# Use Cases
This page is intended to give you an **overview** of **common use cases** and scenarios our clients leverage SCEPman for. While we cannot provide support for the intricacies of every vendor solution, we hope this overview helps you to quickly assess whether SCEPman could be a fit for your scenario, too - without overwhelming you with less common or even exotic use-cases. If you are unsure, just [drop us a question](https://www.scepman.com/drop-a-question).
## Secure WiFi and Network Access
Certificates issued by SCEPman are widely used for the purpose of certificate-based network authentication (802.1X / EAP-TLS) for WiFi, Wired/LAN and VPN, typically along with a network access control (NAC) service that speaks the RADIUS or RadSec protocol. Such services commonly are
* [RADIUSaaS](https://www.radius-as-a-service.com/)
* Aruba ClearPass
* Cisco ISE / Cisco ASA
* Azure VPN Gateway / Azure AlwaysOn VPN
* Fortinet FortiGate
* Palo Alto GlobalProtect
In addition to typical user-centric client devices such as laptops, PCs or Macs, **kiosk devices** such as point of sales or self-checkout systems, scanner/barcode guns or customer terminals are often equipped with certificates from SCEPman for secure network authentication.
## Certificate-based Authentication
You can enrol user authentication certificates with SCEPman for TLS client authentication. This allows authentication to web sites or services such as
* Internal web applications
* [Windows](https://docs.scepman.com/certificate-management/api-certificates/api-enrollment/windows-server) or [Linux](https://docs.scepman.com/certificate-management/api-certificates/api-enrollment/linux-server) servers
* Microsoft 365
* Exchange Online
* Azure Active Directory (AAD) / Azure CBA (including [CRL support](https://docs.scepman.com/scepman-configuration/application-settings/crl)) as, e.g. required by [NIST 800-63, Rev. 4](https://www.nist.gov/identity-access-management/roadmap-nist-special-publication-800-63-4-digital-identity-guidelines)
* Other cloud services
* Remote Desktop (RDP) connections
* AVD
* Windows server administration / PAWs
## TLS Inspection
SCEPman can [issue sub CA certificates](https://docs.scepman.com/certificate-management/certificate-master/sub-ca-certificate) for TLS inspection on firewall appliances and services such as
* [Azure Firewall](https://learn.microsoft.com/en-us/azure/firewall/premium-certificates)
* Global Secure Access (GSA) ([Microsoft Entra Internet Access](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-transport-layer-security))
* Other firewall appliances
## MDM Solutions
To automate the deployment of relevant configuration profiles and to keep certificates up to date (auto-renewal), we recommend to use SCEPman along with an MDM solution. While SCEPman natively integrates with Microsoft Endpoint Manager/Intune and Jamf Pro, our customers have successfully deployed SCEPman along with other MDM solutions.
Below table provides an overview of the most commonly used MDM solutions and indicates how/if certificate revocation is possible.
| MDM Solution | Supported Platforms | Issuance & Auto-renewal | Automatic Revocation | Manual Revocation | Links |
| --------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Intune /
Endpoint Manager
| Windows
macOS
iOS
iPadOS
Android
Linux
| :ballot\_box\_with\_check: | :ballot\_box\_with\_check: | ☑️
| [Microsoft Docs](https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep) |
| [Active Directory / Group Policy (GPO)](https://docs.scepman.com/certificate-management/active-directory) | Windows | :ballot\_box\_with\_check: | | | |
| [Jamf Pro](https://docs.scepman.com/certificate-management/jamf) | macOS
iOS
iPadOS
| :ballot\_box\_with\_check: | :ballot\_box\_with\_check: | :ballot\_box\_with\_check: | [Jamf Technical Paper](https://docs.jamf.com/technical-papers/jamf-pro/scep-proxy/10.0.0/Introduction.html) |
| [GSuite / Google Workspace](https://docs.scepman.com/certificate-management/static-certificates) | ChromeOS
Android
| :ballot\_box\_with\_check: | :ballot\_box\_with\_check:\* | :ballot\_box\_with\_check: | [Google Support Docs](https://support.google.com/chrome/a/answer/11053129?hl=en) |
| [Airwatch / WorkspaceONE UEM](https://docs.scepman.com/certificate-management/static-certificates) | macOS
iOS
| :ballot\_box\_with\_check: (no auto-renewal) | | :ballot\_box\_with\_check: | [VMware Support Docs](https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/Certificate_Authority_Integrations/GUID-EF7C4D44-9480-4AD1-91E3-EA4F02448F5A.html) |
| [Mosyle](https://docs.scepman.com/certificate-management/static-certificates/mosyle) | macOS
iOS
iPadOS
| :ballot\_box\_with\_check: | | :ballot\_box\_with\_check: | |
| [SOTI MobiControl](https://docs.scepman.com/certificate-management/static-certificates) | Windows
macOS
iOS
iPadOS
Android
Ubuntu
| :ballot\_box\_with\_check: | | :ballot\_box\_with\_check: | Soti Docs - External CA
Soti Docs - SCEP Profile
|
| [Kandji](https://docs.scepman.com/certificate-management/static-certificates/kandji-1) | macOS
iOS
iPadOS
| :ballot\_box\_with\_check: | :ballot\_box\_with\_check:\* | :ballot\_box\_with\_check: | [Kandji Docs](https://support.kandji.io/support/solutions/articles/72000559782-scep-profile) |
| [ManageEngine](https://docs.scepman.com/certificate-management/static-certificates) | Windows
macOS
iOS
iPadOS
Android
| :ballot\_box\_with\_check: | | :ballot\_box\_with\_check: | [ManageEngine Docs](https://www.manageengine.com/mobile-device-management/help/certificate_management/mdm_integrating_generic_scep.html) |
\*: Only works with user-type certificates if the user-objects are synced from Microsoft Entra ID (Azure AD).
## On-premises to Cloud Migration
Since SCEPman is a cloud-native and general purpose PKI, many of our clients who migrate their on-premises infrastructure to the cloud, use SCEPman to fully replace their on-premises Microsoft PKI (ADCS and NDES). With SCEPman, this is possible for endpoint devices that are
* Domain-joined,
* Hybrid-joined, or
* Entra ID-joined.
## IoT Devices
SCEPman can be utilized to supply certificates to IoT devices. Therefore, SCEPman supports an ECC CA allowing performance- and energy-optimized cryptographic algorithms on devices with limited computational resources or on devices relying on battery power. SCEPman's flexibility supports issuing certificates with long validity periods allowing a long-term offline operation without the need to renew certificates regularly. Furthermore, certificates can be enrolled on an assembly line in a convenient way by leveraging SCEPman's REST API with Microsoft Entra ID (Azure AD)-based authentication.