Common: SCEP profile settings

Common: SCEP profile setting
Description 
Certificate authority connection
This setting specifies whether the CA is Entrust, OpenTrust, or another CA. If you configured one or more connections to your organization’s Entrust software or OpenTrust software, you can select one of the connections in the drop-down list. Select Generic if you are using any other CA.
If you select an Entrust or OpenTrust connection, you must then select the appropriate PKI profile and specify the necessary values. The available profiles vary based on what the Entrust or OpenTrust administrator has configured in the PKI software.
The default value is Generic.
URL
This setting specifies the URL of the SCEP service. The URL should include the protocol, FQDN, port number, and SCEP path (CGI path that is defined in the SCEP specification). You must set a value for this setting to activate a device successfully.
SCEP HTTPS URLs are supported by iOS devices and BlackBerry 10 OS version 10.3.0 and later.
Instance name
This setting specifies the name of the CA instance. 
The value can be any string that is understood by the SCEP service. For example, it could be a domain name like example.org. If a CA has multiple CA certificates, this field can be used to distinguish which one is required.
Verify SCEP server connection trust chain
This setting specifies whether BlackBerry UEM verifies that the root CA of the SCEP server is stored in the BlackBerry UEM certificate store to allow BlackBerry UEM to trust the SCEP server when testing connections, retrieving challenge passwords, and acting as a proxy for SCEP requests from devices.
SCEP challenge type
This setting specifies whether the SCEP challenge password is dynamically generated or provided as a static password. If this setting is set to "Static," every device uses the same challenge password. If this setting is set to "Dynamic," every device receives a unique challenge password.
Possible values:
  • Static
  • Dynamic
The default value is Dynamic.
For Windows devices, only "Static" passwords are supported.
Challenge password generation URL
This setting specifies the URL that devices use to obtain a dynamically generated challenge password from the SCEP service. The URL should include the protocol, domain, port, and SCEP path (CGI path that is defined in the SCEP specification). If you use a dynamic challenge password, you must set a value to activate BlackBerry 10 devices successfully.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Authentication type
This setting specifies the authentication type devices use to connect to the SCEP service and obtain a challenge password.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Possible values:
  • Basic
  • NTLM
The default value is Basic.
Domain
This setting specifies the domain used for NTLM authentication when devices connect to the SCEP service to obtain a challenge password.
This setting is valid only if the "Authentication type" setting is set to "NTLM."
Username
This setting specifies the username required to obtain a challenge password from the SCEP service.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Password
This setting specifies the password required to obtain the challenge password from the SCEP service.
This setting is valid only if the "SCEP challenge type" setting is set to "Dynamic."
Challenge password
This setting specifies the challenge password that a device uses for certificate enrollment. If you use a static challenge password, you must set a value for this setting to activate BlackBerry 10 devices successfully.
This setting is valid only if the "SCEP challenge type" setting is set to "Static."
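
The dependencies between these settings can be checked before a profile is assigned to devices. The following Python code is an added example, not BlackBerry code: the dictionary keys and the `device_os` argument are hypothetical names for the settings above, and the host-name test is a heuristic.

```python
from urllib.parse import urlsplit

# Hypothetical key names for the settings on this page, not BlackBerry UEM identifiers.
DEFAULTS = {"challenge_type": "Dynamic", "auth_type": "Basic"}  # defaults per the page
# setting -> (controlling setting, required value), from the "valid only if" lines
VALID_ONLY_IF = {k: ("challenge_type", "Dynamic")
                 for k in ("challenge_url", "auth_type", "username", "password")}
VALID_ONLY_IF.update(domain=("auth_type", "NTLM"),
                     challenge_password=("challenge_type", "Static"))

def url_problems(url):
    """Check for the parts the page asks for: protocol, host name, port, SCEP path."""
    try:
        parts = urlsplit(url or "")
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return ["cannot be parsed as a URL"]
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("missing protocol")
    if not parts.hostname or "." not in parts.hostname:  # heuristic for a qualified name
        problems.append("missing or unqualified host name")
    if port is None:
        problems.append("missing port number")
    if parts.path in ("", "/"):
        problems.append("missing SCEP path")
    return problems

def lint_profile(profile, device_os=None):
    """Return a list of findings; an empty list means no rule on this page is violated."""
    p = {**DEFAULTS, **profile}
    findings = [f"url: {m}" for m in url_problems(p.get("url"))]
    for key, (ctl, needed) in VALID_ONLY_IF.items():
        if key in profile and p[ctl] != needed:
            findings.append(f"{key}: valid only when {ctl} is {needed}")
    if p["challenge_type"] == "Dynamic":
        if device_os == "Windows":
            findings.append("challenge_type: Windows devices support only Static")
        if p.get("challenge_url"):
            findings += [f"challenge_url: {m}" for m in url_problems(p["challenge_url"])]
        else:
            findings.append("challenge_url: required for Dynamic (BlackBerry 10 activation)")
    elif not p.get("challenge_password"):
        findings.append("challenge_password: required for Static (BlackBerry 10 activation)")
    return findings

# Constructed sample: a Static profile whose URL lacks protocol and port
SAMPLE = {"url": "scep.example.org/scep", "challenge_type": "Static", "domain": "EXAMPLE"}
if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```

A setting reported as "valid only when" is one the page says does not apply under the current challenge or authentication type, so it usually points at a profile that was switched between Static and Dynamic without being cleaned up.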