JAMF SCEP Configuration

Follow these steps and the screenshots to configure JAMF to use Foxpass's SCEP for an EAP-TLS network.

Download Active Server CA

Download active Server CA from the SCEP page by clicking 'Download CA' under 'Server Certificate Authorities'.

Download Active Server CA

Download Active Server CA

Configure SCEP Profile

  • Click on 'Certificates'
  • Name - <e.g. Foxpass SCEP>
  • Distribution Method - Install Automatically

  • URL - Obtain the URL from SCEP page. It will be mentioned below 'Unique Endpoint' heading on the SCEP page. If you need to create a SCEPEndpoint, please see the screenshot below for reference. Copy the endpoint from Foxpass console and paste it under URL in Apple Configurator.
SCEP URL Location

Ensure that you set Verification Type to 'User' and Authentication Type to 'Challenge Password'. The challenge password will be auto-generated upon creation.

  • Subject - CN=<user's email address>
  • Challenge - Copy the Challenge password from the SCEP page.
  • Fingerprint - Click 'Upload Certificate' and select the CA certificate you downloaded earlier.


Email Address is required!

Make sure that every user in JAMF has an email address associated with their profile.

> 📘 Allow export from Keychain?

We recommend you don't allow export from Keychain, despite what the following screenshot shows.

Configure WiFi Profile

  • SSID - Your network's SSID Note: this must match EXACTLY, including capital letters.
  • Security Type - WPA/WPA 2 Enterprise
  • Accepted EAP Types - TLS
  • Identity Certificate - Select SCEP from the dropdown.

The profile will be installed and you can see a SCEP certificate under 'Client Certificates' on the SCEP page.

Sample SCEP certificate

Sample SCEP certificate


If there are any SCEP errors, it will be displayed as an alert in red colored box on the top of the SCEP page of the Foxpass console.