Configure SCEP

You can configure Sophos Mobile to use the Simple Certificate Enrollment Protocol (SCEP) for distributing certificates to Android devices, iPhones, and iPads.

Prerequisites:

  • You have a SCEP-enabled Windows CA.
  • The Sophos Mobile server has HTTP or HTTPS access to YOUR-SCEP-SERVER/CertSrv/MSCEP_ADMIN and YOUR-SCEP-SERVER/CertSrv/MSCEP.

To configure SCEP:

  1. On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the SCEP tab.
  2. Specify the following:
    1. In the SCEP server URL field, enter https://YOUR-SCEP-SERVER/CertSrv/MSCEP.
    2. In the Challenge URL field, enter https://YOUR-SCEP-SERVER/CertSrv/MSCEP_ADMIN.
      Note If you use a Windows 2003 server as the SCEP server, enter https://YOUR-SCEP-SERVER/CertSrv/MSCEP.
    3. In the User and Password fields, enter the user credentials of the user who can create a challenge code.
      Note In the User field, enter a user who has the necessary rights to enroll certificates. Use the logon format: username@domain
    4. In the Challenge characters field, select the character types that are used for the challenge password.
    5. In the Challenge length field, accept the default length.
    6. Optional Clear the Use HTTP proxy option if you want Sophos Mobile to bypass the HTTP proxy when connecting to the SCEP server. This option is only available if the HTTP proxy is enabled.

      The super administrator can configure an HTTP proxy that Sophos Mobile uses for outbound HTTP and SSL/TLS connections.

  3. Click Save.

Sophos Mobile tests the connection to your SCEP server.

To deploy a certificate using SCEP, add a SCEP configuration to an Android or iOS policy.

Tip In the policy, you can configure an interval after which the device automatically requests a certificate renewal.