How to Configure SCEP / NDES for Symantec Mobile Management for Symantec Management Platform

Article ID: 181737

Products

Mobile Management


Resolution

SMM for SMP: Network Device Enrollment Service (NDES/SCEP)

In an MPKI network where client certificates are required, the standard method for issuing certificates to network devices is an NDES.  Currently iOS devices require the Simple Certificate Enrollment Protocol (SCEP) upon enrollment.  In SMM for SMP, the NDES role resides on a Windows server in the environment.  NDES requires that a CA exist within the environment; the CA may be on the same server as the NDES role, although this is not recommended.  The NDES role may be installed on the MMS, but the CA role cannot be on the MMS (due to self-signed certificate limitations).

Required items:

·        Windows Server 2008 R2

·        Existing CA

·        Domain Account with Cryptographic Privileges

 

1.      To add the NDES role, go to the Server Manager and add the “Active Directory Certificate Services” role.

2.      Click Next through to the “Select Role Services” page and check “Network Device Enrollment Service” and “Certificate Enrollment Web Service” (CEWS).

Note: If this server is not the CA, uncheck the “Certificate Authority” role to be able to add the two additional role services.  Additionally: if this is being installed on the MMS, do NOT add the CA role to the MMS.  If this is an off-box CA, install the CA role with the role defaults, using a key length of at least 2048 bits.  The NDES and CEWS role services may be added later.

3.      Click Next and specify a user account for the role service.

Note: This service account does not need to have an SPN set, but it will need to be added to the local machine’s “IIS_IUSRS” group.

4.      Next, specify a CA for NDES enrollment by selecting “Browse…” and navigating to a qualified CA.

5.      Specify a Registration Authority (RA) name.

6.      For the “Signature key CSP” and “Encryption key CSP” select “Microsoft Strong Cryptographic Provider”.

7.      Specify a CA for the SCEP service.

8.      Set “Authentication Type”.

9.      Specify an Account Credential for SCEP.

10.   Leave the remaining role services at their defaults and click Next through to the installation.

Set SCEP password to never expire

11.   Once the installation is complete, open regedit and change the “UseSinglePassword” value from “0” to “1”, located in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword

12.   Restart the server.
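The same registry change made from an elevated PowerShell prompt, with a read-back check, as an added example that is not part of the Symantec article. It assumes NDES is already installed on the server and that the DWORD value under the key named above is itself called UseSinglePassword (the standard NDES layout).

```powershell
# Added example (not from the Symantec article): set the NDES "UseSinglePassword"
# DWORD to 1 from an elevated PowerShell prompt instead of regedit.
# Assumption: the value under the key is also named "UseSinglePassword".

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword'
$valueName = 'UseSinglePassword'

# The key only exists once the Network Device Enrollment Service role is installed.
if (-not (Test-Path $keyPath)) {
    throw "Registry key '$keyPath' not found. Is the NDES role installed on this server?"
}

# Record the current setting so the change can be rolled back if needed.
$before = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host "Current $valueName = $before"

# 0 = a fresh challenge password per request (default), 1 = one static password.
Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord

# Re-read and verify rather than trusting the write.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne 1) {
    throw "Failed to set $valueName (value is now '$after')."
}
Write-Host "$valueName set to 1. NDES reads this at service start, so restart the server before use."
```

With UseSinglePassword set to 1 the challenge shown by mscep_admin stays valid for every enrollment until it is changed, so treat the mscep_admin page and the console setting that stores the password with the same access controls you would apply to any shared credential.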

13.   Obtain the CA certificate “HASH” value and the enrollment password by browsing to https://localhost/certsrv/mscep_admin and logging in as either a Domain Administrator or the service account specified in step 3.

14.   Copy the hash and challenge password to the “SCEP Servers” settings section of the Mobile Management Console.

Note: The “URL” needs to be accessible from the enrolling device.  The default enrollment URL is https://<FQDN>/CertSrv/MSCEP/MSCEP.dll

15.   From the “iOS Enrollment” settings page of the Mobile Management Console, select the icon next to “Cryptographic credential used for authentication”.

Add a new SCEP setting, selecting the newly created SCEP configuration from the “SCEP Server” list.  Set the Subject to something simple like “CN=MobileSCEP” and set the “Key Size” to 2048; Save Changes.
16.   Close the sub-window and select the newly created credential and Save changes.

Troubleshooting SCEP

·        SCEP enrollment returns an invalid response:
http://www.symantec.com/business/support/index?page=content&id=TECH185305

·        500 Error after changing the registry value to 1:

  1. Open IIS Manager.

  2. In the navigation pane, click Application Pools.

  3. In Application Pools, click SCEP.

  4. In the Actions Pane, click Advanced Settings.

  5. Under Process Model, click Load User Profile. Set to True.

  6. Click OK to all open dialog boxes.

  7. Restart IIS.
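The same Load User Profile fix applied with the WebAdministration module instead of IIS Manager, as an added example that is not from the article. It assumes an elevated prompt on the NDES server, IIS 7.5 on Windows Server 2008 R2 with the WebAdministration module available, and the application pool name SCEP that the NDES role creates.

```powershell
# Added example (not from the Symantec article): apply "Load User Profile = True"
# to the SCEP application pool with the WebAdministration module.
# Assumes IIS 7.5 (Windows Server 2008 R2), an elevated prompt, and the
# application pool name "SCEP" created by the NDES role.

Import-Module WebAdministration

$poolPath = 'IIS:\AppPools\SCEP'

if (-not (Test-Path $poolPath)) {
    throw "Application pool 'SCEP' not found. Is the NDES role installed on this server?"
}

# Show the current value so the change is visible in the session transcript.
$current = (Get-ItemProperty -Path $poolPath -Name processModel).loadUserProfile
Write-Host "SCEP pool loadUserProfile before: $current"

# NDES runs under the service account and needs that account's profile (its
# registry hive and certificate store) loaded; without it mscep_admin returns 500.
Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true

# Verify the write before restarting anything.
$updated = (Get-ItemProperty -Path $poolPath -Name processModel).loadUserProfile
if (-not $updated) {
    throw "loadUserProfile is still false on the SCEP pool."
}

# Restart IIS so the pool picks up the new setting, then confirm the pool is running.
iisreset /restart | Out-Null
Start-Sleep -Seconds 5
$state = (Get-WebAppPoolState -Name 'SCEP').Value
Write-Host "SCEP pool state after restart: $state"
```

If the pool state is not Started after the restart, check the Windows event log for the pool's identity (the step 3 service account) failing to log on, since a wrong password or a missing IIS_IUSRS membership fails in the same way.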

 

·        Invalid SCEP Configuration upon enrollment:

Check the enrollment URL and see whether it is accessible from the enrolling device.  The enrollment URL page will look something like this:
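A scripted version of the enrollment URL check, added here as an example that is not from the article: it sends the SCEP GetCACert request a device issues first and prints the fingerprints of the certificate(s) NDES returns, so the hash copied into the “SCEP Servers” setting can be compared against what the device will actually receive. It assumes it is run from a machine on the same network path as the enrolling devices; ndes.example.com is a placeholder for your NDES FQDN.

```powershell
# Added example (not from the Symantec article): send a SCEP GetCACert request
# to the NDES enrollment URL and print the fingerprints of the certificate(s)
# it returns. Placeholder: replace ndes.example.com with your NDES FQDN.

Add-Type -AssemblyName System.Security   # SignedCms (PKCS#7) lives in this assembly

$enrollUrl = 'https://ndes.example.com/CertSrv/MSCEP/MSCEP.dll'

# GetCACert is the first SCEP operation a device sends. NDES answers with either a
# single DER certificate (application/x-x509-ca-cert) or a PKCS#7 bundle of the
# CA and RA certificates (application/x-x509-ca-ra-cert).
$client = New-Object System.Net.WebClient
try {
    $bytes = $client.DownloadData("$enrollUrl?operation=GetCACert&message=ca")
} catch {
    # PowerShell wraps .NET exceptions; unwrap to get at the WebException.
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    $resp = $null
    if ($ex -is [System.Net.WebException]) { $resp = $ex.Response }
    if ($resp) {
        # Reachable, but NDES/IIS rejected the request (401, 500, ...).
        Write-Host ("Reachable, but HTTP {0} {1}" -f [int]$resp.StatusCode, $resp.StatusDescription)
    } else {
        # DNS, firewall or TLS failure: the device fails the same way.
        Write-Host "Not reachable: $($ex.Message)"
    }
    return
}

$contentType = $client.ResponseHeaders['Content-Type']
Write-Host "GetCACert answered, Content-Type: $contentType ($($bytes.Length) bytes)"

# An HTML answer means IIS served an error page instead of NDES (see the 500 item above).
if ($contentType -like 'text/html*') {
    Write-Host 'Got HTML instead of a certificate; check the SCEP application pool.'
    return
}

# Decode either response form into X509Certificate2 objects.
if ($contentType -like 'application/x-x509-ca-ra-cert*') {
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($bytes)
    $certs = @($cms.Certificates)
} else {
    $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes))
}

# mscep_admin labels its value only as a thumbprint (hash), so print both MD5 and
# SHA-1 and compare against whichever form the page shows.
$md5 = [System.Security.Cryptography.MD5]::Create()
foreach ($cert in $certs) {
    $md5Hex = [System.BitConverter]::ToString($md5.ComputeHash($cert.RawData)) -replace '-', ''
    Write-Host ("Subject : {0}" -f $cert.Subject)
    Write-Host ("Issuer  : {0}" -f $cert.Issuer)
    Write-Host ("SHA-1   : {0}" -f $cert.Thumbprint)
    Write-Host ("MD5     : {0}" -f $md5Hex)
}
```

A reachable URL that returns the expected CA certificate but still produces “Invalid SCEP Configuration” on the device points at the console side: re-check that the hash, challenge password and URL pasted in step 14 match what this script and mscep_admin show, including the FQDN the device can resolve.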