# Kandji

SCEPman can be connected to [Kandji](https://www.kandji.io/) as an External CA. Enrolled devices can then obtain certificates via SCEPman's static interface, authenticating with a challenge password.

For more general information about other MDM solutions and SCEPman integration, please check [here](/certificate-management/static-certificates.md).

## Enable Kandji Integration

Integration with Kandji can be enabled via the following environment variables on the SCEPman App Service:

{% hint style="info" %}
You can differentiate between the SCEPman App Service and the Certificate Master by looking for the App Service **without** the "-cm" in its name.
{% endhint %}

|                                                                                                Setting                                                                                                | Description                                                                                                                                                                                                                                                                       |                     Value                    |
| :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------: |
|                        [AppConfig:StaticValidation:Enabled](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-enabled)                       | Enable 3rd-party validation                                                                                                                                                                                                                                                       | ***true*** to enable, ***false*** to disable |
|                [AppConfig:StaticValidation:RequestPassword](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-requestpassword)               | <p>Certificate signing requests sent to SCEPman for signing are authenticated with this secure static password<br><br><strong>Recommendation</strong>: Store this secret in <a href="/pages/rsEGq388ayX5Juymh0JX#secure-configuration-in-azure-key-vault">Azure KeyVault</a>.</p> |      *generate a 32 character password*      |
|       [AppConfig:StaticValidation:ValidityPeriodDays](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-validityperioddays) (optional)       | Days certificates issued via Kandji are valid                                                                                                                                                                                                                                     |                      365                     |
| [AppConfig:StaticValidation:EnableCertificateStorage](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-enablecertificatestorage) (optional) | Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master | ***true*** to enable, ***false*** to disable |

{% hint style="warning" %}
After adding or editing SCEPman configuration parameters, you need to restart the App Service.
{% endhint %}

## Kandji Configuration

### SCEPman Root Certificate

As a first step, you must deploy SCEPman's root certificate. Download this CA certificate via the SCEPman website:

![SCEPman Website](/files/EfcGLtpCiY5X1RgElPgt)

In Kandji, navigate to **Library** on the left navigation bar and add a **Certificate Library Item** to your Blueprint.

<figure><img src="/files/PhPuIdtBB8OHzKVJcWpj" alt=""><figcaption><p>Configure a Certificate Payload</p></figcaption></figure>

To upload the certificate, select **PKCS #1-formatted certificate** under **Certificate type**, optionally provide a name, upload your SCEPman CA certificate, and finally save it.

<figure><img src="/files/s7kjAbuU6cNdhu7Yz29o" alt=""><figcaption><p>Adding the SCEPman Root CA Certificate</p></figcaption></figure>

### SCEP Profile

The second step is to add a **SCEP Profile** to your **Blueprint**. To do so, add a new **SCEP Library Item** and configure it as below:

* **URL**: The static SCEP endpoint of SCEPman you configured [above](#enable-kandji-integration)
* **Name:** An optional SAN attribute
* **Challenge**: Required to authenticate certificate signing requests sent to SCEPman's static SCEP interface. It must match the [value](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-requestpassword) you have configured [above](#enable-kandji-integration).
* **Fingerprint:** Optional CA fingerprint. It is highly recommended to configure this value as it provides an additional level of security. You can find it on your SCEPman website as **CA Thumbprint**.
* **Subject:** Optional subject name. **CN=$PROFILE\_UUID** is automatically added by Kandji as the default common name. Kandji allows you to add multiple CNs.

{% hint style="warning" %}
We have seen cases where macOS and iOS had problems in auto-selecting client certificates for network authentication purposes where more than two CNs were added.
{% endhint %}

* **Key Size:** 2048
* **Key Usage:** Both signing and encryption

For more information, please check [Kandji's documentation](https://support.kandji.io/support/solutions/articles/72000559782-scep-profile).

<figure><img src="/files/nTNaaMGEYMhmLJXKBSy8" alt=""><figcaption><p>Adding a SCEP Profile</p></figcaption></figure>

<figure><img src="/files/2EPPpeI6MvTm4c7yNBTq" alt=""><figcaption><p>SCEP Profile Configuration</p></figcaption></figure>

<figure><img src="/files/3YeHd6pl80yXLa9iGE2r" alt=""><figcaption><p>SCEP Profile Configuration</p></figcaption></figure>

<figure><img src="/files/I5qEZNi8OVt2LtZjVxqC" alt=""><figcaption><p>SCEP Profile Configuration</p></figcaption></figure>
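Before uploading the downloaded root certificate and entering the **Fingerprint**, you can confirm that the file matches the **CA Thumbprint** shown on your SCEPman website. The following is an added example, not part of SCEPman or Kandji; it assumes the thumbprint is the hex SHA-1 or SHA-256 digest of the DER-encoded certificate, and the sample bytes are a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder bytes standing in for a DER certificate (not a real CA cert).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

# Assumption: the thumbprint is a hex SHA-1 (40 chars) or SHA-256 (64 chars) digest.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def cert_to_der(data: bytes) -> bytes:
    """Return DER bytes from a PEM- or DER-encoded certificate file."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data  # no PEM armor found: treat the input as raw DER


def normalize(thumbprint: str) -> str:
    """Strip separators (spaces, colons, dashes) and lowercase the hex digits."""
    cleaned = re.sub(r"[\s:\-]", "", thumbprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("thumbprint is not hexadecimal")
    return cleaned


def matches_thumbprint(cert_bytes: bytes, expected: str) -> bool:
    """True if the certificate's digest equals the expected thumbprint."""
    want = normalize(expected)
    algo = _ALGO_BY_HEX_LEN.get(len(want))
    if algo is None:
        raise ValueError("expected a SHA-1 (40 hex) or SHA-256 (64 hex) thumbprint")
    got = hashlib.new(algo, cert_to_der(cert_bytes)).hexdigest()
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    import sys
    # Usage: python check_thumbprint.py <downloaded-ca-cert> "<CA Thumbprint>"
    with open(sys.argv[1], "rb") as fh:
        ok = matches_thumbprint(fh.read(), sys.argv[2])
    sys.exit(0 if ok else "thumbprint mismatch: do not upload this certificate")
```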

### Deployment Status

After saving the certificate or SCEP profile, switch to **Status** to check the deployment status on the devices assigned to the **Blueprint**.

<figure><img src="/files/2VaWZn0oJB7rqPmJgehu" alt=""><figcaption><p>Deployment Status</p></figcaption></figure>


