SCEP
Click SCEP on the Options tab and configure the following settings.
URL
Paste the SCEP URL value obtained when Getting Certificate Enrollment Gateway settings for MDM.
Mandatory: Yes.
Name
Enter the name of the SCEP service to display on the device.
Mandatory: Yes.
Redistribute Profile
Select Never.
Mandatory: Yes.
Subject
Enter the Subject Distinguished Name to include in the Certificate Signing Requests (CSRs). The enrollment process will ignore this dummy value and use the digital identifier.
See Adding digital identifiers to a Certificate Enrollment Gateway for MDM for details on digital identifiers.
Mandatory: Yes.
Subject Alternative Name Type
Select the type of Subject Alternative Name.
Mandatory: No.
Retries
Select the maximum number of retries after a PENDING response.
Mandatory: No.
Retry delay
Select the period between retries.
Mandatory: No.
Challenge type
Select Dynamic Entrust.
Mandatory: Yes.
Entrust Web Service URL
Paste the MDM-WS-URL value obtained when Getting Certificate Enrollment Gateway settings for MDM.
Mandatory: Yes.
Administrator Username
Paste the User ID value obtained when Getting Certificate Enrollment Gateway settings for MDM.
Mandatory: Yes.
Administrator Password
Paste the Password value obtained when Getting Certificate Enrollment Gateway settings for MDM.
Mandatory: Yes.
Verify Password
Paste the Password value obtained when Getting Certificate Enrollment Gateway settings for MDM.
Mandatory: Yes.
Digital ID Configuration Name
Paste the Name value obtained when Getting Certificate Enrollment Gateway settings for MDM.
Mandatory: Yes.
Group Name
Enter a name for the group.
Mandatory: When the RDN Format of the digital identifier includes the <iggroup> variable. In this case, Jamf will automatically map this Group Name to the <iggroup> variable.
See Adding digital identifiers to a Certificate Enrollment Gateway for MDM for details on digital identifiers.
RDN Variables
Enter a value for each variable evaluated by the RDN Format of the digital identifier.
See Adding digital identifiers to a Certificate Enrollment Gateway for MDM for details on digital identifiers.
To use Jamf dynamic values, insert the following variables:
Omit the following variables from the list of RDN Variables.
<igusername>
<devicetype>
These two variables do not need to be added because Jamf always provides values for them.
Mandatory: Yes.
Key Size
Select one of the following values.
2048
4096
Entrust PKIaaS does not support key sizes below 2048.
Mandatory: Yes.
Use as digital signature
Check to use the enrolled certificates for signing data.
Mandatory: No.
Use for key encipherment
Check to use the enrolled certificates for encrypting keys.
Mandatory: No.
Fingerprint
Paste the SHA-256 fingerprint (in hexadecimal format) of the whole root CA certificate in DER binary encoding (not in PEM). You can obtain this value from the certificate properties or by running one of the following commands.
certutil -hashfile rootca.der SHA256
openssl x509 -fingerprint -sha256 -noout -in rootca.crt | sed "s/[:]//g"
Mandatory: Yes. It is recommended to always configure this field when possible.
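The Fingerprint value must be the hash of the DER bytes, so hashing a PEM file directly (for example with certutil -hashfile) produces a different value that will not match. The following Python sketch is an added example, not part of the Entrust or Jamf documentation: it computes the fingerprint from either encoding and normalizes tool output to plain hexadecimal. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the file content is PEM or already DER."""
    match = PEM_RE.search(data)
    if match is None:
        return data  # no PEM armor found: treat the input as DER
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def der_sha256_fingerprint(data: bytes) -> str:
    """SHA-256 over the whole DER-encoded certificate, as plain hex."""
    return hashlib.sha256(to_der(data)).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Strip a 'Fingerprint=' label, colons and spaces from one line of tool output."""
    value = text.strip().rsplit("=", 1)[-1]
    value = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", value):
        raise ValueError("not a SHA-256 fingerprint: expected 64 hex digits")
    return value


# Constructed stand-in bytes, NOT a real certificate: hashing does not parse ASN.1.
SAMPLE_DER = bytes.fromhex("3082000a") + bytes(range(10))
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("DER input :", der_sha256_fingerprint(SAMPLE_DER))
    print("PEM input :", der_sha256_fingerprint(SAMPLE_PEM))
    # Hashing the PEM text itself gives a value that will not match.
    print("PEM as raw bytes (wrong):", hashlib.sha256(SAMPLE_PEM).hexdigest().upper())
```

To check a real file, pass its contents as `der_sha256_fingerprint(open("rootca.crt", "rb").read())` and compare the result with `normalize_fingerprint()` applied to the hash line printed by certutil or openssl.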