Extended Guide

Last updated 20 days ago

SCEPman Enterprise Edition only

This guide walks you through all steps to deploy SCEPman in an enterprise-grade environment with advanced requirements, e.g. naming conventions, redundancy or autoscaling.

Azure Deployment

Let's start with the prerequisites and a resource overview. Keep in mind that you need to plan a suitable Azure resource design up front.

Prerequisites

Mandatory

Optional

SSL (wildcard) certificate (or use an App Service Managed Certificate), only if a custom domain is used.

Overview of Azure Resources

All these resources are recommended for a production environment.

App Service (x2)
  A virtual Azure environment that runs the SCEPman Core and Certificate Master applications and provides a UI to configure application-specific settings such as the CNAME, the SSL certificate and App Settings.

App Service Plan
  A virtual set of compute resources and configuration for the App Service(s). Here you configure the pricing tier and resource scaling.

Key Vault
  Service to securely store secrets and certificates. The SCEPman application generates and saves the root certificate in your Key Vault.

Application Insights
  Application Performance Management (APM) tool to gain insight into the SCEPman applications and their requests. Needed to measure performance and useful for service optimization.

Storage account
  Storage platform used by SCEPman's Certificate Master component to store certain attributes of manually issued TLS server certificates for revocation purposes. Optional: the App Service loads the application artifacts from a blob storage URI if manual updates are configured.

Log Analytics workspace
  A centralized, cloud-based log store. The App Service saves all platform logs and metrics into this workspace.

Additionally, if you are using Private Endpoints, you have seven more Azure resources:

Virtual Network
  The SCEPman App Services, the Key Vault and the Storage Account connect over this VNet.

Private Endpoint (x2)
  One for the Key Vault and one for the Storage Account. It makes them accessible over the VNet.

Private DNS zone (x2)
  One for the Key Vault and one for the Storage Account. Each has an internal IP address in the VNet, for which it has a name in its respective Private DNS zone.

Network Interface (x2)
  One for the Key Vault and one for the Storage Account. It connects the Private Endpoint to the VNet.

Configuration Steps

Step 1: Deploy SCEPman Base Services

This is a mandatory step.

Decide whether you want to deploy with a Windows or a Linux App Service Plan; both deployment methods let you choose the operating system.

To start the deployment, follow our setup instructions for the ARM template (see Enterprise deployment) or, alternatively, for our Terraform script (see Terraform deployment).

Step 2: Perform Post-Deployment Steps (Permission Assignments)

This is a mandatory step.

To properly link all components of SCEPman, several permissions need to be assigned. Follow the steps in Managed Identities to establish the relevant connections.

Step 3: Create Root Certificate

This is a mandatory step.

After the deployment and the permission assignments are complete, you need to create the root certificate for SCEPman (see Root CA).

Step 4: Configure a Custom Domain and SSL Certificate

This is a recommended step. However, skip it if you are implementing geo-redundancy / high availability.

To make SCEPman available under your own domain, create a Custom Domain in the App Service (see Custom Domain).

Step 5: Manual Updates

This is an optional step.

By default, SCEPman adopts an evergreen approach towards updates. If you require full control over your SCEPman updates, configure a deployment slot as described in the Update Strategy guide under the section Deployment Slot Configuration.

Step 6: Deploy Application Insights

This is a recommended step.

Application Insights gives an overview of App Service performance and deeper insight into how SCEPman processes requests. We recommend always configuring Application Insights to monitor, maintain and optimize the App Service (see Application Insights).

Step 7: Configure Health Check

This is a recommended step.

A health check can be configured to notify administrators when the SCEPman App Service is unresponsive (see Health Check). On plans with more than one instance, App Service also takes an instance that fails the check out of rotation.

Step 8: Ensure that SCEPman has sufficient resources

This is a mandatory step.

Once you move SCEPman into a production environment, ensure that it is equipped with sufficient computing power: review our App Service Sizing guide and upgrade your App Service Plan tier if needed. You may postpone this until after your PoC or trial phase.

Step 9: Configure Autoscaling

This is an optional step.

SCEPman has two different tasks with different performance profiles. The first is certificate issuance: after SCEPman is configured, certificates (user and/or device certificates) are deployed to all devices. This is largely a one-time task; after the initial rollout, issuance only happens when a new device is enrolled or certificates need to be renewed, and in those situations SCEPman faces a peak of SCEP requests. The second task is certificate validation: once certificates are deployed, they need to be validated every time they are used. For every certificate-based authentication the client, gateway or RADIUS server (depending on your setup) sends an OCSP request to the SCEPman App Service, which causes a permanent request load on the App Service.

To get optimal performance while keeping costs under control, we recommend setting up the Autoscaling feature of the App Service, which lets the application scale out and scale in based on metrics (see Autoscaling).
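The health check from Step 7 and the autoscaling from this step can be scripted with Azure CLI. The following script is an added example, not SCEPman's own tooling: the resource names, the health-check path /probe, the instance limits and the CPU thresholds are assumptions to adapt to your environment. It prints the az commands by default (DRY_RUN=1) so the plan can be reviewed before applying it with DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example (not part of SCEPman): configure the App Service health check
# and an autoscale setting for the SCEPman App Service Plan with Azure CLI.
# All names, the health path and the thresholds are assumptions.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-scepman}"       # assumed resource group
APP_SERVICE="${APP_SERVICE:-app-scepman}"             # SCEPman Core App Service
APP_SERVICE_PLAN="${APP_SERVICE_PLAN:-asp-scepman}"   # its App Service Plan
HEALTH_PATH="${HEALTH_PATH:-/probe}"                  # assumed health endpoint
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print commands only

# run: print the az command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# Step 7: point the App Service health check at the SCEPman probe path.
configure_health_check() {
  run az webapp config set \
    --resource-group "$RESOURCE_GROUP" --name "$APP_SERVICE" \
    --generic-configurations "{\"healthCheckPath\": \"$HEALTH_PATH\"}"
}

# Step 9: autoscale the plan between 1 and 3 instances on CPU load.
configure_autoscale() {
  setting="autoscale-${APP_SERVICE_PLAN}"
  run az monitor autoscale create \
    --resource-group "$RESOURCE_GROUP" --resource "$APP_SERVICE_PLAN" \
    --resource-type Microsoft.Web/serverfarms --name "$setting" \
    --min-count 1 --max-count 3 --count 1
  # Scale out quickly when an enrolment or renewal peak drives CPU up ...
  run az monitor autoscale rule create \
    --resource-group "$RESOURCE_GROUP" --autoscale-name "$setting" \
    --condition "CpuPercentage > 70 avg 5m" --scale out 1 --cooldown 5
  # ... and scale in slowly so the steady OCSP load keeps being served.
  run az monitor autoscale rule create \
    --resource-group "$RESOURCE_GROUP" --autoscale-name "$setting" \
    --condition "CpuPercentage < 30 avg 15m" --scale in 1 --cooldown 15
}

main() {
  configure_health_check
  configure_autoscale
}

main
```

Autoscale rules require the App Service Plan to be on the Standard tier or higher; lower tiers only offer manual scaling. The asymmetric cooldowns are deliberate: scaling out fast absorbs enrolment peaks, while scaling in slowly avoids flapping under the continuous OCSP traffic described above.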

Step 10: Configure Geo-Redundancy

This is an optional step. See Geo-Redundancy for the setup.

Step 11: Configure your MDM Deployment Profiles

This is a recommended step.

With the completion of the above steps, we have a working SCEPman implementation and can now deploy certificates to devices.

Use one (or more) of the following articles to deploy certificates with your preferred MDM solution: Microsoft Intune, Jamf Pro, Other MDM Solutions.

Step 12: Issue TLS Server Certificates or sign CSRs using Cert Master

This is an optional step.

See Certificate Master to learn how to issue TLS server certificates based on a list of FQDNs or how to sign any CSR using the Cert Master component.

Step 13: Issue Certificates using the Enrollment REST API

This is an optional step.

SCEPman features a REST API to enroll certificates. It is an alternative to the SCEP endpoints: the SCEP endpoints require SCEP-style authentication, whereas the REST API uses Microsoft identities for authentication. The protocol is also much simpler than SCEP (see Enrollment REST API).
