# Kandji

SCEPman can be connected to [Kandji](https://www.kandji.io/) as an External CA. Via SCEPman's static interface and a challenge password, enrolled devices will be able to obtain certificates.

For more general information about other MDM solutions and SCEPman integration, please check [here](https://docs.scepman.com/certificate-management/static-certificates).

## Enable Kandji Integration

SCEPman integration can be enabled via the following environment variables on the SCEPman App Service:

{% hint style="info" %}
You can differentiate between the SCEPman App Service and the Certificate Master by looking for the App Service **without** the "-cm" in its name.
{% endhint %}

|                                                                                                           Setting                                                                                                          | Description                                                                                                                                                                                                                                                                                               |                     Value                    |
| :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------: |
|                        [AppConfig:StaticValidation:Enabled](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-enabled)                       | Enable 3rd-party validation                                                                                                                                                                                                                                                                               | ***true*** to enable, ***false*** to disable |
|                [AppConfig:StaticValidation:RequestPassword](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-requestpassword)               | <p>Certificate signing requests sent to SCEPman for signing are authenticated with this secure static password<br><br><strong>Recommendation</strong>: Store this secret in <a href="../../../scepman-configuration/application-settings#secure-configuration-in-azure-key-vault">Azure KeyVault</a>.</p> |      *generate a 32 character password*      |
|       [AppConfig:StaticValidation:ValidityPeriodDays](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-validityperioddays) (optional)       | Days certificates issued via Kandji are valid                                                                                                                                                                                                                                                             |                      365                     |
| [AppConfig:StaticValidation:EnableCertificateStorage](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-enablecertificatestorage) (optional) | Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master                                                                                                                                                                                                  | ***true*** to enable, ***false*** to disable |

{% hint style="warning" %}
After adding or editing SCEPman configuration parameters, you need to restart the App Service.
{% endhint %}

## Kandji Configuration

### SCEPman Root Certificate

As a first step, you must deploy SCEPman's root certificate. Download this CA certificate via the SCEPman website:

![SCEPman Website](https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2Fgit-blob-9170eb0435726398eb43f6fac8abd0d5f35e8cc4%2FSCEPmanHomePage.png?alt=media)

In Kandji, navigate to **Library** on the left navigation bar and add a **Certificate Library Item** to your Blueprint.

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FfToUgpoUeZOiYNe2xkzi%2F2023-03-09%2012_51_21-Window.png?alt=media&#x26;token=df6f66fb-369b-4adf-ab9d-70757354f2f7" alt=""><figcaption><p>Configure a Certificate Payload</p></figcaption></figure>

To upload the certificate, first select **PKCS #1-formatted certificate** under **Certificate type**, then provide an optional name, upload your SCEPman CA certificate, and finally save it.

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FL8NyfsJR7x2v0j6ybS6g%2F2023-03-09%2014_21_12-KandjiSCEPmanRootCA.png?alt=media&#x26;token=a70ff955-bbe2-4b49-9cf4-245964838675" alt=""><figcaption><p>Adding the SCEPman Root CA Certificate</p></figcaption></figure>

### SCEP Profile

The second step is to add a **SCEP Profile** to your **Blueprint**. To do so, add a new **SCEP Library Item** and configure it as below:

* **URL**: The static SCEP endpoint of SCEPman you configured [above](#enable-kandji-integration)
* **Name:** An optional SAN attribute
* **Challenge**: Required to authenticate CSRs sent to SCEPman's static SCEP interface. It must match the [value](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-requestpassword) you have configured [above](#enable-kandji-integration).
* **Fingerprint:** Optional CA fingerprint. It is highly recommended to configure this value as it provides an additional level of security. You can find it on your SCEPman website as **CA Thumbprint**.
* **Subject:** Optional subject name. **CN=$PROFILE\_UUID** will be automatically added by Kandji as the default common name. Kandji allows you to add multiple CNs.

{% hint style="warning" %}
We have seen cases where macOS and iOS had problems in auto-selecting client certificates for network authentication purposes where more than two CNs were added.
{% endhint %}

* **Key Size:** 2048
* **Key Usage:** Both signing and encryption

For more information, please check [Kandji's documentation](https://support.kandji.io/support/solutions/articles/72000559782-scep-profile).
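An added example (not part of SCEPman's or Kandji's documentation) of checking that the CA certificate downloaded from the SCEPman website matches the **CA Thumbprint** before that value is pinned in the **Fingerprint** field. The page does not name the hash algorithm, so the sketch assumes SHA-1 or SHA-256 and selects it from the length of the pinned value; the sample bytes are constructed and are not a real certificate.

```python
import hashlib
import hmac
import ssl

# Hex digest length -> algorithm. Assumption: the thumbprint is SHA-1 or SHA-256.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(value: str) -> str:
    """Drop separators and whitespace and lowercase: 'AB:CD ef' -> 'abcdef'."""
    cleaned = "".join(ch for ch in value if ch not in ": -\t\r\n").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned


def to_der(cert_bytes: bytes) -> bytes:
    """Accept a PEM or DER file; the fingerprint is computed over the DER bytes."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(cert_bytes.decode("ascii").strip())
    return cert_bytes


def fingerprint_matches(cert_bytes: bytes, pinned: str) -> bool:
    """True if the certificate hashes to the pinned thumbprint."""
    expected = normalize_fingerprint(pinned)
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None:
        raise ValueError(f"unexpected fingerprint length: {len(expected)} hex chars")
    actual = hashlib.new(algo, to_der(cert_bytes)).hexdigest()
    # Constant-time comparison; a mismatch means the file must not be deployed.
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for the downloaded CA certificate (not a real X.509 cert).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-not-a-real-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    # Constructed "CA Thumbprint" in the colon-separated, upper-case display form.
    digest = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
    shown = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    print("PEM matches:", fingerprint_matches(SAMPLE_PEM.encode("ascii"), shown))
    print("altered file matches:", fingerprint_matches(SAMPLE_DER + b"\x00", shown))
```

In practice, read the downloaded file with `open(path, "rb").read()` and pass the thumbprint string exactly as it is displayed.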

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FS84P4c40cLu5H5NCeley%2F2023-03-09%2014_43_19-Kandji.png?alt=media&#x26;token=45fdf5b6-6a31-4879-ba87-a7070e76e0c5" alt=""><figcaption><p>Adding a SCEP Profile</p></figcaption></figure>

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FhnTLPcfOXlMpBNOh5Nph%2F2023-03-09%2014_50_23-Kandji.png?alt=media&#x26;token=1ed96cb6-861a-4cb7-8511-22e1b0b48763" alt=""><figcaption><p>SCEP Profile Configuration</p></figcaption></figure>

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FbZiDYnqsvxgh8a36zPl3%2F2023-03-09%2014_51_22-Kandji.png?alt=media&#x26;token=d2e681dd-f50d-4043-a85a-46bd7396d810" alt=""><figcaption><p>SCEP Profile Configuration</p></figcaption></figure>

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FuiSTD2BxR4utzJ0YACZS%2F2023-03-09%2014_52_52-Kandji.png?alt=media&#x26;token=84aa9c64-7b38-4829-b337-cdde8549ab98" alt=""><figcaption><p>SCEP Profile Configuration</p></figcaption></figure>

### Deployment Status

After saving the certificate or SCEP profile, switch to **Status** to check the deployment status on the devices assigned to the **Blueprint**.

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FjchSJJzjqEDQxfX8K40s%2F2023-03-09%2015_12_40-Kandji.png?alt=media&#x26;token=5b316771-d526-45cc-8ee5-dba4d751e39f" alt=""><figcaption><p>Deployment Status</p></figcaption></figure>
