Product Documentation

To add a SCEP device policy for iOS

Jul 16, 2015
This policy allows you to configure iOS devices to retrieve a certificate using Simple Certificate Enrollment Protocol (SCEP) from an external SCEP server. If you want to deliver a certificate to the device using SCEP from a PKI that is connected to XenMobile, you should create a PKI entity and a PKI provider in distributed mode. For details, see PKI Entities.
  1. In the XenMobile console, click Configure > Device Policies.

    The Device Policies page appears.


    Device policies page


  2. Click Add.

    The Add a New Policy page appears.


    Select SCEP


  3. On the Add a New Policy page, click More and then under Security, click SCEP.

    The SCEP Policy information page appears.


    SCEP device policy information page


  4. In the Policy Information pane, enter the following information:
    1. Policy Name: Type a descriptive name for the policy.
    2. Description: Optionally, type a description for the policy.
  5. Click Next.

    The iOS Platform Information page appears.


    iOS SCEP policy information page


  6. On the iOS Platform Information page, enter the following information:
    1. URL base: Type the address of the SCEP server to define where SCEP requests are sent, over HTTP or HTTPS. The private key isn’t sent with the Certificate Signing Request (CSR), so it may be safe to send the request unencrypted. If, however, the one-time password is allowed to be reused, you should use HTTPS to protect the password. This step is required.
    2. Instance name: Type any string that the SCEP server recognizes. For example, it could be a domain name like If a CA has multiple CA certificates, you can use this field to distinguish the required domain. This step is required.
    3. Subject X.500 name (RFC 2253): Type the representation of a X.500 name represented as an array of Object Identifier (OID) and value. For example, /C=US/O=Apple Inc./CN=foo/, which would translate to: [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ ["", "bar" ] ] ]. You can represent OIDs as dotted numbers with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
    4. Subject alternative names type: In the list, click an alternative name type. The SCEP policy can specify an optional alternative name type that provides values required by the CA for issuing a certificate. You can specify None, RFC 822 name, DNS name, or URI.
    5. Maximum retries: Type the number of retries allowed when a user enters an incorrect password. The default is 3.
    6. Retry delay: Type a time interval after which users exceed the maximum number of retries and a lockout is enforced. The default is 10.
    7. Challenge password: Enter a pre-shared secret. This step is required.
    8. Key size (bits): In the list, click the key size in bits, either 1024 or 2048. The default is 1024.
    9. Use as digital signature: Specify whether you want the certificate to be used as a digital signature. If someone is using the certificate to verify a digital signature, such as verifying whether a certificate was issued by a CA, the SCEP server would verify that the certificate can be used in this manner prior to using the public key to decrypt the hash.
    10. Use for key encipherment: Specify whether you want the certificate to be used for key encipherment. If a server is using the public key in a certificate provided by a client to verify that a piece of data was encrypted using the private key, the server would first check to see whether the certificate can be used for key encipherment. If not, the operation fails.
    11. SHA1/MD5 fingerprint (hexadecimal string): If your CA uses HTTP, use this field to provide the fingerprint of the CA certificate, which the device uses to confirm authenticity of the CA response during enrollment. You can enter a SHA1 or MD5 fingerprint, or you can select a certificate to import its signature.
  7. Under Policy Settings, next to Remove policy, click either Select date or Duration until removal (in days).
  8. If you click Select date, click the calendar to select the specific date for removal.
  9. In the Allow user to remove policy list, click Always, Password required, or Never.
  10. If you click Password required, next to Removal password, type the necessary password.


    Policy removal settings


  11. Expand Deployment Rules and then configure the following settings: The Base tab appears by default.


    Deployment rules


    1. In the lists, click options to determine when the policy should be deployed.
      1. You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
      2. Click New Rule to define the conditions.
      3. In the lists, click the conditions, such as Device ownership and BYOD, as shown in the preceding figure.
      4. Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.
    2. Click the Advanced tab to combine the rules with Boolean options.


      Advanced deployment rules with base rules


      The conditions you chose on the Base tab appear.
    3. You can use more advanced Boolean logic to combine, edit, or add rules.
      1. Click AND, OR, or NOT.
      2. In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.

        At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.

      3. Click New Rule again if you want to add more conditions.

        In this example, the device ownership must be BYOD, the device local encryption must be True, and the device mobile country code cannot be only Andorra.

        Advanced deployment rules complete


  12. Click Next. The SCEP Policy assignment page appears.
  13. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the right-hand Delivery groups to receive app assignment list.


    Policy assignment page


  14. Expand Deployment Schedule and then configure the following settings:
    1. Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
    2. Next to Deployment schedule, click Now or Later. The default option is Now.
    3. If you click Later, click the calendar icon and then select the date and time for deployment.
    4. Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
    5. Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.
      Note: This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
    Note: The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always on connection, which does not apply to iOS.


    Deployment schedule


  15. Click Save to save the policy.