Device
--- | --- | --- | ---
Includes the User | Success | Failure | Success
Includes the Device | Failure | Success | Success
Includes User and Device | Success | Success | Success
To troubleshoot profile assignment issues (the same method applies to Android and iOS):
- In the Microsoft Intune admin center, go to Troubleshooting + Support > Troubleshoot.
- Under Troubleshoot, set Assignments to Configuration profiles and validate the assigned profiles.
Once this is done, the user receives their SCEP profile. Verify that the user received the correct profile for their network group only, and check when the device last checked in with Intune.
Encoding An Attribute Accurately
SCEP profiles rely on correctly configured attributes such as the Subject Name (CN), Subject Alternative Name (SAN), Key Storage Provider (KSP), and other certificate fields. If any of these parameters are misconfigured or improperly encoded, the certificate request may fail silently without triggering obvious errors.
Always cross-verify these fields and their formatting during configuration to avoid unnecessary troubleshooting. Ensuring accuracy at this stage can prevent enrollment failures and streamline the issuance of certificates.
Error Codes Audit
Your MDM should provide detailed logs or error codes for failed certificate deployments. Here’s how to analyze and troubleshoot common issues in Microsoft Intune and Jamf Pro environments:
Microsoft Intune
Common error messages:
- “Device Creation Failed”
- “SCEP Enrollment Failed”
To troubleshoot these issues, follow these steps:
- Validate SAN attribute configuration
  Include values in the Subject Alternative Name (SAN) field, typically in email address (RFC822) format, to ensure the SCEP profile is configured correctly. Common attributes include:
  - {{DeviceName}}
  - {{AAD_Device_ID}}
- Check Policy Engine mapping
  Confirm that the Policy Engine Workflow is linked to the Intune API Token as the Identity Provider. Also, verify that:
  - The Enrollment Policy is mapped to the correct User Role.
  - The default Device Role is applied appropriately.
- Verify Trusted Root mapping
  Ensure the Trusted Root CA (used by the RADIUS server certificate) is correctly mapped in the corresponding Wi-Fi profile.
- Isolate the issue
  Temporarily remove the SCEP profile and push another profile (e.g., the Trusted Root CA profile) to validate basic MDM profile deployment.
Jamf Pro
Jamf offers a Debug Logging option to help troubleshoot SCEP or certificate-related issues. However, enabling it may temporarily affect Jamf Pro server performance.
To enable Debug Mode:
- Navigate to Settings → Jamf Pro Information → Jamf Pro Server Logs → Edit.
- Select the Enable Debug Mode checkbox.
- Review the logs for SCEP or profile errors.
- Disable Debug Mode once troubleshooting is complete.
SCEP Is Not Enough To Secure Your Network Anymore
SCEP relies on outdated mechanisms, such as static shared secrets, and lacks native support for secure device validation and automatic certificate renewal. These limitations make SCEP brittle in today’s dynamic enterprise environments, especially when managing thousands of devices across Intune and Jamf.
Misconfigured profiles, silent failures, and manual revocation workflows add operational overhead and create security blind spots that modern IT teams can no longer ignore. With enhanced protocols like ACME and Dynamic SCEP, your network moves beyond static enrollment, adopting short-lived tokens and automated workflows to secure every connection.
What Is Automated Certificate Management Environment (ACME)
The Automated Certificate Management Environment (ACME) is an open protocol designed to automate X.509 certificate operations between clients and CAs over HTTPS. ACME handles the complete certificate lifecycle without manual intervention using standardized JSON-based messages.
It verifies identity through challenges such as domain control or device attestation, ensuring only authorized entities receive certificates. ACME is especially useful in modern deployments where short-lived certificates, automated renewal, and secure provisioning are critical for maintaining device trust.
What Is Dynamic SCEP
Dynamic SCEP enhances the static, shared challenge password used in traditional SCEP with a unique, per-request challenge token generated and signed by the MDM (e.g., Intune or Jamf). This token includes device identity, the token’s expiry time, and certificate template requirements, which are validated by the SCEP gateway.
When the device submits the Certificate Signing Request (CSR), the CA verifies that the token was generated for that request, is correctly bound to the requester, and matches the expected context. Dynamic SCEP ensures that each enrollment is authenticated and time-bound, making it resistant to replay and credential-theft attacks and thereby significantly improving security over static SCEP.
ACME vs SCEP vs Dynamic SCEP: The Shift Toward Modern Certificate Management
Networks are evolving to support BYOD, mobile endpoints, and dynamic access policies, leaving legacy certificate protocols like SCEP inadequate.
ACME vs SCEP
SCEP depends on static shared secrets for authentication, lacks built-in mechanisms for validating device identity or posture, and does not natively support automated certificate renewal. These limitations introduce security risks and operational overhead, making it challenging to scale SCEP in modern, policy-driven environments.
ACME is purpose-built for secure, automated certificate lifecycle management, as it eliminates the need for static shared secrets by using HTTPS-based challenge-response validation. It supports seamless integration with modern MDMs and enables fully automated certificate issuance, renewal, and revocation.
ACME is also compatible with attestation workflows, such as Apple Managed Device Attestation (MDA), ensuring that certificates are only issued to verified, tamper-free devices. This reduces administrative overhead, enforces real-time trust, and minimizes the attack surface.
Dynamic SCEP vs SCEP
Traditional SCEP uses a static challenge password shared across all devices to authenticate certificate requests, which makes deployment straightforward. If that static challenge password is exposed, attackers can impersonate devices and obtain valid certificates, leaving your network open to attack.
Dynamic SCEP addresses this weakness by generating a unique, short-lived challenge password for each certificate request, which is then bound to a verified device or session. This per-request validation not only prevents replay attacks and unauthorized certificate issuance but also adds contextual awareness to the enrollment process, making Dynamic SCEP significantly more secure and better suited for modern, MDM-driven environments.
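The per-request, device-bound, expiring challenge described here (and under “What Is Dynamic SCEP” above), as an added example that is not SecureW2’s, Intune’s or Jamf’s code: the MDM mints an HMAC-signed token and the gateway rejects anything forged, expired, bound to another device or template, or presented twice, while static_scep_check shows the single static challenge it replaces. The token format, the HMAC key shared between MDM and gateway, and the device and template names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def static_scep_check(presented: str, shared_secret: str) -> bool:
    """Traditional SCEP: one static challenge password, accepted from any
    device, for any template, any number of times."""
    return hmac.compare_digest(presented.encode(), shared_secret.encode())

def issue_token(key: bytes, device_id: str, template: str,
                ttl_s: int = 300, now: Optional[float] = None) -> str:
    """MDM side (constructed format): mint a per-request challenge bound to
    one device and one template, with expiry and nonce, signed with HMAC-SHA256."""
    now = time.time() if now is None else now
    claims = {"dev": device_id, "tpl": template,
              "exp": int(now) + ttl_s, "nonce": secrets.token_hex(8)}
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())

class Gateway:
    """SCEP gateway side: accept a CSR only with a valid, unexpired, unused
    token that is bound to the device and template named in the CSR."""
    def __init__(self, key: bytes):
        self.key = key                  # HMAC key shared with the MDM (assumed)
        self.used_nonces = set()        # consumed nonces: defeats replay of a captured token

    def validate(self, token: str, csr_device_id: str, csr_template: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            body, tag = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(tag)):
                return False, "bad signature"       # not minted by the MDM we trust
            claims = json.loads(_b64d(body))
        except ValueError:                          # wrong shape, bad base64 or bad JSON
            return False, "malformed token"
        if claims["exp"] < now:
            return False, "token expired"
        if claims["dev"] != csr_device_id:
            return False, "token not bound to this device"
        if claims["tpl"] != csr_template:
            return False, "template mismatch"
        if claims["nonce"] in self.used_nonces:
            return False, "replayed token"
        self.used_nonces.add(claims["nonce"])       # consume it: one enrollment per token
        return True, "ok"
```

In a real gateway the consumed-nonce set would live in shared storage so that replay detection holds across gateway instances.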
SCEP, ACME and Dynamic SCEP Compared
Feature | SCEP | ACME | Dynamic SCEP (SecureW2)
--- | --- | --- | ---
Protocol | Legacy (designed for early PKI automation) | Modern (developed by ISRG for Let’s Encrypt) | Modernized SCEP with SecureW2 enhancements
Primary Use Case | Basic certificate enrollment for MDMs | Full certificate lifecycle automation | Certificate enrollment + real-time policy enforcement
Authentication | Static shared secret | HTTPS with challenge-response validation | Shared secret + identity & policy checks via IdP
Lifecycle Management | Manual certificate management | Fully automated issuance, renewal, and revocation | Automated issuance + policy-based renewal
Device Validation | None | Supports device attestation (e.g., Apple MDA) | Role & posture-based validation via IdP and MDM
Security Level | Vulnerable if the shared secret is exposed | Uses TLS/HTTPS with domain/device validation | Cloud-hosted, policy-driven access control
Renewal & Revocation | Manual or MDM-driven | Automatic, short-lived certificates | Automated with real-time revocation triggers
Unique Advantages | Simple, widely supported | Full automation + device attestation | Adds policy enforcement & IdP integration to SCEP
How Can Organizations Use SCEP and ACME Together?
As an organization, you can combine SCEP and ACME for a flexible, secure approach to certificate management. Organizations can deploy Wi-Fi or VPN certificates to managed devices by configuring a SCEP profile in Intune and integrating with our SCEP Gateway API. Jamf Pro supports SCEP for older macOS devices, utilizing either a SCEP payload or proxy configuration, which enables the MDM to securely handle enrollment without exposing the SCEP secret directly to the device.
ACME is ideal for modern macOS/iOS devices managed by Jamf, where support for Apple MDA enables the issuance of cryptographically verifiable certificates.
SecureW2 integrates ACME into this workflow, allowing Jamf to push a profile that triggers the device to validate itself using the Secure Enclave before issuing a certificate. ACME enables certificate management in Intune environments for mobile devices where auto-renewal and short-lived certificates are preferred. By deploying both protocols in parallel, you can ensure each device is routed to the appropriate certificate issuance path.
Automate Certificate Management With SecureW2’s Managed Gateway APIs
Automating certificate management with a modern SCEP Gateway streamlines enrollment, renewal, and revocation, while reducing the risks of manual errors and the costs associated with maintaining legacy systems. Unlike traditional SCEP, which relies on static shared secrets, SecureW2’s Dynamic SCEP implementation issues unique, short-lived challenge tokens for each request. This ensures that every certificate is cryptographically validated and bound to a verified device.
Our SCEP Gateway integrates seamlessly with leading MDMs like Jamf and Intune, enabling secure, automated onboarding of managed devices. This policy-driven approach provides organizations with the visibility, control, and flexibility needed to enforce device trust at scale.
Explore effective SCEP options and automate your certificate infrastructure for enhanced security and efficiency.