Using SCEP Certificates with Okta and SureMDM for Zero Trust Security

SCEP Certificates with Okta and SureMDM

For businesses embracing zero-trust principles, secure certificate-based authentication isn’t just nice to have—it’s a necessity. With Okta as your Identity Provider (IdP) and SureMDM as your unified endpoint management solution, you can now seamlessly distribute and manage device certificates using Simple Certificate Enrollment Protocol (SCEP).

This blog will guide you through:

  • Why use SCEP certificates with Okta and SureMDM
  • Step-by-step guide to configuring SCEP in Okta
  • How to configure the Okta SCEP CA server with SureMDM
  • Real-world examples and use cases

Why Use SCEP with Okta and SureMDM?

SCEP allows for secure, scalable, and automated issuance of device certificates. When Okta is configured as a CA and SureMDM manages the device endpoints, this integration brings the best of both identity and device management together. The integration is supported for multiple platforms.

Benefits:

  • Automates certificate enrollment and renewal.
  • Secures Wi-Fi, VPN, and app access without passwords.
  • Reduces manual overhead for IT teams.
  • Ensures consistent certificate policies across the device fleet.
  • Supports compliance and audit requirements with centralized logging and control.

Step-by-step guide to configuring SCEP in Okta

Step 1: Configuring SCEP in Okta

Here’s how to prepare your Okta environment to issue certificates via SCEP:

Log in and Access Admin Settings

  1. Log in to your Okta portal
  2. Click on the Admin button in the top-right corner to open the Admin Console

Navigate to Device Integration Settings

  1. Go to Security → Device Integrations
  2. Click on Add Platform

Configure the Platform for Certificate Distribution

  1. In the setup wizard:
    • Choose Platform Type as:
      Desktop (Windows and macOS only)
    • Click Next
  2. For SCEP URL Challenge Type, select:
    • Static or Dynamic depending on your organization’s security preference

Generate and Save SCEP Configuration

  1. Click Generate under the SCEP URL section
  2. Copy the SCEP URL and Secret Key values shown
  3. Click Save to finalize the SCEP platform configuration

You will use these SCEP values (SCEP URL & Secret Key) while creating a certificate profile in SureMDM.
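Before pasting the SCEP URL into SureMDM it is worth confirming that the endpoint is reachable and advertises the capabilities a modern enrollment client expects. The script below is an added example, not part of the original post or of Okta's or SureMDM's tooling; it assumes the endpoint answers the standard SCEP GetCACaps operation (RFC 8894) and uses only the Python standard library. The SCEP_URL value is a placeholder for the URL generated in Okta.

```python
"""Pre-flight check of a SCEP endpoint's advertised capabilities (GetCACaps).

Added example for this walkthrough; not vendor code. Assumes the SCEP URL
copied from Okta's Device Integrations page (placeholder below).
"""
import urllib.parse
import urllib.request

# Placeholder: replace with the SCEP URL copied from Okta (constructed value).
SCEP_URL = "https://example.okta.com/scep/PLACEHOLDER"

# Capabilities a current SCEP client (e.g. Windows MDM enrollment) relies on.
REQUIRED_CAPS = {"POSTPKIOperation", "SHA-256", "AES"}


def build_operation_url(scep_url: str, operation: str, message: str = "") -> str:
    """Build a SCEP GET URL: <scep_url>?operation=<op>[&message=<msg>]."""
    params = {"operation": operation}
    if message:
        params["message"] = message
    return f"{scep_url}?{urllib.parse.urlencode(params)}"


def parse_ca_caps(body: str) -> set:
    """GetCACaps returns one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def assess_ca_caps(caps: set) -> dict:
    """Flag missing required capabilities and a CA that offers only legacy
    algorithms (no SHA-2 digest, no AES), which would weaken the enrollment
    transaction itself."""
    missing = REQUIRED_CAPS - caps
    weak_only = not (caps & {"SHA-256", "SHA-512"}) or "AES" not in caps
    return {
        "missing_required": sorted(missing),
        "supports_renewal": "Renewal" in caps,
        "weak_only": weak_only,
        "ok": not missing,
    }


def fetch_ca_caps(scep_url: str, timeout: float = 10.0) -> set:
    """Live query of the endpoint; not exercised by the offline sample below."""
    url = build_operation_url(scep_url, "GetCACaps")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_ca_caps(resp.read().decode("ascii", errors="replace"))


# Constructed sample responses shaped like typical GetCACaps bodies.
SAMPLE_CAPS_BODY = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-512\nSCEPStandard\n"
SAMPLE_LEGACY_BODY = "DES3\nSHA-1\n"

if __name__ == "__main__":
    for label, body in (("modern", SAMPLE_CAPS_BODY), ("legacy", SAMPLE_LEGACY_BODY)):
        print(label, assess_ca_caps(parse_ca_caps(body)))
    # To check the real endpoint: print(assess_ca_caps(fetch_ca_caps(SCEP_URL)))
```

Run it as-is to see the two constructed cases; swap in the generated URL and call fetch_ca_caps to test the live endpoint. A response lacking POSTPKIOperation or any SHA-2 digest is a sign the URL is wrong or the CA is misconfigured, and is cheaper to find here than after a fleet-wide profile push.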

Step 2: Configure Certificate Management in SureMDM Account Settings

As part of the SCEP integration process, certificate management must be configured at the SureMDM account level. This setup defines how SureMDM will communicate with the Certificate Authority (CA) using the details provided by Okta.

Follow these steps:

1. Access Certificate Management Settings

  1. Log in to the SureMDM Web Console
  2. Click the Settings (gear icon) in the top-right corner
  3. Navigate to Account Settings → Certificate Management

2. Fill in Certificate Authority Details

Provide the following values:

  • Certificate Management Method: SCEP
  • Connection Type: Cloud Connector
  • CA Server Address: Enter the SCEP server address provided by Okta
  • Certificate Template: Enter the name of the certificate template configured in Microsoft CA
  • Certificate Renewal Period: Set certificate validity duration
  • Common Name Wildcard: Select one of the following:
    • MAC Address
    • IMEI
    • Device ID
    • Serial Number
    • Custom Wildcard/Values — for example: cn=%emailaddress%
  • Subject Alternate Name Wildcard: Select one of the following:
    • MAC Address
    • IMEI
    • Device ID
    • Serial Number
    • Custom Wildcard/Values
  • Challenge Type: Select the same option as configured in Okta under the “SCEP URL Challenge Type” — either Static or Dynamic

💡 Important: The Challenge Type must exactly match what was configured in Okta’s SCEP URL Challenge Type setting. Mismatched settings can cause certificate requests to fail.

3. Save the Configuration

Once all required fields are filled, click Save to finalize the certificate authority connection at the account level. This config will now be referenced in your platform-specific profiles.

Step 3: Creating a SCEP Certificate Profile in SureMDM

After setting up Certificate Management in Account Settings, the next step is to create a certificate profile for Windows devices. This profile uses the SCEP configuration defined earlier and deploys certificates to targeted devices.

Here’s how to set it up:

Navigate to Profile Section

  • Log in to the SureMDM Web Console
  • Go to Profiles from the top navigation
  • Select Windows as the platform
  • Click on Add to create a new profile
  • Choose Certificate from the list of available payloads

Add a SCEP Certificate Configuration

  • Click on the Add Certificate Configure button
  • A configuration popup will appear
  • Check the box “Retrieve certificate from CA server” to enable SCEP-based configuration

Now fill in the following details:

  • Install Context: Choose either Device or User
  • Certificate Usage: Select Wi-Fi or General
  • Certificate Name: Enter a label for this certificate 

Once configured, saving and deploying the profile will initiate certificate requests to the Certificate Authority based on configurations at Account Settings → Certificate Management and install the certificate on all targeted devices.

Override Account-wide Certificate Management Settings (Optional)

If the certificate authority differs from the one defined in Account Settings → Certificate Management, follow the steps below to deploy the certificate using a profile-specific Okta configuration:

  • Check the box labeled “Override Account-wide Certificate Management settings”

Once checked, the configuration is similar to Step 2 (Certificate Management section) configurations. These include:

  • CA Server Address
  • Certificate Template
  • Certificate Renewal Period
  • Common Name Wildcard
  • Subject Alternate Name Wildcard
  • Challenge Type, and more

This allows admins to define and deploy alternative certificate configurations directly within the profile, without affecting the global account-wide settings.

💡 This is especially useful when you need to deploy a certificate from a different Certificate Authority (e.g., Internal CA vs External CA or department specific certificate templates) that hasn’t been configured globally.

Step 4: Deploy and Monitor

Assign this profile to Windows devices or groups. Devices will:

  • Request certs from Okta via the SCEP endpoint
  • Receive and install them silently
  • Use the certs for secure access (e.g., Wi-Fi, VPN)

Admins can monitor and track the certificates issued and pending renewal at Account Settings → Certificate Management → Get Managed Certificates.
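The managed-certificate view gives you the raw inventory; the script below turns an export of it into a renewal triage. It is an added example, not part of the original post or of SureMDM's tooling, and it assumes an export with device, subject and not_after columns (the sample rows are constructed). Beyond expiry it also flags a subject issued to more than one device, which usually means the Common Name wildcard resolved to a constant rather than a per-device value.

```python
"""Renewal and duplicate-subject triage over a managed-certificate inventory.

Added example for this walkthrough; not vendor code. Column names
(device, subject, not_after as ISO 8601 UTC) are assumed.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed sample export; LAPTOP-004 deliberately shares alice's subject.
SAMPLE_INVENTORY = """device,subject,not_after
LAPTOP-001,CN=alice@example.com,2025-03-01T00:00:00Z
LAPTOP-002,CN=bob@example.com,2025-06-15T00:00:00Z
LAPTOP-003,CN=carol@example.com,2026-01-01T00:00:00Z
LAPTOP-004,CN=alice@example.com,2026-01-01T00:00:00Z
"""

# Assumption: treat a certificate as due when 30 days or less remain.
RENEWAL_WINDOW = timedelta(days=30)


def parse_inventory(text: str) -> list:
    """Parse the CSV export into dicts with a timezone-aware not_after."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        not_after = datetime.strptime(row["not_after"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "device": row["device"],
            "subject": row["subject"],
            "not_after": not_after.replace(tzinfo=timezone.utc),
        })
    return rows


def triage(rows: list, now: datetime, window: timedelta = RENEWAL_WINDOW) -> dict:
    """Bucket devices as expired / due / ok relative to `now`."""
    out = {"expired": [], "due": [], "ok": []}
    for r in rows:
        remaining = r["not_after"] - now
        if remaining <= timedelta(0):
            out["expired"].append(r["device"])
        elif remaining <= window:
            out["due"].append(r["device"])
        else:
            out["ok"].append(r["device"])
    return out


def duplicate_subjects(rows: list) -> dict:
    """Subjects present on more than one device (possible wildcard misconfig)."""
    by_subject = defaultdict(list)
    for r in rows:
        by_subject[r["subject"]].append(r["device"])
    return {s: sorted(d) for s, d in by_subject.items() if len(d) > 1}


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    print(triage(inventory, datetime.now(timezone.utc)))
    print(duplicate_subjects(inventory))
```

Feed it the real export instead of SAMPLE_INVENTORY and run it on a schedule; anything in the expired bucket means a device will fail EAP-TLS or VPN authentication until the profile re-enrolls it.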

Real-world examples and Use Cases 

Here are some practical scenarios where this integration adds real value:

Wi-Fi Authentication Without Passwords

Deploy certificates to authenticate devices to enterprise Wi-Fi networks (e.g., 802.1X, EAP-TLS, EAP-PEAP and WPA3-Enterprise) — no more shared keys or user-driven setups.

VPN Access Control

Use certificates to authenticate managed devices into VPN tunnels. Certificates ensure only enrolled, compliant devices can connect.

Zero-Touch Device Provisioning or User-less devices

During device onboarding (OOBE, Autopilot, Automated Device Enrollment (ADE/DEP) or Zero-Touch Provisioning (ZTP)), automatically install identity certificates via MDM + SCEP, allowing secure app access from day one.

School/Education Use Case

In the education sector, securely connecting student laptops to Wi-Fi networks without manual setup or shared passwords improves both security and the student experience while keeping IT overhead low.

BYOD and Contractor Scenarios

Certificates can be short-lived and automatically revoked, making them perfect for temporary users or unmanaged endpoints that still need secure access.

Compliance and Reporting

With centralized control and visibility in SureMDM and Okta, IT admins can demonstrate certificate-based access enforcement during audits.

Final Thoughts

The Okta-SureMDM SCEP integration enables IT teams to automate and strengthen authentication workflows, making device trust as scalable as identity management.

This integration between Okta + SureMDM using SCEP unlocks:

  • Seamless and secure certificate issuance
  • Passwordless device authentication
  • Better compliance and device hygiene
  • A strong foundation for Zero Trust security

Whether you’re running a large enterprise or a mid-sized educational institution, this setup helps you meet the demands of secure access, minimal friction, and efficient device provisioning.
