SCEP configuration (macOS device policy)

With the SCEP configuration, you enable devices to request certificates from a Certificate Authority using the Simple Certificate Enrollment Protocol (SCEP).




The web address of the Certificate Authority server.

Use the variable %_SCEPPROXYURL_% to refer to the server URL that is configured on the SCEP tab of the System setup page.

CA name

A name that is understood by the Certificate Authority. The name can, for example, be used to distinguish between instances.


The name of the entity (for example person or device) that will receive the certificate.

You can use placeholders for user data or device properties.

The value that you enter (with placeholders replaced by the actual data) must be a valid X.500 name.

For example:

  • Enter CN=%_USERNAME_% to specify a user.
  • Enter CN=%_DEVPROP(serial_number)_% to specify a device.

For information on available placeholders, see Placeholders in profiles and policies.
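
The following added example (not part of the product or its documentation) is one way to pre-check that a Subject template still yields a valid X.500 name after placeholder replacement, including directory values that contain DN special characters such as a comma. The function names are hypothetical, the escaping follows the RFC 4514 string form, and how the product itself substitutes placeholders is not stated on this page.

```python
import re

# Placeholder syntax as shown on this page: %_USERNAME_% and %_DEVPROP(name)_%.
PLACEHOLDER = re.compile(r"%_(USERNAME|DEVPROP\((\w+)\))_%")
# Attribute type: short name or dotted OID (RFC 4514 string form).
ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+")


def escape_rdn_value(value):
    """Escape directory data so it stays inside one attribute value (RFC 4514)."""
    body = re.sub(r'(["+,;<>\\])', r"\\\1", value)
    if value[:1] in (" ", "#"):
        body = "\\" + body
    if value.endswith(" ") and len(value) > 1:
        body = body[:-1] + "\\ "
    return body


def split_unescaped(dn):
    """Split a DN string on ',' and '+' that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] in ",+":
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return parts + [cur]


def expand_subject(template, username, devprops):
    """Hypothetical pre-check: expand the Subject template and validate it."""
    if "%_" in PLACEHOLDER.sub("", template):
        raise ValueError("unsupported placeholder in template")

    def fill(match):
        raw = username if match.group(1) == "USERNAME" else devprops.get(match.group(2), "")
        if not raw:
            raise ValueError(f"no data for {match.group(0)}")
        return escape_rdn_value(raw)

    dn = PLACEHOLDER.sub(fill, template)
    for attr in split_unescaped(dn):
        atype, sep, value = attr.partition("=")
        if not sep or not ATTR_TYPE.fullmatch(atype.strip()) or not value:
            raise ValueError(f"not a valid attribute: {attr!r}")
    return dn
```

A user name such as `jdoe,OU=Admins` (constructed) comes out as `CN=jdoe\,OU=Admins`, a single attribute value, so the Subject keeps the structure the template defines.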

Type of Subject Alternative Name

To add a Subject Alternative Name (SAN) to the SCEP configuration, select the SAN type and then enter the SAN value. SAN types are:

  • RFC 822 name: A valid email address.
  • DNS name: The DNS name of the CA server.
  • Uniform resource identifier: The fully qualified URL of the CA server.

Value of Subject Alternative Name

AD user logon name

The User logon name value set in Active Directory, i.e. the user’s User Principal Name (UPN).


The web address to obtain a challenge password from the SCEP server.

Use the variable %_CACHALLENGE_% to refer to the challenge URL that is configured on the SCEP tab of the System setup page.


The number of retries if the server sends a response of type pending.

Retry delay

The number of seconds between retries.

Key size

The size of the public key in the issued certificate.

Make sure that the value matches the size configured on the SCEP server.