
Configure iOS/iPadOS enrollment via SCEP

DigiCert® Trust Lifecycle Manager supports web-based iOS/iPadOS certificate enrollments via the Simple Certificate Enrollment Protocol (SCEP) to facilitate direct provisioning of certificates to Apple iPhones and iPads without the need to deploy a full-scale MDM/UEM solution.

Prerequisites

  • Your Trust Lifecycle Manager account needs the SCEP and Enable iOS/iPadOS features enabled in DigiCert® Account Manager.

  • You need an issuing CA in DigiCert® CA Manager that is configured to Allow CA to decrypt and sign SCEP packets.

  • Your DigiCert ONE instance must be set up to sign Apple .mobileConfig files using a public CA certificate, so that the device shows the downloaded profile as verified rather than unsigned.

Note

If you use the cloud-hosted version of DigiCert ONE, contact your DigiCert account representative for help with these prerequisites. For on-premises deployments, reach out to your DigiCert system administrator.

Available certificate templates

Use the following base templates to create certificate profiles in Trust Lifecycle Manager for iOS/iPadOS enrollment of private device or user certificates from issuing CAs in DigiCert® CA Manager.

Template name                 Seat type
Generic Device Certificate    Device
Generic User Certificate      User

Create certificate profile in Trust Lifecycle Manager

To create a certificate profile for iOS/iPadOS enrollment:

  1. From the Trust Lifecycle Manager main menu, select Manage > Profiles.

  2. Select the Create profile from template action at the top of the page.

  3. Select one of the base templates listed above as the basis for creating the certificate profile:

    • Generic Device Certificate to enroll certificates for devices.

    • Generic User Certificate to enroll certificates for users.

    Work through the profile creation wizard, focusing on the iOS/iPadOS-related options described below and making other selections for your business needs and types of certificates you want to issue. After filling out each screen, select Next to move to the next screen.

  4. On the initial Primary options screen of the profile creation wizard, configure the:

    • General information: Select the applicable business unit and SCEP-enabled issuing CA to issue certificates.

    • Enrollment method: Select iOS/iPadOS.

    • Authentication method: Enrollment Code is automatically selected for you for iOS/iPadOS-based enrollments. You can adjust the enrollment code settings.

  5. On the Certificate options screen:

    • Subject DN and SAN fields: Select the fields to include in the Subject Distinguished Name (DN) and Subject Alternative Name (SAN) of issued certificates.

      For each field, select the source of its value: Entered/Uploaded by Admin if the administrator supplies the value at enrollment time, or Fixed Value if the profile sets the same value in every certificate it issues.

      By default, only the Common name is included and configured to have its value Entered/Uploaded by Admin. If you only need a common name in your certificates and want to set it at enrollment time, you don't need to make any other selections here.

  6. On the Additional options screen:

    • Certificate delivery format is set to X.509 PEM and cannot be changed, as this is the delivery format Trust Lifecycle Manager uses for SCEP-based enrollment.

  7. On the Advanced settings screen:

    • Seat ID Mapping: Select one of the available certificate fields to use as the seat ID when enrolling certificates via iOS/iPadOS. The default selection is to use the certificate common name as the seat ID in Trust Lifecycle Manager.

    • iOS device profile configuration: The Web authentication settings use case is automatically enabled as this is currently the only supported use case for iOS-based enrollments.

  8. Select Create to save the new certificate profile.

Create and enroll seats against the profile in bulk

Create a CSV file

Create a CSV file in the following format to use to create seats and assign enrollment codes to them in Trust Lifecycle Manager:

seat_id,seat_name,enrollment_code,enrollment_email

For example:

seat01,seat01,817902767,seat01@acme.com

In this example, 817902767 is the enrollment code needed to validate the enrollment on the Apple device. Treat enrollment codes as one-time secrets: generate them randomly rather than sequentially, because the emailed link plus the code is all that is needed to obtain a certificate for that seat.

Important

The enrollment link gets emailed to the address provided in the enrollment_email field. Make sure to provide a valid email address here for each iOS/iPadOS enrollment.
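The page shows the CSV layout but not how to produce it safely for many seats. The following is an added example, not DigiCert's code: it generates one cryptographically random enrollment code per seat, rejects duplicate seat IDs and malformed addresses before anything is uploaded, and writes the file with the exact header Trust Lifecycle Manager expects. The nine-digit numeric code format is an assumption taken from the page's example; the seat data in the block is constructed.

```python
"""Generate a Trust Lifecycle Manager bulk-enrollment CSV with random enrollment codes."""
import csv
import io
import re
import secrets

# Column order used by the bulk seat upload (from the page).
FIELDS = ["seat_id", "seat_name", "enrollment_code", "enrollment_email"]

# ASSUMPTION: the page's example code is nine digits; the exact format
# Trust Lifecycle Manager accepts is not documented here. Adjust if needed.
CODE_DIGITS = 9

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def new_enrollment_code(digits=CODE_DIGITS):
    """Return a zero-padded numeric code drawn from the OS CSPRNG.

    secrets.randbelow is used instead of the random module so that one code
    reveals nothing about the next; the enrollment link plus this code is all
    a holder needs to obtain a certificate for the seat.
    """
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def build_rows(seats):
    """seats: iterable of (seat_id, seat_name, enrollment_email) tuples.

    Fails fast on duplicate/empty seat IDs and malformed e-mail addresses,
    because a bad address means the enrollment link is never delivered.
    """
    rows, seen_ids, used_codes = [], set(), set()
    for seat_id, seat_name, email in seats:
        if not seat_id or seat_id in seen_ids:
            raise ValueError(f"duplicate or empty seat_id: {seat_id!r}")
        if not _EMAIL_RE.match(email):
            raise ValueError(f"invalid enrollment_email for {seat_id}: {email!r}")
        seen_ids.add(seat_id)
        code = new_enrollment_code()
        while code in used_codes:  # collisions are vanishingly rare; keep codes unique anyway
            code = new_enrollment_code()
        used_codes.add(code)
        rows.append({"seat_id": seat_id, "seat_name": seat_name,
                     "enrollment_code": code, "enrollment_email": email})
    return rows


def to_csv(rows):
    """Serialise rows with the header line the bulk upload expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_csv(text):
    """Read a CSV back and confirm the header before uploading it."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != FIELDS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    return list(reader)


if __name__ == "__main__":
    # Constructed sample seats (not from the page): one row per device to enrol.
    sample_seats = [
        ("seat01", "seat01", "seat01@acme.com"),
        ("seat02", "Ward A iPad", "seat02@acme.com"),
    ]
    print(to_csv(build_rows(sample_seats)), end="")
```

Run it and redirect the output to a file, then upload that file in the bulk seat operation described below; keep the generated file access-controlled, since it contains every seat's enrollment code in clear text.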

Upload CSV to create/enroll seats

Upload the CSV file to create the seat records and register the enrollment codes in Trust Lifecycle Manager:

  1. Select Manage > Seats from the Trust Lifecycle Manager main menu.

  2. Select the button to Manage seats in bulk.

  3. Select the applicable seat type for the iOS/iPadOS-enabled profile you created (either Device or User seats).

  4. In the Operation dropdown, select Create/Update seats.

  5. Check off Do you wish to enroll the Seats against a profile?

  6. Select CSV file contains enrollment codes from the enrollment code generation method dropdown.

  7. Select your iOS/iPadOS-enabled profile from the certificate profiles dropdown.

  8. Drag your CSV file into the upload area or click to select it from your computer.

    The system creates seat IDs based on the values in the CSV file (if they do not already exist) and generates pending enrollments for them using the enrollment codes. To verify:

    • Select Manage > Seats from the Trust Lifecycle Manager main menu to check the created seat records.

    • Select Manage > Enrollments to check the pending code-based enrollments.

Validate the enrollment and install the certificate on the Apple device

Warning

The Safari web browser is required to complete these steps.

After validating the enrollment and downloading the .mobileConfig file, you must install the profile within 8 minutes or it gets automatically deleted by iOS/iPadOS as a security precaution. To avoid issues, complete both of the following steps in a single session.

Validate the enrollment and download the profile

  1. Locate the enrollment link, which is emailed to the address used when creating/enrolling the seat in Trust Lifecycle Manager.

  2. Use the Safari web browser to open the enrollment link on the Apple device where you want to install the certificate.

  3. Enter the corresponding enrollment code for the seat record in Trust Lifecycle Manager.

  4. Upon successful validation, the response includes the signed .mobileConfig file.

  5. Select Allow to enable Safari to download the profile.

    (Screenshot: Safari prompt asking to allow the profile download)

Install the profile and certificate

  1. Go to Settings > General > Device Management on the Apple device (labeled VPN & Device Management on recent iOS/iPadOS versions; a Profile Downloaded entry also appears near the top of Settings after the download).

  2. Verify the profile details and select Install to install it.

    (Screenshot: profile details with the Install button)

  3. iOS generates the key pair on the device, submits a SCEP certificate request to Trust Lifecycle Manager, and installs the issued certificate together with the profile's payloads. The private key never leaves the device.
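Before tapping Install, it is worth looking at what the downloaded profile actually asks the device to do. The following is an added example, not DigiCert's or Apple's code: it unwraps a signed .mobileConfig with openssl (verifying the signer chain against a CA bundle when one is given, which is the check iOS performs before labelling the profile verified) and then audits each SCEP payload using Apple's documented SCEP payload keys (URL, Subject, Challenge, Key Type, Keysize, CAFingerprint). The embedded sample profile is constructed; its URL, identifiers and challenge are placeholders, and the exact payload Trust Lifecycle Manager emits is not shown on this page.

```python
"""Unwrap a downloaded .mobileconfig and audit its SCEP payload(s) before installing."""
import plistlib
import subprocess
from pathlib import Path

SCEP_PAYLOAD_TYPE = "com.apple.security.scep"
MIN_RSA_BITS = 2048


def unwrap_mobileconfig(path, ca_file=None):
    """Return the plist bytes inside a profile.

    A signed .mobileconfig is a DER-encoded CMS SignedData blob; openssl extracts
    the content. With ca_file set, the signer chain is verified against that
    bundle. Without it, -noverify skips the signature check, which is fine for
    inspection but must not be used as a trust decision.
    """
    data = Path(path).read_bytes()
    if data.lstrip().startswith(b"<?xml") or data.startswith(b"bplist"):
        return data  # already an unsigned plist
    cmd = ["openssl", "smime", "-verify", "-inform", "DER", "-in", str(path)]
    cmd += ["-CAfile", ca_file] if ca_file else ["-noverify"]
    return subprocess.run(cmd, check=True, capture_output=True).stdout


def audit_scep_payloads(plist_bytes):
    """Summarise every SCEP payload and flag settings a practitioner should question."""
    profile = plistlib.loads(plist_bytes)
    results = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != SCEP_PAYLOAD_TYPE:
            continue
        scep = payload.get("PayloadContent", {})  # the SCEP-specific dictionary
        url = scep.get("URL", "")
        keysize = int(scep.get("Keysize", 0))
        findings = []
        if not url.startswith("https://"):
            findings.append("SCEP URL is not HTTPS; the enrollment exchange is unprotected in transit")
        if keysize < MIN_RSA_BITS:
            findings.append(f"Keysize {keysize} is below {MIN_RSA_BITS}")
        if "Challenge" not in scep:
            findings.append("no Challenge: the CA cannot tie this request to an enrollment")
        if "CAFingerprint" not in scep:
            findings.append("no CAFingerprint: the device cannot pin the CA certificate it fetches")
        results.append({
            "identifier": payload.get("PayloadIdentifier"),
            "url": url,
            "subject": scep.get("Subject"),
            "key_type": scep.get("Key Type"),
            "keysize": keysize,
            "has_challenge": "Challenge" in scep,
            "findings": findings,
        })
    return results


def make_sample_profile(url="https://scep.example.invalid/scep", keysize=2048,
                        challenge="example-challenge", ca_fingerprint=True):
    """Build a constructed profile (placeholders, not a real TLM download) as plist bytes."""
    scep = {
        "URL": url,
        "Name": "Example Issuing CA",
        "Subject": [[["CN", "seat01"]]],   # Apple's nested-array DN encoding
        "Key Type": "RSA",
        "Keysize": keysize,
        "Key Usage": 5,                    # digital signature + key encipherment
    }
    if challenge is not None:
        scep["Challenge"] = challenge
    if ca_fingerprint:
        scep["CAFingerprint"] = bytes(20)  # placeholder SHA-1 digest, all zeros
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep-enrollment",
        "PayloadUUID": "0D8A5F3C-1C0E-4E0B-9C7D-0123456789AB",
        "PayloadDisplayName": "Example SCEP enrollment",
        "PayloadContent": [{
            "PayloadType": SCEP_PAYLOAD_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.scep-enrollment.scep",
            "PayloadUUID": "1E2F3A4B-5C6D-4E7F-8A9B-0C1D2E3F4A5B",
            "PayloadContent": scep,
        }],
    })


SAMPLE_PROFILE = make_sample_profile()

if __name__ == "__main__":
    import sys
    plist = unwrap_mobileconfig(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None) \
        if len(sys.argv) > 1 else SAMPLE_PROFILE
    for entry in audit_scep_payloads(plist):
        print(entry)
```

Run it as `python audit.py profile.mobileconfig /etc/ssl/cert.pem` to both verify the signer chain and list the SCEP settings; an empty findings list means the payload uses an HTTPS SCEP URL, an RSA key of at least 2048 bits, a challenge, and a pinned CA fingerprint.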