macOS
The following article describes how to deploy device and/or user certificates to macOS devices. Deploying the SCEPman Root Certificate is mandatory. Afterward, you can choose to deploy only device certificates, only user certificates, or both.
The basis for deploying SCEP certificates is to trust the public root certificate of SCEPman. Therefore, you have to download the CA Root certificate and deploy it as a Trusted certificate profile via Microsoft Intune:
- Download the CA Certificate from SCEPman portal:
- Create a profile for macOS with type Trusted certificate in Microsoft Intune:

- Upload your previously downloaded .cer file.
- Now you can deploy this profile to your devices. Please choose All Users and/or All Devices or a dedicated group for assignment.
Note that you have to use the same group for assigning the Trusted certificate profile and the SCEP profile. Otherwise, the Intune deployment might fail.
- Open the SCEPman portal and copy the URL under Intune MDM:

- Create a profile for macOS with type SCEP certificate in Microsoft Intune:

- Configure the profile as described:
SCEPman uses the CN field of the subject to identify the device and as a seed for the certificate serial number generation. Azure AD and Intune offer two different IDs:
- {{DeviceId}}: This ID is generated and used by Intune (recommended; requires SCEPman 2.0 or higher and AppConfig:IntuneValidation:DeviceDirectory set to Intune or AADAndIntune)
- {{AAD_Device_ID}}: This ID is generated and used by Azure AD. (Note: When using Automated Device Enrollment via Apple Business Manager, this ID might change during device setup. If so, SCEPman might not be able to identify the device afterwards. The certificate would become invalid in that case.)
You can add other RDNs if needed, e.g.:
CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}
Supported variables are listed in the Microsoft docs.
The URI field is recommended by Microsoft for NAC solutions to identify the devices based on their Intune Device ID.
Other SAN values like DNS can be added if needed.
macOS devices ignore the validity period configured via Intune. Please make sure to configure AppConfig:ValidityPeriodDays to a fixed value. You can leave the certificate validity period setting in the profile at 1 year because Intune ignores it anyway.
Also note that certificates on macOS are only renewed by Intune when the device is unlocked, online, syncing and within the renewal threshold. If a certificate has already expired (e.g. because the device was offline and/or locked for a long time), it will not be renewed anymore. Therefore, we recommend choosing a higher value here.
This value defines when the device is allowed to renew its certificate (based on the remaining lifetime of the existing certificate). Please read the note under Certificate validity period and select a value that allows the device to renew the certificate over a long period. A value of 50% would allow a device with a certificate valid for 1 year to start renewal 182 days before expiration.
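As an added illustration of the renewal behaviour described above (example code, not part of the SCEPman documentation), the following script models when Intune may renew a macOS certificate for a given validity period and renewal threshold, and shows how a device that was offline for a few months misses the window at 20% but not at 50%. The issue date and sync dates are constructed.

```python
from datetime import date, timedelta

# Constructed scenario (not from the page): a device certificate issued on
# 2024-01-01 with the 1-year validity fixed via AppConfig:ValidityPeriodDays,
# and the dates on which the device was unlocked, online and syncing with Intune.
ISSUED = "2024-01-01"
VALIDITY_DAYS = 365
SYNC_DATES = ["2024-03-10", "2024-09-15", "2025-01-15"]  # offline Sep 15 -> Jan 15


def renewal_window(issued: str, validity_days: int, threshold_percent: int):
    """Return (renewal_start, not_after) as ISO date strings.

    The Intune renewal threshold is the percentage of the certificate lifetime
    that may remain before the device is allowed to request renewal, so the
    window opens validity_days * threshold_percent / 100 days before expiry.
    """
    not_before = date.fromisoformat(issued)
    not_after = not_before + timedelta(days=validity_days)
    lead_days = validity_days * threshold_percent // 100
    renewal_start = not_after - timedelta(days=lead_days)
    return renewal_start.isoformat(), not_after.isoformat()


def first_renewal_sync(issued, validity_days, threshold_percent, sync_dates):
    """First sync at which Intune would renew, or None if the certificate
    expires before an eligible sync (expired certificates are not renewed)."""
    start, not_after = renewal_window(issued, validity_days, threshold_percent)
    for day in sorted(sync_dates):
        if start <= day < not_after:  # ISO date strings sort chronologically
            return day
    return None


if __name__ == "__main__":
    for threshold in (20, 50):
        start, expiry = renewal_window(ISSUED, VALIDITY_DAYS, threshold)
        renewed = first_renewal_sync(ISSUED, VALIDITY_DAYS, threshold, SYNC_DATES)
        print(f"threshold {threshold}%: window {start} .. {expiry}, "
              f"renewed on {renewed or 'never (expired while offline)'}")
```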
Example
https://scepman.contoso.com/certsrv/mscep/mscep.dll

- Now you can deploy this profile to your devices. Please choose the same group(s) for assignment as for the Trusted certificate profile.
The following section shows how you can deploy user certificates via an Intune certificate profile on macOS 10.12 (or later) devices.
Please note: certificates provisioned through the SCEP protocol, regardless of their type (user or device), are always placed in the system keychain (System store) of the device.
If a third-party application (e.g. a third-party VPN client) requires access to such a certificate, the Allow all apps access to private key slider in the keychain must be enabled.
You can define RDNs based on your needs. Supported variables are listed in the Microsoft docs. We recommend including the username (e.g. janedoe) and the email address (e.g. [email protected]) as a baseline setting.
SCEPman uses the UPN in the SAN to identify the user and as a seed for the certificate serial number generation (e.g.: [email protected]).
Other SAN values like Email address can be added if needed.
