Kandji

Issue certificates in Kandji by connecting SCEPman as an External CA. Using SCEPman's static interface and a challenge password, enrolled devices will be able to obtain certificates.

Last updated 20 days ago


SCEPman can be connected to Kandji as an External CA. Via SCEPman's static interface and a challenge password, enrolled devices will be able to obtain certificates.

For more general information about other MDM solutions and SCEPman integration please check here.

Enable Kandji Integration

The Kandji integration of SCEPman can be enabled via the following environment variables on the SCEPman App Service:

You can differentiate between the SCEPman App Service and the Certificate Master by looking for the App Service without the "-cm" in its name.

| Setting | Description | Value |
| --- | --- | --- |
| AppConfig:StaticValidation:Enabled | Enable 3rd-party validation | true to enable, false to disable |
| AppConfig:StaticValidation:RequestPassword | Certificate signing requests sent to SCEPman for signing are authenticated with this secure static password. Recommendation: Store this secret in Azure KeyVault. | generate a 32 character password |
| AppConfig:StaticValidation:ValidityPeriodDays (optional) | Days certificates issued via Kandji are valid | 365 |
| AppConfig:StaticValidation:EnableCertificateStorage (optional) | Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master | true to enable, false to disable |

After adding or editing SCEPman configuration parameters, you need to restart the App Service.

Kandji Configuration

SCEPman Root Certificate

As a first step, you must deploy SCEPman's root certificate. Download this CA certificate via the SCEPman Website.

In Kandji, navigate to Library on the left navigation bar and add a Certificate Library Item to your Blueprint.

To upload the certificate, first select PKCS #1-formatted certificate under Certificate type, then provide an optional name, upload your SCEPman CA certificate, and finally save it.

SCEP Profile

The second step is to add a SCEP Profile to your Blueprint. To do so, add a new SCEP Library Item and configure it as below:

  • URL: The static SCEP endpoint of SCEPman you configured above

  • Name: An optional SAN attribute

  • Challenge: Required to authenticate CSR requests sent to SCEPman's static SCEP interface. It must match the value you have configured above.

  • Fingerprint: Optional CA fingerprint. It is highly recommended to configure this value as it provides an additional level of security. You can find it on your SCEPman website as CA Thumbprint.

  • Subject: Optional subject name. CN=$PROFILE_UUID will be automatically added from Kandji as default common name. Kandji allows you to add multiple CNs.

We have seen cases where macOS and iOS had problems auto-selecting client certificates for network authentication purposes when more than two CNs were added.

  • Key Size: 2048

  • Key Usage: Both, signing and encryption

For more information please check Kandji's documentation.

Deployment Status

After saving the certificate or SCEP profile, switch to Status to check the deployment status on the Blueprint's assigned devices.
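An added example (not from the SCEPman documentation) of applying the settings from the Enable Kandji Integration table with the Azure CLI: it generates the 32-character challenge, sets the four settings and restarts the App Service. The resource group and App Service name are placeholders you pass in, and the password is written directly into the app setting rather than into Key Vault.

```shell
#!/bin/sh
# Added example: RG and APP are placeholders for your own resource names.

# 32 characters from the kernel CSPRNG, limited to [A-Za-z0-9] so the value
# can be pasted into the Kandji Challenge field without escaping.
gen_challenge() {
  head -c 96 /dev/urandom | base64 | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-32
}

# The page identifies the SCEPman App Service as the one without "-cm".
is_scepman_app() {
  case "$1" in *-cm*) return 1 ;; *) return 0 ;; esac
}

# One KEY=VALUE line per setting from the table. $1 = challenge password.
build_settings() {
  printf '%s\n' \
    "AppConfig:StaticValidation:Enabled=true" \
    "AppConfig:StaticValidation:RequestPassword=$1" \
    "AppConfig:StaticValidation:ValidityPeriodDays=365" \
    "AppConfig:StaticValidation:EnableCertificateStorage=true"
}

# $1 = resource group, $2 = App Service name. Requires a logged-in Azure CLI.
apply_settings() {
  is_scepman_app "$2" || { echo "refusing: $2 looks like Certificate Master" >&2; return 1; }
  challenge=$(gen_challenge)
  # Unquoted on purpose: each line becomes one argument (values contain no spaces).
  # --output none keeps the CLI from echoing the settings back to the terminal.
  az webapp config appsettings set --resource-group "$1" --name "$2" \
    --output none --settings $(build_settings "$challenge")
  az webapp restart --resource-group "$1" --name "$2"   # restart, as the page requires
  printf 'Challenge for the Kandji SCEP profile: %s\n' "$challenge"
}

# Usage: sh enable-static.sh apply RG APP
if [ "${1:-}" = "apply" ]; then apply_settings "$2" "$3"; fi
```

The printed challenge is the value to enter in the Challenge field of the Kandji SCEP profile.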
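An added example (not part of the SCEPman or Kandji documentation) for the Fingerprint field: before uploading the downloaded root certificate to Kandji, compare its fingerprint with the CA Thumbprint shown on your SCEPman website. It assumes the thumbprint is a SHA-1 or SHA-256 hex string and picks the digest by length; the file names are placeholders.

```shell
#!/bin/sh
# Added example: file names and thumbprint values are supplied by you.

# Normalise a thumbprint for comparison: drop ':' and blanks, upper-case hex.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# Fingerprint of a certificate file. $1 = file (PEM or DER), $2 = sha1|sha256
cert_fp() {
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then form=PEM; else form=DER; fi
  openssl x509 -in "$1" -inform "$form" -noout -fingerprint "-$2" | cut -d= -f2 | tr -d ':'
}

# $1 = downloaded CA certificate, $2 = CA Thumbprint copied from the website.
# Returns 0 on match, 1 on mismatch, 2 if the thumbprint has an unexpected length.
verify_ca() {
  want=$(norm_fp "$2")
  case ${#want} in
    40) alg=sha1 ;;      # assumption: 40 hex characters means SHA-1
    64) alg=sha256 ;;    # assumption: 64 hex characters means SHA-256
    *)  echo "thumbprint has unexpected length ${#want}" >&2; return 2 ;;
  esac
  [ "$(cert_fp "$1" "$alg")" = "$want" ]
}

# Constructed sample input: a throwaway self-signed certificate for a dry run.
make_sample_ca() {  # $1 = output path (PEM); the key is written to $1.key
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=Constructed Sample Root" -days 1 2>/dev/null
}

# Usage: sh verify-ca.sh scepman-root.cer "<CA Thumbprint>"
if [ "$#" -eq 2 ]; then
  if verify_ca "$1" "$2"; then echo "fingerprint matches"; else echo "MISMATCH" >&2; exit 1; fi
fi
```

A mismatch means the file is not the certificate your SCEPman instance presents, so it should not be uploaded or pinned in the SCEP profile.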