This will guide you through all steps necessary to set up SCEPman in your PoC or Production environemt based on our best practices.
Let's start with the requirements and a resource overview. Keep in mind that you need to plan a useful Azure resource design.
- Azure subscription (at least Contributor rights on that subscription)
- Azure owner rights (at least on Resource Group level)
- Azure AD "Global administrator" (Consent to access Graph API)
- [Optional] Public Domain CNAME (scepman.yourdomain.com)
All these resources are recommended for a production environment.
To start with the deployment, please follow our deployment instructions:
To properly link all components of SCEPman 2.X, several permissions need to be assigned. Please follow these steps to establish the relevant connections:
After the deployment and persmission assignment is complete, you need to create the root certificate for SCEPman:
To have your SCEPman available under your specific domain you need to create a Custom Domain in the App Service.
By default, SCEPman's update strategy is configured to the Evergreen approach / auto-updates. In case you require full control over your SCEPman updates, please configure a deployment slot as described in the following guide under section Deployment Slot Configuration.
You can configure two different logging parts in your App Service, to retain your log data. The one part is the App Service Logs, which will save all application and IIS server-based log data. The other part is the Diagnostic settings, this contains platform logs and metrics data.
The Application Insights can be used to get an overview of the App Service performance and to get deeper insights of the request processing of SCEPman. We recommend to always configure Application Insights to monitor, maintain and optimize the App Service.
We can configure a Health Check for the App Service to get direct notifications in case that the SCEPman stops working.
With the completion of the above steps, we have a working SCEPman implementation and can now deploy certificates to the devices.
Please use one (or more) of the following articles, to deploy certificates with your preferred MDM solution:
Please follow below link, to learn how to issue TLS server certificates based on a list of FQDNs or sign any CSR using the Cert Master component.