Протокол SCEP используется для автоматического выпуска сертификатов для устройств
- Инициация запроса сертификата с помощью протокола SCEP происходит непосредственно с самого устройства
- Apple "из коробки" поддерживает только SCEP Static Challenge
- Рекомендуется ограничить запрос сертификатов только для доверенных устройств
¶ Примеры профилей MDM
¶ SCEP Dynamic Challenge для сервера NDES Microsoft CA
Необходимые поля:
- URL: адрес сервера SCEP / NDES, к которому будет обращаться устройство
- Subject: CN=$SerialNumber
- Challenge: $MSSCEPCHALLENGE
- Key Size: 4096
- Key Size: RSA
- Fingerprint
- NdesLogin
- NdesPassword
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>AllowAllAppsAccess</key>
<true/>
<key>CAFingerprint</key>
<string>$CAFINGERPRINT</string>
<key>CertificateRenewalTimeInterval</key>
<integer>14</integer>
<key>Challenge</key>
<string>$MSSCEPCHALLENGE</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>KeyIsExtractable</key>
<true/>
<key>Keysize</key>
<integer>4096</integer>
<key>NdesLogin</key>
<string>Some_Login</string>
<key>NdesPassword</key>
<string>Some_password</string>
<key>NdesUrl</key>
<string>http://adcs.ringomdm.ru/CertSrv/mscep_admin/</string>
<key>Retries</key>
<integer>2</integer>
<key>RetryDelay</key>
<integer>30</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>$SERIALNUMBER</string>
</array>
</array>
</array>
<key>URL</key>
<string>http://adcs.ringomdm.ru/certsrv/mscep/mscep.dll</string>
</dict>
<key>PayloadDescription</key>
<string>step</string>
<key>PayloadDisplayName</key>
<string>SCEP</string>
<key>PayloadIdentifier</key>
<string>88F88F888-888D-8888-B888-F8DCF88DB8E8</string>
<key>PayloadOrganization</key>
<string>Nudge</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>88F88F888-888D-8888-B888-F8DCF88DB8E8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEP_cut</string>
<key>PayloadIdentifier</key>
<string>1A88888C-888E-888D-AFC8-88CBC888A8F8</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A8F88888-EA88-88DC-B888-FD88AC8A8C88</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
¶ SCEP Static Challenge
Необходимые поля:
- URL: адрес сервера SCEP / NDES, к которому будет обращаться устройство
- Subject: CN=%SerialNumber%
- SubjectAltName: rfc822Name
- Challenge
- Key Size: 4096
- Fingerprint
- Use as digital Signature
- Use for key encipherment
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>CAFingerprint</key>
<data>
kPnCFh2u2VsT+qeEEm98Ow==
</data>
<key>Challenge</key>
<string>553B185B6004A97F0C7DAB5AA36795BD</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>4096</integer>
<key>Name</key>
<string>ADCS-CA</string>
<key>Retries</key>
<integer>3</integer>
<key>RetryDelay</key>
<integer>10</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>%HardwareUUID%</string>
</array>
</array>
</array>
<key>SubjectAltName</key>
<dict>
<key>rfc822Name</key>
<string>%ProductName%</string>
</dict>
<key>URL</key>
<string>http://adcs.ringomdm.ru/certsrv/mscep/mscep.dll</string>
</dict>
<key>PayloadDescription</key>
<string>Configures SCEP settings</string>
<key>PayloadDisplayName</key>
<string>SCEP</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.scep.B193C47D-02A3-4B1A-B595-C7567A60C5F4</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>B193C47D-02A3-4B1A-B595-C7567A60C5F4</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEP</string>
<key>PayloadIdentifier</key>
<string>FA6C8587-99B0-4A2F-89BE-27CE4E516BCB</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A05D2A72-98DD-445A-8676-8001640342EC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
¶ SCEP Proxy
Необходимые поля:
- URL: адрес сервера Ринго, к которому будет обращаться устройство
- Subject: CN=$SerialNumber
- Challenge: $MSSCEPCHALLENGE
- Key Size: 4096
- Key Size: RSA
- Fingerprint
- NdesLogin
- NdesPassword
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>AllowAllAppsAccess</key>
<true/>
<key>CAFingerprint</key>
<string>$CAFINGERPRINT</string>
<key>CertificateRenewalTimeInterval</key>
<integer>14</integer>
<key>Challenge</key>
<string>$MSSCEPCHALLENGE</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>KeyIsExtractable</key>
<true/>
<key>Keysize</key>
<integer>4096</integer>
<key>NdesLogin</key>
<string>Some_Login</string>
<key>NdesPassword</key>
<string>Some_password</string>
<key>NdesUrl</key>
<string>http://adcs.ringomdm.ru/CertSrv/mscep_admin/</string>
<key>Retries</key>
<integer>2</integer>
<key>RetryDelay</key>
<integer>30</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>$SERIALNUMBER</string>
</array>
</array>
</array>
<key>URL</key>
<string>https://scep.ringomdm.ru/scep-proxy</string>
</dict>
<key>PayloadDescription</key>
<string>step</string>
<key>PayloadDisplayName</key>
<string>SCEP</string>
<key>PayloadIdentifier</key>
<string>88F88F888-888D-8888-B888-F8DCF88DB8E8</string>
<key>PayloadOrganization</key>
<string>Nudge</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>88F88F888-888D-8888-B888-F8DCF88DB8E8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEPproxy</string>
<key>PayloadIdentifier</key>
<string>1A88888C-888E-888D-AFC8-88CBC888A8F8</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A8F88888-EA88-88DC-B888-FD88AC8A8C88</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>