Specifying SCEP Parameters for an External CA

Jamf Pro Documentation 11.16.0

  1. In Jamf Pro, click Settings in the sidebar.
  2. In the Global section, click PKI certificates.
  3. Click the Management Certificate Template tab, and then click External CA.
  4. Click Edit.
  5. Use the External CA pane to specify SCEP parameters.
  6. Choose the type of challenge password to use from the Challenge Type pop-up menu:
    • Static

      If you want all computers and mobile devices to use the same challenge password, choose "Static" and specify a challenge password. The challenge password will be used as the pre-shared secret for automatic enrollment.

    • Dynamic
      If you are using a non-Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose "Dynamic". The "Dynamic" challenge type requires the use of either a webhook or a Java Service Provider Interface (SPI) plug-in:
      • Webhook Method (recommended)

        For details on the webhook method, see SCEPChallenge in the "Webhooks" section of the Jamf Pro Developer Portal.

      • Java SPI Plug-in Method

        The Java SPI plug-in method only works for on-premises Jamf Pro installations. This method has the same functionality as the webhook method; however, it requires membership in the Jamf Developer Program. Before choosing the "Dynamic" challenge type, contact Jamf Support to learn more about the Jamf Developer Program and the additional steps needed to use this method.

      Note:

      The "Dynamic" challenge type requires you to use user-initiated enrollment or automated device enrollment to enroll computers and mobile devices so that a unique challenge password is used for each device.

      For more information on user-initiated enrollment, see:

      For information on automated device enrollment, see:

    • Dynamic-Microsoft CA
      If you are using a Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose "Dynamic-Microsoft CA".
      Note:
      • When using the "Dynamic-Microsoft CA" challenge type, the Username field requires the down-level logon name format. For more information, see the Using Name Formats documentation from Microsoft.

      • The "Dynamic-Microsoft CA" challenge type requires you to use user-initiated enrollment to enroll computers and mobile devices so that a unique challenge password is used for each device. For more information, see:
    • Dynamic-Entrust
      If you are using an Entrust CA, choose "Dynamic-Entrust".
      Note:

      If you enable Jamf Pro as SCEP Proxy and you are integrating with an Entrust CA, additional steps are needed to distribute certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

  7. Click Save.