Use this guide to configure Inbound Simple Certificate Enrollment Protocol (SCEP) from MobileIron VSP settings in a SecureAuth IdP realm.
The Network Device Enrollment Service (NDES) allows software on network and other devices that run without domain credentials to obtain certificates based on SCEP.
SecureAuth IdP supports both Outbound and Inbound SCEP calls from MobileIron.
Inbound SCEP Calls from MobileIron are made when the MobileIron server requests a certificate from SecureAuth IdP via SCEP. SecureAuth IdP can then retrieve a certificate from the Cloud Services, or from an on-premises CA, and MobileIron will provide the certificate to the user.
Refer to the Outbound SCEP configuration guide for Outbound SCEP configuration.
Ensure the following items have been addressed before proceeding to the configuration steps:
- MobileIron VSP is installed and you can access server settings.
- Access to the SecureAuth IdP Web Admin and all realms requiring Inbound MobileIron SCEP configuration.
SecureAuth IdP configuration steps
These configuration steps are required on each SecureAuth IdP realm that will use the Inbound MobileIron SCEP calls.
1. Select True from the Inbound SCEP Request dropdown.
No other configuration is required specifically for Inbound SCEP calls from MobileIron.
NOTE: Distinct configuration is required if using MobileIron VSP Inbound SCEP calls in addition to Outbound SCEP calls (using existing on-premises CA instead of SecureAuth IdP Cloud Services).
For Inbound and Outbound SCEP Configuration
a. Select True from the Use SCEP dropdown.
b. Leave the SCEP Web Service URL as the default unless the web service is being hosted in a different location.
c. Set the SCEP / NDES URL as the SCEP / NDES Listener URL.
d. Select True from the Inbound SCEP Request dropdown.
2. Click Save once the configuration is complete and before leaving the System Info page to avoid losing changes.
3. Note the Company Name; it is required for the MobileIron VSP configuration steps (below).
SecureAuth IdP IIS Manager configuration steps
It is recommended to lock down access to this realm by restricting it to the SCEP Client's IP Address.
4. In IIS Manager, open the IP Address and Domain Settings for the realm being configured and select Edit Feature Settings under the Actions menu.
5. Select Deny from the Access for unspecified clients dropdown.
6. Click Add Allow Entry, and supply either the Specific IP Address or the IP address range of the MobileIron VSP.
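The following is an added example, not SecureAuth or MobileIron code, that audits the IIS IP-restriction settings steps 4 to 6 produce for the realm: it parses the realm's web.config ipSecurity section and reports whether unspecified clients are still allowed and whether an Allow entry covers the VSP. The two web.config fragments and the VSP address 203.0.113.10 are constructed samples.

```python
# Added audit of the IIS ipSecurity settings behind steps 4-6 (not product code).
# The web.config fragments below are constructed samples; the VSP address is assumed.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the realm before lock-down (unspecified clients still allowed).
WEAK_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true" />
    </security>
  </system.webServer>
</configuration>"""

# Constructed sample: after steps 5 and 6 (deny unlisted, allow only the VSP).
HARDENED_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="203.0.113.10" allowed="true" />
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.240" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>"""


def audit_ip_security(config_xml, vsp_address):
    """Return a list of findings; an empty list means the realm is restricted
    to the MobileIron VSP as the guide recommends."""
    findings = []
    root = ET.fromstring(config_xml)
    sec = root.find("./system.webServer/security/ipSecurity")
    if sec is None:
        return ["no ipSecurity element: IIS applies no IP restriction to this realm"]
    # Step 5: "Access for unspecified clients" = Deny maps to allowUnlisted="false".
    if sec.get("allowUnlisted", "true").lower() != "false":
        findings.append("allowUnlisted is not false: unspecified clients can reach the SCEP listener")
    # Step 6: an Allow entry (single address or range) must cover the VSP.
    vsp = ipaddress.ip_address(vsp_address)
    covered = False
    for entry in sec.findall("add"):
        addr = entry.get("ipAddress")
        # IIS defaults 'allowed' to false; domainName-only entries are skipped.
        if addr is None or entry.get("allowed", "false").lower() != "true":
            continue
        mask = entry.get("subnetMask")
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
        covered = covered or vsp in net
    if not covered:
        findings.append(f"no Allow entry covers the VSP address {vsp_address}")
    return findings
```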
MobileIron VSP configuration steps
If using MobileIron Inbound SCEP calls to multiple SecureAuth IdP realms, a new Profile must be created and configured on each realm.
1. In the Policies & Configs section, click Add New - SCEP.
2. Set the Name to what will be displayed on the device for this profile, e.g. SA Certificate.
3. Select SCEP from the Setting Type dropdown.
4. Set the URL to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance, followed by the realm number configured for Inbound SCEP calls, then /webservice/sceprequest.svc/Request.
5. Set the Subject to the Company GUID and Company Name from the SecureAuth IdP Web Admin in the following format:
6. Click Issue Test Certificate to issue a test certificate in real time, before clicking Save.
7. Click Save.
Troubleshooting / common issues
Plug these URLs into a rest client to check connectivity: