search

Standard Guide

This will guide you through all steps necessary to set up SCEPman in your PoC or Production environment based on our best practices.

hashtag
Azure Deployment

Let's start with the requirements and a resource overview. Keep in mind that you need to plan a useful Azure resource design.

hashtag
Prerequisites

hashtag
Mandatory

hashtag
Optional

hashtag
Overview Azure Resource

All these resources are recommended for a production environment.

Type
Description

App Service (x2)

A virtual Azure environment to run the SCEPman Core and Cert Master applications and provides a UI to configure different application specific settings like CNAME, SSL certificate and App Settings.

App Service Plan

A virtual set of compute resources and configurations for the "App Service(s)".

Here you can configure the pricing tier and resource scaling.

Key Vault

Tool to securely store secrets and certificates. The SCEPman application

will generate and save the root certificate in your Key Vault.

Application Insights

Application Performance Management (APM) tool to get insights of the

SCEPman applications and requests. Needed to measure performance

and good for service optimization.

Storage account

Storage platform used by SCEPman's Certificate Master component to store certain attributes of the manually issued TLS server certificates for revocation purposes. Optional:

The "App Service" will load the artifacts from a blob storage URI if manual updates are configured.

Log Analytics workspace

A centralized and cloud-based log storage. The "App Service" will save all

platform logs and metrics into this workspace.

Data Collection Rule

Since v 3.0 to allow SCEPman to write logs to the Log Analytics Workspace using Microsofts Log Ingestion API

Additionally, if you are using Private Endpoints, you have seven more Azure Resources.

Type
Description

Virtual Network

The SCEPman App Services, the Key Vault, and the Storage Account connect over this VNET.

Private Endpoint (×2)

One for the Key Vault and one for the Storage Account. It makes them accessible over the VNET.

Private DNS zone (×2)

One for the Key Vault and one for the Storage Account. They both have an internal IP address in the VNET, for which they have a name in their respective Private DNS zone.

Network Interface (×2)

One for the Key Vault and one for the Storage Account. It connects the Private Endpoint to the VNET.

hashtag
Configuration Steps

1

hashtag
Deploy SCEPman Base Services

circle-exclamation

This is a mandatory step.

To start with the deployment, please follow our deployment instructions:

Marketplace deploymentchevron-right

2

hashtag
Perform Post-Deployment Steps (Permission Assignments)

circle-exclamation

This is a mandatory step.

To properly link all components of SCEPman 2, several permissions need to be assigned. Please follow these steps to establish the relevant connections:

Managed Identitieschevron-right

3

hashtag
Add Certificate Master Permissions

circle-check

This is a mandatory step for Enterprise Edition customers. Community Edition users may skip this step.

The Certificate Master is an Enterprise Edition feature that allows administrators to manually generate and revoke certificates. Please follow these steps to provide access to the Certificate Master.

Certificate Master RBACchevron-right

4

hashtag
Create Root certificate

circle-exclamation

This is a mandatory step.

After the deployment and permission assignment is complete, you need to create the root certificate for SCEPman:

Root CAchevron-right

5

hashtag
Configure a Custom Domain and SSL Certificate

circle-info

This is an optional step.

To have your SCEPman available under your specific domain you need to create a Custom Domain in the App Service.

Custom Domainchevron-right

6

hashtag
Manual Updates

circle-info

This is an optional step.

By default, SCEPman adopts an evergreen approach towards updates. In case you require full control over your SCEPman updates, please configure a deployment slot as described in the following guide under section Deployment Slot Configuration.

Update Strategychevron-right

7

hashtag
Deploy Application Insights

circle-check

This is recommended step.

The Application Insights can be used to get an overview of the App Service performance and to get deeper insights of the request processing of SCEPman. We recommend to always configure Application Insights to monitor, maintain and optimize the App Service.

Application Insightschevron-right

8

hashtag
Configure Health Check

circle-check

This is recommended step.

We can configure a Health Check for the App Service to get direct notifications in case that the SCEPman stops working.

Health Checkchevron-right

9

hashtag
Ensure that SCEPman has sufficient Resources

circle-exclamation

This is a mandatory step.

Once you move SCEPman into a production environment, you should ensure that SCEPman is equipped with sufficient computing power. Therefore, please review our Azure Sizing guide and upgrade your App Service Plan tier if need be. You may postpone this until after your PoC or trial phase.

App Service Sizingchevron-right

10

hashtag
Configure your MDM Deployment Profiles

circle-check

This is a recommended step.

With the completion of the above steps, we have a working SCEPman implementation and can now deploy certificates to the devices.

Please use one (or more) of the following articles, to deploy certificates with your preferred MDM solution:

Microsoft Intunechevron-rightJamf Prochevron-rightOther MDM Solutionschevron-right

11

hashtag
Manually Issue Certificates or sign CSRs using the Certificate Master

circle-info

This is an optional step.

Please follow below link, to learn how to issue TLS server or other certificates or how to sign any CSR using the Certificate Master component.

Certificate Masterchevron-right

Last updated

Was this helpful?