Documentation

Table of Contents 


Other Resources


 

 

Introduction

Use this guide to configure Inbound Simple Certificate Enrollment Protocol (SCEP) from MobileIron VSP settings in a SecureAuth IdP realm.

The Network Device Enrollment Service (NDES) allows software on network and other devices that run without domain credentials to obtain certificates based on SCEP.

SecureAuth IdP supports both Outbound and Inbound from MobileIron SCEP calls.

Inbound SCEP Calls from MobileIron are made when the MobileIron server requests a certificate from SecureAuth IdP via SCEP. SecureAuth IdP can then retrieve a certificate from the Cloud Services, or from an on-premises CA, and MobileIron will provide the certificate to the user.

Refer to Outbound SCEP configuration guide for Outbound SCEP configuration.

 


Prerequisites

Ensure the following items have been addressed before proceeding to the configuration steps:

  • MobileIron VSP is installed and you can access server settings.
  • Access to the SecureAuth IdP Web Admin and all realms requiring Inbound MobileIron SCEP configuration.

 


SecureAuth IdP configuration steps

These configuration steps are required on each SecureAuth IdP realm that will use the Inbound MobileIron SCEP calls.

System Info

1. Select True from the Inbound SCEP Request dropdown.

No other configuration is required for specifically inbound SCEP calls from MobileIron.


NOTE: Distinct configuration is required if using MobileIron VSP Inbound SCEP calls in addition to Outbound SCEP calls (using existing on-premises CA instead of SecureAuth IdP Cloud Services).

For Inbound and Outbound SCEP Configuration

 Click here for configuration steps...

a. Select True from the Use SCEP dropdown.

b. Leave the SCEP Web Service URL as the default unless the web service is being hosted in a different location.

c. Set the SCEP / NDES URL as the SCEP / NDES Listener URL.

d. Select True from the Inbound SCEP Request.

2. Click Save once the configuration is complete and before leaving the System Info page to avoid losing changes.

License Info

3. The Company Name information is required for the MobileIron VSP Configuration Steps (below).

SecureAuth IdP IIS Manager configuration steps

It is recommended to lock down access to this realm by restricting it to the SCEP Client's IP Address.

4. In the IP Address and Domain Settings for the realm being configured on the IIS Manager, select Edit Feature Settings under the Actions menu.

5. Select Deny from the Access for unspecified clients dropdown.

6. Click Add Allow Entry, and supply either the Specific IP Address or the Range of IP of the MobileIron VSP.

 


MobileIron VSP configuration steps

If using MobileIron Inbound SCEP calls to multiple SecureAuth IdP realms, a new Profile must be created and configured on each realm.

1. In the Policies & Configs section, click Add New - SCEP.

2. Set the Name to what will be displayed on the device for this profile, e.g. SA Certificate.

3. Select SCEP from the Setting Type dropdown.

4. Set the URL to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance, followed by the realm number configured for Inbound SCEP calls, then /webservice/sceprequest.svc/Request

For example, https://secureauth.company.com/secureauth2/webservice/sceprequest.svc/Request

5. Set the Subject to the Company GUID and Company Name from the SecureAuth IdP Web Admin in the following format:

ou=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,o=Company Name

6. Click Issue Test Certificate to issue a test certificate in real time, before clicking Save.

7. Click Save.

 


Troubleshooting / common issues

Plug these URLs into a rest client to check connectivity: