Kandji

This feature requires version 1.6 or above.
SCEPman can be connected to Kandji as External CA. Via SCEPman's static interface and a challenge password enrolled devices will be able to obtain certificates.
For more general information about 3rd-party MDM solutions and SCEPman integration please check here.
Enable Kandji Integration
Kandji integration of SCEPman can be easily enabled via the following app configurations:
Setting
Description
Value
​AppConfig:StaticValidation:Enabled​
Enable the 3rd-party validation
true to enable, false to disable
​AppConfig:StaticValidation:RequestPassword​
Certificate signing requests sent to SCEPman for signing are authenticated with this secure static password

Recommendation: Store this secret in Azure KeyVault.
generate a 32 character password
​AppConfig:StaticValidation:ValidityPeriodDays (optional)
How many days shall certificates issued via Mosyle be valid
365
​AppConfig:StaticValidation:EnableCertificateStorage (optional)
Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master
true to enable, false to disable
After adding or editing SCEPman configuration parameters, you need to restart the Aapp Service.
Kandji Configuration
SCEPman Root Certificate
As a first step, you need to deploy SCEPman root certificate. Download this CA certificate via the SCEPman website:
SCEPman Website
In Kandji, navigate to Library on the left navigation bar and add a Certificate Library Item to your Blueprint.
Configure a Certificate Payload
To upload the certificate, first select PKCS #1-formatted certificate under Certificate type, secondly provide an optional name, upload your SCEPman CA certificate and eventually save it.
Adding the SCEPman Root CA Certificate
SCEP Profile
The second step is to add a SCEP Profile to your Blueprint. Therefore, add a new SCEP Library Item and configure it as below:
URL: **** The static SCEP endpoint of SCEPman you configured above​
Name: An optional SAN attribute
Challenge: Is required to authenticate CSR requests sent to SCEPman's static SCEP interface. It must match the value you have configured above.
Fingerprint: Optional CA fingerprint. It is highly recommended to configure this value as it provides an additional level of security. You can find it on your SCEPman website as CA Thumbprint.
Subject: Optional subject name. CN=$PROFILE_UUID will be automatically added from Kandji as default common name. Kandji allows you to add multiple CNs.
We have seen cases where macOS and iOS had problems in auto-selecting client certificates for network authentication purposes where more than two CNs were added.
Key Size: 2048
Key Usage: Both, signing and encryption
For more information please check Kandji's documentation.
Adding a SCEP Profile
SCEP Profile Configuration
SCEP Profile Configuration
SCEP Profile Configuration
Deployment Status
After saving the certificate or SCEP profile, switch to Status to check the deployment status on Blueprints assigned devices.
Deployment Status

Setting	Description	Value
AppConfig:StaticValidation:Enabled	Enable the 3rd-party validation	*true* to enable, *false* to disable
AppConfig:StaticValidation:RequestPassword	Certificate signing requests sent to SCEPman for signing are authenticated with this secure static password Recommendation: Store this secret in Azure KeyVault.	generate a 32 character password
AppConfig:StaticValidation:ValidityPeriodDays (optional)	How many days shall certificates issued via Mosyle be valid	365
AppConfig:StaticValidation:EnableCertificateStorage (optional)	Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master	*true* to enable, *false* to disable

Last modified 12d ago