
iOS enrollment without SCEP?

Created: 17 Aug 2012 • Updated: 23 Aug 2012 | 5 comments
This issue has been solved. See solution.

I have the MDM certificate installed on our mobile management server. The CA on our domain is on a Server 2003 machine, and I added the SCEP plugin. When I visit http://caserver/certsrv I see a page, but not when I visit http://caserver/certsrv/mscep_admin

The prerequisite checker fails when checking for SCEP. When run from my SMP server, it tries to reach http://caserver/certsrv/mscep_admin and returns a 401 unauthorized code. I have already added the user SCEP is running under to the IIS_WPG domain group.

Is it possible to get an iPad enrolled without using SCEP? I am doing a test on 5-10 right now. I could not get much from the documentation. But right now under "iOS MDM Enrollment Configuration" the dropdown "Cryptographic credential used for authentication" is blank, and even after entering the push certificate subject, "Save changes" is grayed out.

If anyone has set this up using Server 2003 CA, please let me know what documentation you used.


5 Comments

Arun_Singh's picture

To successfully enrol an iOS device you must either have an internal certificate, which is issued by a Certificate Authority (SCEP is the protocol used to issue a certificate), or you must use a third-party certificate, e.g. Verisign.

The whitepaper written by Microsoft is your best resource for setting up a proper CA ( However, if this is only for testing the product, the following video provides a quick tutorial:

Once you have set up a CA, follow the following KB:

Mina Gerges's picture

An alternative to SCEP/NDES is using Symantec MPKI or an identity certificate; however, using an identity certificate is not recommended for a production environment.

N.B. SCEP/NDES is not supported on AD 2003, or you will need to change the AD schema; thus for testing you can use an identity certificate, and when you go live (production) you have to update your AD schema or use Symantec MPKI.

Another point to keep in mind is the need for an SSL connection as per iOS 5.x; below is a detailed article on how to use an in-house / non-commercial SSL certificate and configure SMM to work with it.

zchandran's picture

I was able to enroll the devices by exporting the certificate as described in the article, and then adding that as a credential. I will have to wait until we go to AD 2008 before I can switch over to SCEP.



HighTower's picture

We're using 2003 AD with the 2008R2 schema, 2003 CA, and 2008R2 SCEP/NDES...

Mina Gerges's picture

You can use an identity certificate for testing purposes only: