Adding a SCEP profile to iOS MDM devices
These settings apply to supervised devices and devices operating in basic control mode.
You have to add a SCEP profile to enable the iOS MDM device user to automatically receive certificates from the Certification Center via the internet. The SCEP profile enables support of the Simple Certificate Enrollment Protocol.
A SCEP profile with the following settings is added by default:
- The alternative subject name is not used for registering certificates.
- Three attempts are made at 10-second intervals to poll the SCEP server. If all attempts to sign the certificate fail, you have to generate a new certificate signing request.
- The received certificate cannot be used for data signing or encryption.
You can edit the specified settings when adding the SCEP profile.
To add a SCEP profile:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Device configuration section.
- On the SCEP card, click Settings.
The SCEP window opens.
- Enable the settings using the SCEP toggle switch.
- Click Add.
The Add SCEP profile window opens.
- In the SCEP Server section, specify the following SCEP server settings:
  - In the Configuration name field, specify the name of the Certification Center deployed on the SCEP server. The Certification Center supplies the user of an iOS MDM device with certificates using the Simple Certificate Enrollment Protocol (SCEP).
  - In the Server URL field, enter the web address of the SCEP server on which the Certification Center is deployed.
    The URL can contain the IP address or the full domain name (FQDN). For example, http://10.10.10.10/certserver/companyscep.
  - In the Maximum number of polling attempts field, specify the maximum number of attempts to poll the SCEP server to get the certificate signed. By default, the value is 3 attempts.
    If all attempts to sign the certificate fail, you have to generate a new certificate signing request.
  - In the Polling interval (sec) field, specify the number of seconds between attempts to poll the SCEP server to get the certificate signed. By default, the value is 10 seconds.
  - In the Static challenge phrase field, enter a pre-published registration key.
    Before signing a certificate, the SCEP server prompts the mobile device user to enter the key. If this field is left blank, the SCEP server does not request the key.
  - In the Method for uploading certificate thumbprint drop-down list, select how to add a certificate thumbprint. You can use certificate thumbprints based on the SHA-1 or MD5 hashing algorithm.
    - If you selected the Manually option, in the Certificate thumbprint field that appears, enter a unique certificate thumbprint for verifying the authenticity of the response from the Certification Center.
    - If you selected the From file option, upload a CER, KEY, or PEM file. The thumbprint will be generated and added automatically.
    The certificate thumbprint has to be specified if data exchange between the mobile device and the Certification Center takes place via the HTTP protocol.
- In the Subject section, specify the following settings:
  - In the Subject Name field, enter a string with the attributes of the iOS MDM device user that are contained in the X.500 certificate.
    Attributes can contain details of the country (C), locality (L), state (ST), organization (O), organization unit (OU), and common user name (CN). For example, /C=RU/O=MyCompany/CN=User/. You can also use other attributes specified in RFC 5280.
    Attributes are used by DNS services to validate the certificate issued by the Authentication Authority at the user's request.
  - Click the Add Subject Alternative Name button to add a field for specifying the subject alternative name:
    - In the Type of Subject Alternative Name drop-down list that appears, select the type of subject alternative name for the SCEP server. You can add only one alternative name of each type.
      You can use a subject alternative name to identify the user of the iOS MDM device. By default, identification based on the alternative name is not used.
      - DNS name. Identification using the domain name.
      - NT Principal Name. DNS name of the iOS MDM device user on the Windows NT network. The NT subject name is contained in the certificate request sent to the SCEP server. You can also use the name of the NT subject to identify the user of the iOS MDM device.
      - Email address. Identification using the email address. The email address must be specified according to RFC 822.
      - Uniform Resource Identifier (URI). Identification using the IP address or address in FQDN format.
    - In the Subject Alternative Name field, enter the alternative name of the subject of the X.500 certificate. The value of the subject alternative name depends on the selected subject type: the user's email address, domain, or web address.
- In the Key section, configure the encryption key settings:
  - In the Key size (bit) drop-down list, select the size of the registration key in bits: 1024, 2048, or 4096. The default value is 1024 bits.
  - If you want to allow the user to use a certificate received from the SCEP server as a signing certificate, select the Use as digital signature check box.
    Data signing protects data against modification. For example, Safari can validate the authenticity of the certificate and establish a safe data exchange session.
  - If you want to allow the user to use a certificate received from the SCEP server for data encryption, select the Use for encryption check box.
    Data encryption also protects confidential data during data exchange over a network. For example, Safari can establish a secure data exchange session using encryption. This guarantees website authenticity and confirms that the connection to the website is encrypted to prevent interception of personal and confidential data.
    You cannot simultaneously use the SCEP server certificate as a data signing certificate and a data encryption certificate.
  - If you want to allow all installed apps to access the private key from the SCEP server certificate, select the Allow all apps to access private key check box.
  - If you do not want the private key to be exported from the keychain, select the Prohibit exporting private key from the keychain check box.
- Click Add.
The new SCEP profile appears in the list.
You can modify or delete SCEP profiles in the list using the Edit and Delete buttons at the top of the list.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with the iOS MDM Server.
As a result, once the policy is applied, the user's mobile device is configured to automatically receive a certificate from the Certification Center via the internet.
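As an added example that is not part of the Kaspersky documentation or product, the following Python script pre-checks the values of a SCEP profile against the rules stated in the procedure above before they are entered in the console: it parses the slash-separated Subject Name string, computes the SHA-1 or MD5 thumbprint of a CER/PEM file so the value typed under the Manually option can be compared with it, and reports a thumbprint that is missing over plain HTTP, a key size outside 1024/2048/4096, a certificate marked for both signing and encryption, and a second subject alternative name of the same type. The profile dictionary keys, the sample certificate bytes and the sample profile are all constructed for this example; the server URL is the one shown on the page.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Subject attribute types named on this page; RFC 5280 permits others, so an
# unknown type is only reported as a warning.
KNOWN_SUBJECT_ATTRS = {"C", "L", "ST", "O", "OU", "CN"}
ALLOWED_KEY_SIZES = {1024, 2048, 4096}
# Subject alternative name types offered by the profile (these keys are hypothetical).
SAN_TYPES = {"dns", "nt_principal_name", "email", "uri"}
THUMBPRINT_RE = re.compile(r"^(?:[0-9A-F]{32}|[0-9A-F]{40})$")  # MD5 or SHA-1 hex


def parse_subject_name(subject):
    """Split '/C=RU/O=MyCompany/CN=User/' into ordered (attribute, value) pairs."""
    pairs = []
    for part in subject.strip("/").split("/"):
        if not part:
            continue  # tolerate a doubled slash
        if "=" not in part:
            raise ValueError(f"attribute without '=': {part!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in {part!r}")
        pairs.append((attr, value))
    if not pairs:
        raise ValueError("subject name has no attributes")
    return pairs


def certificate_thumbprint(data, algorithm="sha1"):
    """Thumbprint (upper-case hex) of a certificate given as PEM text or DER bytes.

    A thumbprint is the hash of the DER encoding, so a PEM file is unwrapped and
    base64-decoded first; raw bytes are treated as DER already.
    """
    if algorithm not in ("sha1", "md5"):
        raise ValueError("the profile accepts SHA-1 or MD5 thumbprints only")
    if isinstance(data, str):
        data = data.encode()
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    return hashlib.new(algorithm, der).hexdigest().upper()


def check_scep_profile(profile):
    """Return the list of rule violations found in a profile dict (constructed schema)."""
    problems = []
    url = urlparse(profile["server_url"])
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("server_url must be an http(s) URL with an IP address or FQDN")
    thumbprint = profile.get("thumbprint", "").replace(":", "").upper()
    if url.scheme == "http" and not thumbprint:
        problems.append("thumbprint is required when the SCEP server is reached over HTTP")
    if thumbprint and not THUMBPRINT_RE.match(thumbprint):
        problems.append("thumbprint must be a SHA-1 (40 hex) or MD5 (32 hex) digest")
    if profile["key_size"] not in ALLOWED_KEY_SIZES:
        problems.append(f"key_size must be one of {sorted(ALLOWED_KEY_SIZES)}")
    if profile.get("use_for_signing") and profile.get("use_for_encryption"):
        problems.append("a certificate cannot be used for both signing and encryption")
    if profile["polling_attempts"] < 1 or profile["polling_interval_sec"] < 1:
        problems.append("polling attempts and interval must be at least 1")
    try:
        for attr, _ in parse_subject_name(profile["subject_name"]):
            if attr not in KNOWN_SUBJECT_ATTRS:
                problems.append(f"warning: {attr} is not C/L/ST/O/OU/CN; allowed only if RFC 5280 defines it")
    except ValueError as exc:
        problems.append(f"subject_name: {exc}")
    seen = set()
    for san_type, san_value in profile.get("subject_alt_names", []):
        if san_type not in SAN_TYPES:
            problems.append(f"unknown subject alternative name type {san_type!r}")
        elif san_type in seen:
            problems.append(f"only one subject alternative name of type {san_type!r} is allowed")
        seen.add(san_type)
        if san_type == "email" and "@" not in san_value:
            problems.append(f"email alternative name {san_value!r} is not an RFC 822 address")
    return problems


# Constructed stand-in for a CER/PEM file: the body is the base64 of the bytes
# b"abc", NOT a real certificate, so the thumbprints are the standard test
# vectors SHA-1("abc") and MD5("abc").
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Constructed profile that follows every rule on this page (URL taken from the page).
SAMPLE_PROFILE = {
    "server_url": "http://10.10.10.10/certserver/companyscep",
    "thumbprint": certificate_thumbprint(SAMPLE_PEM),
    "polling_attempts": 3,
    "polling_interval_sec": 10,
    "subject_name": "/C=RU/O=MyCompany/CN=User/",
    "subject_alt_names": [("email", "user@example.com")],
    "key_size": 2048,
    "use_for_signing": True,
    "use_for_encryption": False,
}

if __name__ == "__main__":
    print("thumbprint:", SAMPLE_PROFILE["thumbprint"])
    print("problems:", check_scep_profile(SAMPLE_PROFILE) or "none")
```

Run the script against a profile dictionary before filling in the Add SCEP profile window; an empty list means every rule the page states is satisfied, and a `warning:` entry flags a subject attribute the console may still accept under RFC 5280.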