
Using a SCEP Gateway to Distribute Certificates to Managed Devices

Efficiency is at the core of business technology, and requiring IT to manually onboard managed devices for secure network access significantly hinders progress. A solution to this inefficient process would be to automatically distribute network settings and a secure certificate to protect the device from a wide array of credential theft attacks.

SCEP Gateways for Managed Device Management (MDM)

The key to accomplishing this is to use a SCEP Gateway to push a configuration profile to managed devices that enables them to request a certificate with no end-user interaction. This method avoids the risk of devices being configured incorrectly and ensures that all MDM users land on the secure SSID. The primary benefit, though, is the rapid enrollment process that gets managed devices securely onboarded to the network with no interaction on the client side.

Certificates as a security measure are miles ahead of credentials when it comes to securing a wireless network. When an organization with a WPA2-Enterprise network uses certificate-based authentication, their end users immediately notice that the authentication process is faster and simpler. The user is rapidly connected as the device performs a TLS handshake when it is in range of the network.

On the administrative side, certificates vastly improve network visibility by enabling DPI SSL and offering a more comprehensive identity context. When a certificate is distributed to a user, it is encoded with both the device identity and the user identity, allowing for accurate identification in the management portal. This attaches a user name and a device to each monitored network connection and eases troubleshooting, since the management portal identifies and diagnoses any connection issues that occur.

If an organization decides to deploy a network secured by certificates, why does it need to enroll managed devices for certificates automatically, without the end user? Despite their numerous security, efficiency, and visibility benefits, many have avoided certificates because of their complex configuration process. The process requires high-level IT knowledge that an average user would not have and could easily get wrong. If that happens, all the benefits go out the window.

Using a SCEP Gateway to enable managed devices to request certificates automatically is also much faster than requiring IT to configure devices. Especially if it’s a large volume of devices, the option of using IT to configure is far too inefficient to be viable.

What’s a SCEP Gateway?

As stated previously, if the goal is to distribute certificates to managed devices with no end-user interaction, the key is the use of a SCEP Gateway; but what is a SCEP Gateway and how does it work? Simply put, a SCEP Gateway is a communication endpoint, built on the Simple Certificate Enrollment Protocol (SCEP), that pulls certificates from a designated certificate authority (CA) and distributes them. The SCEP Gateway is made up of an access token, a shared secret, an API URL, and a certificate authority.

SCEP works with managed-device (MDM) vendors such as JAMF and AirWatch, while environments built on Microsoft GPO and Active Directory can use the Microsoft WSTEP protocol instead.

Outline for Configuring SCEP Gateways

The configuration process for setting up a SCEP Gateway to distribute certificates follows this outline:

  1. Configure the SCEP Gateway API in SecureW2.
    • Begin in the SecureW2 Management Portal and configure the SCEP Gateway that will be used to distribute certificates.
  2. Generate the Shared Secret and Access Token.
    • Here you will use SecureW2’s API token wizard to generate a Shared Secret and Access Token that will be used to assemble the SCEP Gateway.
  3. Build the SCEP URL.
    • The SCEP URL is the avenue to be used to communicate with the SCEP Gateway and is built by connecting the Shared Secret and Access Token.
  4. Configure the managed devices to use a SCEP-Enabled external CA.
    • Managed devices typically have a certificate template that you can configure to use a SCEP Gateway. Insert the API URL, which connects the managed devices to the CA and allows the MDM to request that SecureW2 generate client certificates for them.
  5. Configure the “Payload”, or Configuration profiles, to include certificates.
    • The managed devices have been configured to use the SCEP Gateway to generate certificates, so the next command is to get the devices to initiate the enrollment process. This is accomplished by pushing a configuration profile of network settings, or Payload, to the devices that directs them to enroll for certificates using the SCEP Gateway.
  6. Troubleshooting and Managing Certificates with SecureW2.
    • Once the devices have enrolled for certificates and are connected to the network, the final step begins: maintaining the network. SecureW2’s management portal improves network visibility, identifying each device and tying it to a network connection. If any connection errors occur, the management portal diagnoses the issue remotely, allowing for an efficient fix to be implemented.
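As an added example (not SecureW2’s code, and not its real URL format), here is what steps 4 and 5 can look like for an Apple device: a Python script that assembles a configuration profile carrying a SCEP enrollment payload and a Wi-Fi payload pinned to EAP-TLS that uses the enrolled identity. The SCEP URL, shared secret (challenge) and SSID are placeholders supplied by the caller, and a pre-push check confirms the two payloads are linked correctly.

```python
import plistlib
import uuid


def build_profile(scep_url, challenge, ssid):
    """Return a .mobileconfig (XML plist) with a SCEP payload and a Wi-Fi payload
    that uses the SCEP-enrolled identity for EAP-TLS. Inputs are placeholders."""
    scep_uuid = str(uuid.uuid4())
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep",
        "PayloadUUID": scep_uuid,
        "PayloadContent": {
            "URL": scep_url,          # SCEP Gateway URL built in step 3
            "Challenge": challenge,   # shared secret authorizing the request
            "Key Type": "RSA",
            "Keysize": 2048,
            "Subject": [[["CN", "%ComputerName%"]]],  # device identity in the cert
        },
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi",
        "PayloadUUID": str(uuid.uuid4()),
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {"AcceptEAPTypes": [13]},  # 13 = EAP-TLS only
        "PayloadCertificateUUID": scep_uuid,  # identity comes from the SCEP payload
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep-wifi",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadContent": [scep_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def check_profile(data):
    """Pre-push check: Wi-Fi payload must reference the SCEP payload and allow only EAP-TLS."""
    payloads = {p["PayloadType"]: p for p in plistlib.loads(data)["PayloadContent"]}
    scep = payloads["com.apple.security.scep"]
    wifi = payloads["com.apple.wifi.managed"]
    return (wifi["PayloadCertificateUUID"] == scep["PayloadUUID"]
            and wifi["EAPClientConfiguration"]["AcceptEAPTypes"] == [13])
```

In a real deployment the MDM signs this profile and also ships a trusted-root payload for the RADIUS server certificate, so the device can verify the server during the TLS handshake described above.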

Using a SCEP Gateway for certificate distribution to managed devices demonstrates a commitment to creating a more efficient and secure wireless network. Once the configuration is complete and certificates have been distributed, the network is protected against a wide array of hacking attacks.

Without a SCEP Gateway, distributing certificates to managed devices can be a difficult and complex process, often resulting in incorrect configurations and the loss of security benefits. To keep your network secure and ensure that only approved devices gain access, distributing certificates through a SCEP Gateway is a reliable approach to improving network safety.



Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
