# iOS/iPadOS
The following article describes how to deploy a device and/or user certificates for iOS and iPadOS devices. The deployment of the SCEPman Root Certificate is mandatory. Afterward, you can choose between deploying only the device, user, or even both certificate types.
{% hint style="warning" %}
Please note that iOS and iPadOS enroll a separate client authentication certificate(s) for each device configuration profile in which a SCEP profile is referenced, in addition to the actual SCEP certificate profile. See [here](https://learn.microsoft.com/en-us/intune/intune-service/protect/certificates-profile-scep#assign-the-certificate-profile)
{% endhint %}
## Root Certificate
The basis for deploying SCEP certificates is to trust the root certificate of SCEPman. Therefore, you have to download the CA Root certificate and deploy it as a **Trusted certificate** profile via Microsoft Intune:
* [ ] Download the CA Certificate from SCEPman portal:
* [ ] Create a profile for iOS/iPadOS with type **Trusted certificate** in Microsoft Intune:
* [ ] Upload your previously downloaded **.cer file**.
* [ ] Now you can deploy this profile to your devices. Please choose All Users and/or All Devices or a dedicated group for assignment.
{% hint style="info" %}
Note that you have to use the **same group for assigning** the **Trusted certificate** and **SCEP profile**. Otherwise, the Intune deployment might fail.
{% endhint %}
## Device certificates
* [ ] Open the SCEPman portal and copy the URL under **Intune MDM**:
* [ ] Create a profile for iOS/iPadOS with type **SCEP certificate** in Microsoft Intune:
* [ ] Configure the profile as described:
Certificate type: Device
In this section we are setting up a device certificate.
Subject name format: CN={{DeviceId}} or CN={{AAD_Device_ID}}
SCEPman uses the CN field of the subject to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs:
* {{DeviceId}}: This ID is generated and used by Intune **(Recommended)**\
\
(requires SCEPman 2.0 or higher and [#appconfig-intunevalidation-devicedirectory](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/intune-validation#appconfig-intunevalidation-devicedirectory "mention") to be set to **Intune** or **AADAndIntune**)
* {{AAD\_Device\_ID}}: This ID is generated and used by Microsoft Entra ID (Azure AD).\
\
(Note: When using Automated Device Enrollment via Apple Business Manager, this ID might change during device setup. If so, SCEPman might not be able to identify the device afterwards. The certificate would become invalid in that case.)
You can add other RDNs if needed (e.g.: `CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}`). Supported variables are listed in the [Microsoft docs](https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#create-a-scep-certificate-profile).
Subject alternative name: URI Value:IntuneDeviceId://{{DeviceId}}
The URI field is [recommended by Microsoft](https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696) for NAC solutions to identify the devices based on their Intune Device ID.
Other SAN values like DNS can be added if needed.
Certificate validity period: 1 years
**Important:** iOS/iPadOS devices ignore the configuration of the validity period via Intune. Please make sure, to configure [#appconfig-validityperioddays](https://docs.scepman.com/scepman-configuration/application-settings/certificates#appconfig-validityperioddays "mention") to a fixed value. We recommend 2 years, so you have to set this variable in SCEPman configuration to 730 days. But you can leave the certificate validity period setting to 1 year because Intune ignores it anyway.\
\
**I****mportant:** Also note, that **certificates on iOS/iPadOS are only renewed** by Intune when the device is **unlocked, online, syncing and in scope of the renewal threshold**. If certificates are expired (e.g.: device was offline and/or locked for a long time), they won't be renewed any more. Therefore, we recommend to choose an higher value here.
Key usage: Digital signature and key encipherment
Please activate both cryptographic actions.
Key size (bits): 2048
SCEPman supports 2048 bits.
Root Certificate: Profile from previous step
Please select the Intune profile from [#root-certificate](#root-certificate "mention").
Extended key usage: Client Authentication, 1.3.6.1.5.5.7.3.2
Please choose **Client Authentication (1.3.6.1.5.5.7.3.2)** under **Predefined values**. The other fields will be filled out automatically.
**Important:** iOS/iPadOS devices do not support any Extended Key Usages (EKUs) other than `Client Authentication` . This means that any other EKUs configured in this profile will be ignored.
Renewal threshold (%): 50
This value defines when the device is allowed to renew its certificate (based on remaining lifetime of existing certificate). Please read the note under **Certificate validity period** and select a suitable value that allows the device the renew the certificate over a long period. A value of 50% would allow the device with a 1 years valid certificate to start renewal 182 days before expiration.
SCEP Server URLs: Open the SCEPman portal and copy the URL of Intune MDM
**Example**
```
https://scepman.contoso.com/certsrv/mscep/mscep.dll
```
{% hint style="info" %}
With our stated settings, we fulfill [Apples certificate requirements](https://support.apple.com/en-us/HT210176).
{% endhint %}
### Example
* [ ] Now you can deploy this profile to your devices. Please choose the same group/s for assignment as for the Trusted certificate profile.
## User Certificates
Please follow the instructions of [#device-certificates](#device-certificates "mention") and take care of the following differences:
Certificate type: User
In this section we are setting up a user certificate.
Subject name format: CN={{UserName}},E={{EmailAddress}}
You can define RDNs based on your needs. Supported variables are listed in the [Microsoft docs](https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#create-a-scep-certificate-profile). We recommend to include the username (e.g.: janedoe) and email address (e.g.: ) as baseline setting.
Subject alternative name: UPN Value: {{UserPrincipalName}}
SCEPman uses the UPN in the SAN to identify the user and as a seed for the certificate serial number generation (e.g.: ).\
\
Other SAN values like Email address can be added if needed.
{% hint style="info" %}
With our stated settings, we fulfill [Apples certificate requirements](https://support.apple.com/en-us/HT210176)
{% endhint %}
### Example
