MobileIron SCEP Configuration Settings Defined


Name

Enter text that identifies this group of SCEP settings

Description

Enter additional text that clarifies the purpose of this group of SCEP settings

Enable Proxy

Select Enable Proxy. The following proxy options are available:

Cache locally generated keys—leaves the certificate in the VSP certificate store for reuse.

User Certificate—User-based certificates are used for all devices. If you select this option, revoking the certificate renders all the associated user’s devices as unauthorized.

Device Certificate—For device-based certificates, an individual certificate is created per device. If you select this option, revoking the certificate renders only the specific device associated with the certificate as unauthorized.

If you choose to disable the proxy functionality, the certificate will be generated by the device. This configuration is not supported.

Setting Type

SCEP—select this option if you are using standard certificate-based authentication using a separate CA.

Local—select this option if you are using the MobileIron VSP as the CA.

Symantec Managed PKI—select if you are using Symantec’s SCEP solution.


Provide the URL necessary to access your SCEP server, typically http://<your_ndes_server>/certsrv/mscep/mscep.dll

For iOS: Note that iOS does not support https with self-signed certificates. Therefore, should you choose to use https, you must have a trusted certificate installed for the portal certificate in order for provisioning to function properly.


Enter an X.509 name represented as an array of OIDs and values. Typically, set this to the user’s fully qualified domain name. For ease of configuration you can use the $USER_DN$ variable to populate the Subject with the user’s FQDN.

Subject Common Name Type

Select the CN type specified in the certificate template

Subject Alternative Name Type

Select NT Principal Name

Subject Alternative Name Value

Select $USER_UPN$

Key Size

Select the key size (1024, 2048, or 4096)

Key Usage

Specify acceptable use of the key (signing and/or encryption)

Finger Print

Leave this field blank

Challenge Type

Select None, Microsoft SCEP, or Manual to specify the type of challenge to use


For a Manual challenge type, enter the pre-shared secret the SCEP server can use to identify the request or user.

Challenge URL

For a Microsoft SCEP challenge type, enter the URL of the trust point defined for your Microsoft SCEP CA.

User Name

Enter the user name for the Microsoft SCEP CA.


Enter the password for the Microsoft SCEP CA.
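The field rules above can be checked before a profile is saved. The following is an added example, not MobileIron code: the dictionary keys are hypothetical names for the form fields, the sample profile is constructed, and the 1024-bit warning is added guidance rather than something this page states.

```python
# Added example: lint a SCEP settings profile against the rules on this page.
# Dict keys are hypothetical names for the form fields, not a MobileIron API.
ALLOWED_KEY_SIZES = {1024, 2048, 4096}
CHALLENGE_TYPES = {"None", "Microsoft SCEP", "Manual"}


def lint_scep_profile(p):
    """Return a list of (severity, message) findings for one profile."""
    findings = []

    def add(sev, msg):
        findings.append((sev, msg))

    if not p.get("enable_proxy"):
        add("error", "proxy disabled: device-generated certificates are not supported")
    if p.get("key_size") not in ALLOWED_KEY_SIZES:
        add("error", "key size must be 1024, 2048, or 4096")
    elif p["key_size"] == 1024:
        # Added guidance, not from the page: 1024-bit keys are considered weak today.
        add("warn", "1024-bit key is weak; prefer 2048 or 4096")
    if p.get("fingerprint"):
        add("error", "Finger Print must be left blank")
    if (p.get("san_type"), p.get("san_value")) != ("NT Principal Name", "$USER_UPN$"):
        add("error", "SAN must be NT Principal Name with value $USER_UPN$")
    # iOS rule from the page: https needs a trusted (not self-signed) certificate.
    if p.get("url", "").lower().startswith("https://") and p.get("ios") \
            and not p.get("portal_cert_trusted"):
        add("error", "iOS does not accept https with a self-signed certificate")
    ctype = p.get("challenge_type")
    if ctype not in CHALLENGE_TYPES:
        add("error", "challenge type must be None, Microsoft SCEP, or Manual")
    elif ctype == "Manual" and not p.get("challenge"):
        add("error", "Manual challenge needs a pre-shared secret")
    elif ctype == "Microsoft SCEP":
        for field in ("challenge_url", "user_name", "password"):
            if not p.get(field):
                add("error", f"Microsoft SCEP challenge needs {field}")
    return findings


# Constructed sample profile (host name and credentials are placeholders).
SAMPLE = {
    "enable_proxy": True, "key_size": 1024, "fingerprint": "",
    "san_type": "NT Principal Name", "san_value": "$USER_UPN$",
    "url": "https://ndes.example.test/certsrv/mscep/mscep.dll",
    "ios": True, "portal_cert_trusted": False,
    "challenge_type": "Microsoft SCEP",
    "challenge_url": "", "user_name": "svc-scep", "password": "placeholder",
}

if __name__ == "__main__":
    for severity, message in lint_scep_profile(SAMPLE):
        print(f"{severity}: {message}")
```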


Last Updated On October 24, 2017