Kandji MDM SCEP/EAP-TLS

This document provides a comprehensive guide on configuring SCEP (Simple Certificate Enrollment Protocol) using Kandji MDM for EAP-TLS authentication with Foxpass. It outlines the necessary steps to integrate and manage certificates, ensuring secure and automated network authentication for macOS devices enrolled in Kandji. By following this guide, you can streamline certificate management and enhance the security of your wireless networks using EAP-TLS.

Download Foxpass Active Server CA

  • Download Foxpass Server CA by clicking the 'Download CA' button in the active CA section on the EAP-TLS page, which is located under 'Server Certificate Authorities'.
Foxpass Server CA

Configure Wi-Fi profile in Kandji

Follow the steps below in Kandji MDM:

  • Go to the library.
  • Click 'Add New'

Click 'Add new' button

  • Search for Wi-Fi in the search box.
  • Click on Wi-Fi under Profiles.
  • Click 'Add and Configure'
Add Wi-Fi profile

Add and configure Wi-Fi profile

Make settings as below. Anything not mentioned, leave as the default.

  • Give a name to your profile. For example, <Foxpass Wi-Fi profile>
  • Install on: Mac
  • Assign it to the proper blueprint.
Configure Wi-Fi profile


  • Service Set Identifier: <YOUR SSID> Note: This must match your network's SSID name exactly, including capitalization. The SSID 'Foxpass EAP-TLS' in the screenshot is just an example.
  • Authentication Type: WPA2 Enterprise

Sample SSID configuration


  • Accepted EAP Types: TLS
  • Username (optional): Leave blank
  • Identity certificate: SCEP
  • Click on 'Configure SCEP certificate' button.
  • URL: Copy the URL of the endpoint from the Foxpass SCEP page and paste it here. Create a SCEP endpoint if it doesn't exist. Set Verification Type to 'None'.
Copy and note the URL and the challenge password

Create a SCEP endpoint if it doesn't exist

  • Name: Leave blank
  • Challenge: Paste the Challenge password of the endpoint noted from the Foxpass SCEP page.
  • Fingerprint: (leave blank)
  • Subject: CN=$EMAIL
  • Specify Subject Alternative Names (SAN): SAN Type: RFC 822 Name: $EMAIL
Configure settings

  • Key Size: 4096
  • Key Usage: None
  • Automatic profile redistribution: Yes

  • Certificate Trust: Select "Specify trusted certificates".
  • Upload the Server Certificate Authority that you downloaded earlier.
  • Click Save.
Save the profile
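
An added check, not part of the Foxpass or Kandji documentation: a Python audit of a configuration profile against the settings listed above. It assumes the delivered profile uses Apple's standard `com.apple.wifi.managed` and `com.apple.security.scep` payload keys; the embedded sample profile, its UUIDs, URL, challenge and e-mail address are constructed placeholders.

```python
import plistlib

# Constructed sample, not a Kandji export: UUIDs, URL, challenge and e-mail are placeholders.
SAMPLE = {"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-UUID",
     "PayloadContent": b"constructed-ca-bytes"},
    {"PayloadType": "com.apple.security.scep", "PayloadUUID": "SCEP-UUID",
     "PayloadContent": {"URL": "https://scep.example.invalid/placeholder",
                        "Challenge": "constructed-challenge", "Keysize": 4096,
                        "Subject": [[["CN", "user@example.com"]]],
                        "SubjectAltName": {"rfc822Name": "user@example.com"}}},
    {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-UUID",
     "SSID_STR": "Foxpass EAP-TLS", "EncryptionType": "WPA2",
     "PayloadCertificateUUID": "SCEP-UUID",
     "EAPClientConfiguration": {"AcceptEAPTypes": [13],
                                "PayloadCertificateAnchorUUID": ["CA-UUID"]}}]}

CA_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")

def audit_profile(data: bytes, expected_ssid: str) -> list:
    """Return findings; an empty list means the profile matches the guide's settings."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    first = lambda t: next((p for p in payloads if p.get("PayloadType") == t), {})
    wifi, scep = first("com.apple.wifi.managed"), first("com.apple.security.scep")
    eap, req = wifi.get("EAPClientConfiguration", {}), scep.get("PayloadContent", {})
    ca_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") in CA_TYPES}
    findings = []
    if wifi.get("SSID_STR") != expected_ssid:        # comparison is case-sensitive
        findings.append("SSID does not match exactly")
    if wifi.get("EncryptionType") != "WPA2":
        findings.append("encryption type is not WPA2")
    if eap.get("AcceptEAPTypes") != [13]:            # 13 is the EAP method number for EAP-TLS
        findings.append("accepted EAP types are not TLS only")
    if not scep or wifi.get("PayloadCertificateUUID") != scep.get("PayloadUUID"):
        findings.append("identity certificate is not the SCEP payload")
    anchors = eap.get("PayloadCertificateAnchorUUID", [])
    if not anchors or not set(anchors) <= ca_uuids:  # anchors must point at a bundled CA payload
        findings.append("no trusted server CA bundled in the profile")
    if req.get("Keysize") != 4096:
        findings.append("SCEP key size is not 4096")
    cn = next((v for rdn in req.get("Subject", []) for k, v in rdn if k == "CN"), None)
    if cn is None or req.get("SubjectAltName", {}).get("rfc822Name") != cn:
        findings.append("subject CN and RFC 822 SAN do not match")
    return findings

if __name__ == "__main__":
    print(audit_profile(plistlib.dumps(SAMPLE), "Foxpass EAP-TLS") or "profile matches the guide")
```
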

Enroll your device

Enroll your device in Kandji if it is not enrolled already. The enrollment URL is your Kandji URL followed by /enroll. Follow the on-screen instructions and install the profile on your Mac. Once the profile is installed, you will be connected to your configured SSID. You can see the status of your profile in Kandji by clicking your device and then clicking the dropdown of your Wi-Fi profile.

Sample status of Wi-Fi profile

You can check successful/unsuccessful logs on the RADIUS logs page.

RADIUS logs