Standard Guide

This will guide you through all steps necessary to set up SCEPman in your PoC or Production environment based on our best practices.

Azure Deployment

Let's start with the requirements and a resource overview. Keep in mind that you need to plan a useful Azure resource design.

Prerequisites

Mandatory

• Azure subscription (at least Contributor rights on that subscription).

• Azure owner rights (at least on Resource Group level).

• Microsoft Entra ID (Azure AD) "Global administrator" (Consent to access Graph API).

• Make sure to define your Azure policies according to SCEPman requirements (e.g. do not enforce TLS).

Optional

• Public Domain CNAME (scepman.yourdomain.com), if a custom domain is used.

• SSL (Wildcard-) Certificate (or use App Service Managed Certificate), if a custom domain is used.

Overview Azure Resource

All these resources are recommended for a production environment.

Additionally, if you are using Private Endpoints, you have seven more Azure Resources.

Configuration Steps

Step 1: Deploy SCEPman Base Services

To start with the deployment, please follow our deployment instructions:

Step 2: Perform Post-Deployment Steps (Permission Assignments)

To properly link all components of SCEPman 2.X, several permissions need to be assigned. Please follow these steps to establish the relevant connections:

Step 3: Create Root certificate

After the deployment and permission assignment is complete, you need to create the root certificate for SCEPman:

Step 4: Configure a Custom Domain and SSL Certificate

To have your SCEPman available under your specific domain you need to create a Custom Domain in the App Service.

Step 5: Manual Updates

By default, SCEPman's update strategy is configured to the Evergreen approach / auto-updates. In case you require full control over your SCEPman updates, please configure a deployment slot as described in the following guide under section Deployment Slot Configuration.

Step 6: Deploy Application Insights

The Application Insights can be used to get an overview of the App Service performance and to get deeper insights of the request processing of SCEPman. We recommend to always configure Application Insights to monitor, maintain and optimize the App Service.

Step 7: Configure Health Check

We can configure a Health Check for the App Service to get direct notifications in case that the SCEPman stops working.

Step 8: Ensure that SCEPman has sufficient Resources

Once you move SCEPman into a production environment, you should ensure that SCEPman is equipped with sufficient computing power. Therefore, please review our Azure Sizing guide and upgrade your App Service Plan tier if need be. You may postpone this until after your PoC or trial phase.

Step 9: Configure your MDM Deployment Profiles

With the completion of the above steps, we have a working SCEPman implementation and can now deploy certificates to the devices.

Please use one (or more) of the following articles, to deploy certificates with your preferred MDM solution:

Step 10: Manually issue Certificates or sign CSRs using Cert Master

Please follow below link, to learn how to issue TLS server or other certificates or how to sign any CSR using the Cert Master component.