Standard Guide

Search…

Standard Guide

This will guide you through all steps necessary to set up SCEPman in your PoC or Production environemt based on our best practices.
Azure Deployment
Let's start with the requirements and a resource overview.
Keep in mind that you need to plan a useful Azure resource design.
Checklist pre-requirements
Azure resource naming convention
Azure subscription
Azure owner rights (at least on Resource Group level)
Azure AD "Global administrator" (Consent to access Graph API)
[Optional] Public Domain CNAME (scepman.yourdomain.com)
[Optional] SSL (Wildcard-) Certificate (or use App Service Managed Certificate)
Overview Azure Resource
All these resources are recommended for a production environment.
Type
Description
App Service(s)
A virtual Azure environment to run the SCEPman Core and Cert Master applications and provides a UI to configure different
application specific settings like CNAME, SSL certificate and App Settings.
App Service Plan
A virtual set of compute resources and configurations for the "App Service(s)".
Here you can configure the pricing tier and resource scaling.
Key Vault
Tool to securely store secrets and certificates. The SCEPman application
will generate and save the root certificate in your Key Vault.
Application Insights
Application Performance Management (APM) tool to get insights of the
SCEPman applications and requests. Needed to measure performance
and good for service optimization.
Storage account
Storage platform used by SCEPman's Cert Master component to store certain attributes of the manually issued TLS server certificates for revocation purposes.

Optional:
Storage platform to upload the SCEPman artifacts and save log files.
The "App Service" will load the artifacts from a public blob store URI and
save all the application and web server logs in a blob container.
Log Analytics workspace
A centralized and cloud-based log storage. The "App Service" will save all
platform logs and metrics into this workspace.
Configuration Steps
Step 1: Deploy SCEPman Base Services
This is a mandatory step.
To start with the deployment, please follow our deployment instructions:
Marketplace deployment
Step 2: Perform Post-Deployment Steps (Permission Assignments)
This is a mandatory step.
To properly link all components of SCEPman 2.X, several permissions need to be assigned. Please follow these steps to establish the relevant connections:
🆕
V2.x: Managed Identities
Step 3: Create Root certificate
This is a mandatory step.
After the deployment and persmission assignment is complete, you need to create the root certificate for SCEPman:
Root Certificate
Step 4: Configure a Custom Domain and SSL Certificate
This is an optional step.
To have your SCEPman available under your specific domain you need to create a Custom Domain in the App Service.
Custom Domain
Step 5: Configure an Update Strategy
This is a recommended step.
By default, when you deploy SCEPman from Azure Marketplace, SCEPman will not update automatically. To always stay up to date, we recommend to re-configure SCEPman to adapt our evergreen update strategy. In case you need full control over your updates, configure a custom artifact location.
Update Strategy
Step 6: Configure Log Collection
This is recommended step.
You can configure two different logging parts in your App Service, to retain your log data. The one part is the App Service Logs, which will save all application and IIS server-based log data. The other part is the Diagnostic settings, this contains platform logs and metrics data.
Log configuration
Use the storage account we created in Step 4 and create two new blob containers. This blob containers can be selected in the App Service Logs instructions. In the Diagnostic settings you can directly choose the storage account and blob containers will be created automatically.
Step 7: Deploy Application Insights
This is recommended step.
The Application Insights can be used to get an overview of the App Service performance and to get deeper insights of the request processing of SCEPman. We recommend to always configure Application Insights to monitor, maintain and optimize the App Service.
Application Insights
Step 8: Configure Health Check
This is recommended step.
We can configure a Health Check for the App Service to get direct notifications in case that the SCEPman stops working.
Health Check
Step 9: Configure your MDM Deployment Profiles
This is a mandatory step.
With the completion of the above steps, we have a working SCEPman implementation and can now deploy certificates to the devices.
Please use one (or more) of the following articles, to deploy certificates with your preferred MDM solution:
Microsoft Intune
Jamf
Step 10: Issue TLS Server Certificates or sign CSRs using Cert Master
This is an optional step.
Please follow below link, to learn how to issue TLS server certificates based on a list of FQDNs or sign any CSR using the Cert Master component.
🆕
Certificate Master

SCEPMAN Deployment - Previous

Getting Started

Extended Guide

Last modified 3mo ago

Copy link

Edit on GitHub

Outline

Azure Deployment

Checklist pre-requirements

Overview Azure Resource

Configuration Steps

Step 1: Deploy SCEPman Base Services

Step 2: Perform Post-Deployment Steps (Permission Assignments)

Step 3: Create Root certificate

Step 4: Configure a Custom Domain and SSL Certificate

Step 5: Configure an Update Strategy

Step 6: Configure Log Collection

Step 7: Deploy Application Insights

Step 8: Configure Health Check

Step 9: Configure your MDM Deployment Profiles

Step 10: Issue TLS Server Certificates or sign CSRs using Cert Master