Use Cases

Last updated 1 month ago


This page gives an overview of the common use cases and scenarios for which our clients use SCEPman. While we cannot provide support for the intricacies of every vendor solution, we hope this overview helps you quickly assess whether SCEPman could be a fit for your scenario too, without overwhelming you with less common or even exotic use cases. If you are unsure, just drop us a question.

Secure WiFi and Network Access

Certificates issued by SCEPman are widely used for certificate-based network authentication (802.1X / EAP-TLS) for WiFi, wired LAN and VPN, typically together with a network access control (NAC) service that speaks the RADIUS or RadSec protocol. Commonly used services are:

  • RADIUSaaS

  • Aruba ClearPass

  • Cisco ISE / Cisco ASA

  • Azure VPN Gateway / Azure AlwaysOn VPN

  • Fortinet FortiGate

  • Palo Alto GlobalProtect

In addition to typical user-centric client devices such as laptops, PCs or Macs, kiosk devices such as point-of-sale or self-checkout systems, scanner/barcode guns or customer terminals are often equipped with certificates from SCEPman for secure network authentication.

Certificate-based Authentication

You can enrol user authentication certificates with SCEPman for TLS client authentication. This allows authentication to web sites or services such as

  • Internal web applications

  • Windows or Linux servers

  • Microsoft 365

    • Exchange Online

    • Azure Active Directory (AAD) / Azure CBA (including CRL support) as, e.g., required by NIST 800-63, Rev. 4

  • Other cloud services

  • Remote Desktop (RDP) connections

    • AVD

    • Windows server administration / PAWs

MDM Solutions

To automate the deployment of relevant configuration profiles and to keep certificates up to date (auto-renewal), we recommend using SCEPman together with an MDM solution. While SCEPman natively integrates with Microsoft Endpoint Manager/Intune and Jamf Pro, our customers have successfully deployed SCEPman along with other MDM solutions.

The table below provides an overview of the most commonly used MDM solutions and indicates whether and how certificate revocation is possible.

MDM Solution | Supported Platforms | Issuance & Auto-renewal | Automatic Revocation | Manual Revocation | Links

Windows macOS iOS

macOS iOS iPadOS

ChromeOS Android

macOS iOS

macOS

iOS iPadOS

Windows macOS iOS

iPadOS Android Ubuntu

macOS iOS iPadOS

Windows macOS iOS

iPadOS Android

*: Only works with user-type certificates if the user-objects are synced from Microsoft Entra ID (Azure AD).

On-premises to Cloud Migration

Since SCEPman is a cloud-native, general-purpose CA, many of our clients who migrate their infrastructure into the cloud use SCEPman to replace their on-premises Microsoft PKI/AD CS and NDES. Generally, this is possible as long as the devices that are to receive certificates are hybrid or fully Azure AD joined.

IoT Devices

SCEPman can be used to supply certificates to IoT devices. For this purpose, SCEPman supports an ECC CA, which allows performance- and energy-optimized cryptographic algorithms on devices with limited computational resources or on devices that rely on battery power. SCEPman's flexibility supports issuing certificates with long validity periods, allowing long-term offline operation without the need to renew certificates regularly. Furthermore, certificates can be enrolled conveniently on an assembly line by leveraging SCEPman's REST API with Microsoft Entra ID (Azure AD)-based authentication.

MDM solutions covered in the MDM Solutions table and their linked vendor documentation:

  • Intune / Endpoint Manager: Microsoft Docs

  • Jamf Pro: Jamf Technical Paper

  • GSuite / Google Workspace: Google Support Docs

  • Airwatch / WorkspaceONE UEM: VMware Support Docs

  • Mosyle

  • SOTI MobiControl: Soti Docs - External CA, Soti Docs - SCEP Profile

  • Kandji: Kandji Docs

  • ManageEngine: ManageEngine Docs