macOS
Deploy certificates to MacOS devices via SCEP in Intune using SCEPman.
The following article describes how to deploy device and/or user certificates to macOS devices. Deploying the SCEPman Root Certificate is mandatory. Afterward, you can choose to deploy device certificates, user certificates, or both.
The basis for deploying SCEP certificates is to trust the root certificate of SCEPman. Therefore, you have to download the CA Root certificate and deploy it as a Trusted certificate profile via Microsoft Intune:
The following section shows how to deploy user certificates via an Intune certificate profile on macOS 10.12 (or later) devices.
Please note: Certificates provisioned through the SCEP protocol, regardless of their type (user or device), are always placed in the system keychain (System store) of the device.
If a third-party application (e.g. a third-party VPN client) requires access to such a certificate, the slider Allow all apps access to private key in the keychain must be enabled.
{{DeviceId}}: This ID is generated and used by Intune.
(requires SCEPman 2.0 or higher and to be set to Intune or AADAndIntune)
Important: The choice of the CN field affects the of certificates issued to your Intune-managed devices.
You can add other RDNs if needed (e.g.: CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}). Supported variables are listed in the .
The URI field is used by NAC solutions to identify devices based on their Intune Device ID.
Important: macOS devices ignore the validity period configured via Intune. Please make sure to configure to a fixed value. You can leave the certificate validity period setting at 1 year because it will be ignored anyway.
Important: Also note that certificates on macOS are only renewed by Intune when the device is unlocked, online, syncing, and within the renewal threshold. If certificates have already expired (e.g. the device was offline and/or locked for a long time), they will not be renewed anymore. Therefore, we recommend choosing a higher value here.
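As an added example (not SCEPman's or Intune's own code), the following Python script applies the two caveats above: it expands a subject name format template with the Intune variables this page names, refusing any unresolved placeholder, and classifies a certificate against the renewal threshold so that an expired certificate is reported as needing a fresh profile push rather than a renewal. It assumes dates as ISO 8601 strings in UTC, that Intune's renewal threshold is a percentage of the certificate lifetime, and that the supported-variable set is only the partial list on this page.

```python
"""Added example (not SCEPman's or Intune's code), standard library only.
Assumptions: ISO 8601 UTC date strings; the renewal threshold is a percentage
of the certificate lifetime; SUPPORTED_VARIABLES is only the partial list
named on this page, not Intune's full list."""
import re
from datetime import datetime, timezone


def _parse(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def renewal_state(not_before: str, not_after: str, now: str,
                  renewal_threshold_pct: int = 20) -> str:
    """Classify a certificate as 'valid', 'renew' or 'expired' at `now`.

    macOS only renews while unlocked, online, syncing and inside the renewal
    threshold; an expired certificate is never renewed, so 'expired' means
    the device needs a new profile push, not a renewal."""
    nb, na, t = _parse(not_before), _parse(not_after), _parse(now)
    if t >= na:
        return "expired"
    lifetime = na - nb
    remaining = na - t
    # Renewal starts once less than threshold% of the lifetime remains.
    if remaining <= lifetime * (renewal_threshold_pct / 100):
        return "renew"
    return "valid"


SUPPORTED_VARIABLES = {"DeviceId", "WiFiMacAddress"}  # assumption: partial list


def render_subject(template: str, device: dict) -> str:
    """Expand {{Variable}} placeholders in an Intune subject name format.

    An unsupported or unknown variable raises instead of ending up as a
    literal '{{...}}' in the subject of the issued certificate."""
    def expand(match: re.Match) -> str:
        name = match.group(1)
        if name not in SUPPORTED_VARIABLES or name not in device:
            raise ValueError(f"unresolved Intune variable: {name}")
        return device[name]
    return re.sub(r"\{\{(\w+)\}\}", expand, template)


if __name__ == "__main__":
    # Constructed sample device; the GUID is a placeholder, not a real device.
    dev = {"DeviceId": "00000000-0000-0000-0000-000000000001"}
    print(render_subject("CN={{DeviceId}}, O=Contoso", dev))
    print(renewal_state("2024-01-01", "2024-12-31", "2024-11-01"))
```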
Please select the Intune profile from
With our stated settings, we fulfill .
Please follow the instructions of and take care of the following differences:
You can define RDNs based on your needs. Supported variables are listed in the . We recommend including the username (e.g. janedoe) and email address (e.g. janedoe@contoso.com) as a baseline setting.
With our stated settings, we fulfill