You can configure Sophos Mobile to use the Simple Certificate Enrollment
Protocol (SCEP) for distributing certificates to Android devices, iPhones, and iPads.
Prerequisites:
- You have a SCEP-enabled Windows CA.
- The Sophos Mobile server has HTTP or HTTPS access to YOUR-SCEP-SERVER/CertSrv/MSCEP_ADMIN and YOUR-SCEP-SERVER/CertSrv/MSCEP.
- On the menu sidebar, under SETTINGS, click , and then click the SCEP tab.
- Specify the following:
  - In the SCEP server URL field, enter https://YOUR-SCEP-SERVER/CertSrv/MSCEP.
  - In the Challenge URL field, enter https://YOUR-SCEP-SERVER/CertSrv/MSCEP_ADMIN.
    Note: If you use a Windows 2003 server as the SCEP server, enter https://YOUR-SCEP-SERVER/CertSrv/MSCEP.
  - In the User and Password fields, enter the user credentials of the user who can create a challenge code.
    Note: In the User field, enter a user who has the necessary rights to enroll certificates. Use the logon format: username@domain
  - In the Challenge characters field, select the character types that are used for the challenge password.
  - In the Challenge length field, accept the default length.
- Optional: Clear the Use HTTP proxy option if you want Sophos Mobile to bypass the HTTP proxy when connecting to the SCEP server. This option is only available if the HTTP proxy is enabled.
  The super administrator can configure an HTTP proxy that Sophos Mobile uses for outbound HTTP and SSL/TLS connections.
- Click Save.
  Sophos Mobile tests the connection to your SCEP server.
To deploy a certificate using SCEP, add a SCEP configuration to an Android
or iOS policy.
Tip: In the policy, you can configure an interval after which the device automatically requests a certificate renewal.
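A pre-flight check for the prerequisites and the SCEP server URL above, as an added example (not Sophos code). It goes beyond the page by also reading the SCEP `GetCACaps` response defined in RFC 8894. Assumptions: the server answers `GetCACaps` at the SCEP server URL, and the capability baseline in `WANTED` is this example's own choice.

```python
"""Pre-flight check for a SCEP endpoint (added example, not Sophos code)."""
import sys
import urllib.request
from urllib.parse import urlsplit

# Assumption: baseline chosen for this example from the RFC 8894 GetCACaps keywords.
WANTED = {"POSTPKIOPERATION", "SHA-256", "AES"}
LEGACY = {"SHA-1", "DES3"}


def scep_urls(base):
    """Build the two URLs the page asks for from e.g. 'https://YOUR-SCEP-SERVER'."""
    base = base.rstrip("/")
    return {"scep": base + "/CertSrv/MSCEP",
            "challenge": base + "/CertSrv/MSCEP_ADMIN"}


def parse_cacaps(body):
    """GetCACaps returns one keyword per line; keywords are case-insensitive."""
    return {line.strip().upper() for line in body.splitlines() if line.strip()}


def assess(base, caps):
    """Return a list of findings for a base URL and its advertised capabilities."""
    findings = []
    if urlsplit(base).scheme.lower() != "https":
        findings.append("plain HTTP: challenge codes are not protected in transit")
    for cap in sorted(WANTED - caps):
        findings.append("missing capability: " + cap)
    if not caps & {"SHA-256", "SHA-512"} and caps & LEGACY:
        findings.append("only legacy algorithms advertised: "
                        + ", ".join(sorted(caps & LEGACY)))
    return findings


def fetch_cacaps(base, timeout=10):
    """Live probe: request the capability list from the SCEP server URL."""
    url = scep_urls(base)["scep"] + "?operation=GetCACaps"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_cacaps(resp.read().decode("ascii", "replace"))


# Constructed sample response, not captured from a real server.
SAMPLE = "POSTPKIOperation\nRenewal\nSHA-1\nDES3\n"

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else None
    caps = fetch_cacaps(base) if base else parse_cacaps(SAMPLE)
    for finding in assess(base or "http://YOUR-SCEP-SERVER", caps) or ["no findings"]:
        print(finding)
```

Run it from the Sophos Mobile server with the base URL as the only argument to exercise the same network path; without an argument it evaluates the constructed sample.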