Skip to content

Configure SCEP

You can install and renew certificates on your devices using the Simple Certificate Enrollment Protocol (SCEP).

These instructions don’t apply to Chromebooks.


  • You have a SCEP-enabled Windows CA.
  • Your firewall allows inbound connections from Sophos Central. See IP addresses for AD and SCEP connections.
  • Sophos Central has HTTP or HTTPS access to <YOUR-SCEP-SERVER>/CertSrv/MSCEP_ADMIN and <YOUR-SCEP-SERVER>/CertSrv/MSCEP.

Configure SCEP

To configure SCEP, do as follows:

  1. On the menu sidebar, click Setup > Sophos setup, and then click the SCEP tab.
  2. Specify the following:

    1. In the SCEP server URL field, enter https://<YOUR-SCEP-SERVER>/CertSrv/MSCEP.
    2. In the Challenge URL field, enter https://<YOUR-SCEP-SERVER>/CertSrv/MSCEP_ADMIN.

      If you use a Windows 2003 server as the SCEP server, enter https://<YOUR-SCEP-SERVER>/CertSrv/MSCEP.

    3. In the User and Password fields, enter the user credentials of the user who can create a challenge code.

      In the User field, enter a user who has the necessary rights to enroll certificates. Use the logon format username@domain.

    4. In the Challenge characters field, select the character types that are used for the challenge password.

    5. In the Challenge length field, accept the default length.
    6. Optional: Clear the Use HTTP proxy option if you want Sophos Mobile to bypass the HTTP proxy when connecting to the SCEP server. This option is only available if the HTTP proxy is enabled.
  3. Click Save.

Sophos Mobile tests the connection to your SCEP server.


To install a certificate on your devices using SCEP, do as follows:

  1. Create a policy or edit an exiting policy. See Create policy.
  2. Add a Root certificate configuration for the SCEP server certificate to the policy.
  3. Add a SCEP configuration to the policy.
  4. In the policy’s SCEP renewal interval setting, configure the interval after which the device requests a certificate renewal.
  5. Assign the policy to your devices. See Assign a policy.

For details on the Root certificate and SCEP configurations, see the relevant help pages for your policy type.