Configure certificates using Simple Certificate Enrollment Protocol (SCEP) or a file path in a blueprint to connect devices to networks that require authentication and encryption.
In this article:
- Setting Up SCEP Configurations
- Attaching SCEP Configurations to an EAP-TLS Wi-Fi
- Setting Up Via File Path
Setting Up SCEP Configurations
There are two methods for setting up SCEP configurations through the Esper console.
- Setting up over EAP-TLS Wi-Fi
Use this method if your certificate authority (CA) is cloud-hosted. For this method, devices are trusted by default. SCEP is a protocol that automatically enrolls (and renews) digital certificates for devices. Use it with Wi-Fi network connections and Esper management to simplify certificate management across many devices. SCEP is often chosen when IT admins need to scale their fleet securely.
- Setting Up via File Path
Use this method if CA files will be pushed to devices. Admins should develop a tracking system in order to generate new certificates and schedule updates during designated maintenance windows.
At the moment, these methods cannot be combined.
Attaching SCEP Configurations to an EAP-TLS Wi-Fi
Requirements for SCEP via EAP-TLS Wi-Fi:
- Android devices
- Esper Agent version 8.10+
- Before applying the SCEP configuration, devices should be provisioned in Esper. Devices will need to be connected to an alternative network to receive the configuration.
A blueprint is used to configure SCEP and apply it to devices.
In a blueprint, go to the Connectivity section under the Android tab.
Under Wi-Fi Access Points, choose Add Wi-Fi Access Point.
Then add the following information:
- The SSID: The name of the network
- Security Type: EAP
- EAP Method: TLS
- Identity: The network identity (if applicable)
- Hidden status: The hidden status of the network.
- Domain: The domain must match your RADIUS server domain.
- Certificate Configuration Method: SCEP Configuration
- SCEP URL: The SCEP URL.
- Challenge Password: The challenge password.
- Renewal Threshold: The percentage of the certificate's validity period after which the renewal task is triggered. For example, if set to 80% on January 1st, you could expect the threshold to be met on October 19th for a non-leap year.
After setting up the SCEP configuration, save and publish the blueprint. Then converge the device(s) to the blueprint.
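The renewal-threshold arithmetic above can also drive the tracking system the article asks admins to keep for certificates pushed by file path. The sketch below is an added example, not Esper code: the function names, the inventory, the one-year validity period behind the October 19th figure, and the weekly Sunday 02:00 UTC maintenance window are all assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def renewal_due_at(not_before, not_after, threshold_pct):
    """Instant at which threshold_pct of the validity period has elapsed."""
    if not 0 < threshold_pct <= 100:
        raise ValueError("threshold must be in (0, 100]")
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return not_before + (not_after - not_before) * (threshold_pct / 100)

def first_window_on_or_after(moment, weekday=6, hour=2):
    """Assumed policy: one weekly maintenance window (default Sunday 02:00 UTC)."""
    candidate = moment.replace(hour=hour, minute=0, second=0, microsecond=0)
    candidate += timedelta(days=(weekday - candidate.weekday()) % 7)
    if candidate < moment:
        candidate += timedelta(days=7)
    return candidate

def plan(inventory, threshold_pct, now):
    """Return one (label, status, due, window) row per tracked certificate."""
    rows = []
    for label, not_before, not_after in inventory:
        due = renewal_due_at(not_before, not_after, threshold_pct)
        window = first_window_on_or_after(max(due, now))
        if now >= not_after:
            status = "EXPIRED"
        elif window >= not_after:
            status = "URGENT"   # no maintenance window left before expiry
        elif now >= due:
            status = "RENEW"    # past threshold, a window is still available
        else:
            status = "OK"
        rows.append((label, status, due, window))
    return rows

# Constructed inventory: labels and validity dates are illustrative only.
INVENTORY = [
    ("kiosk-cert-a", datetime(2023, 1, 1, tzinfo=UTC), datetime(2023, 12, 31, 23, 59, 59, tzinfo=UTC)),
    ("kiosk-cert-b", datetime(2023, 3, 1, tzinfo=UTC), datetime(2023, 10, 21, tzinfo=UTC)),
    ("kiosk-cert-c", datetime(2023, 6, 1, tzinfo=UTC), datetime(2024, 6, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    now = datetime(2023, 10, 20, 12, tzinfo=UTC)
    for label, status, due, window in plan(INVENTORY, 80, now):
        print(f"{label:14} {status:8} due={due:%Y-%m-%d} window={window:%Y-%m-%d %H:%M}")
```

A certificate reported as URGENT expires before the next assumed window, so it needs an out-of-window push.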
Checking the SCEP certificate on a Device
To check that the SCEP certificate has been added to a device, access the device’s network configurations (manually on a physical device or through a Remote Control session). Under Wi-Fi, go to Saved Networks.
You’ll see the network you set up in the blueprint was applied.
Tap on the pencil icon to see further information.
Verify the device’s identity and RADIUS server domain. Then press Connect.
Your device may temporarily lose its connection with the console. Upon successfully connecting to the new network, the device will use the SCEP protocol.
Setting Up Via File Path
Requirements:
- Android 13+ devices
- Esper Agent 7.18.1175+
Transferring the Certificate via Content Management
If the CA file is not yet on your devices, you can use the Esper console’s Content Management feature to push the file to devices. Learn more about using Content Management to transfer files.
When you transfer the files, take note of the file path. You will need this file path when setting up the blueprint.
Ensure that the file was successfully pushed by manually checking for it or by using the File Manager.
Setting Up EAP-TLS via File Path
Once the certificate is pushed to your devices, go to Blueprint Manager in the Esper console. In a blueprint, go to the Connectivity section under the Android tab.
Under Wi-Fi Access Points, choose Add Wi-Fi Access Point.
Then enter the following:
- SSID: The name of the network.
- Security Type: EAP
- EAP Method: TLS
- Identity: The identity, if applicable.
- Hidden: The network’s hidden status.
- Domain: The certificate domain.
- Certificate Configuration Method: Certificate File Path
- Certificate File Path: The file path where the certificate is located on the device.
- Certificate Password: The password, if applicable.
After setting up the configuration, save and publish the blueprint. Then converge the device(s) to the blueprint.