Workspace ONE Integration with MTG CLM via SCEP

This page describes the technical steps required to integrate Workspace ONE with MTG CLM for automated certificate enrollment using the SCEP protocol.

Prerequisites

  • MTG CLM version 5.0 installed and configured

  • MTG SCEP Server version 5.0 installed and configured

  • MTG CARA version 2.7.7

  • API Client and Secret created in Keycloak for SCEP authentication

Preparation

  1. Ensure MTG CLM and MTG SCEP Server are both installed and operational.

  2. The API Client and Secret required for SCEP must be generated in Keycloak and configured in MTG SCEP Server.

MTG SCEP Server Configuration

  1. Install and configure MTG SCEP Server.

  2. Set the API Client credentials and shared secret.

  3. If using a static challenge, configure the static challenge value as required.

Policy Setup in MTG CLM

  • Create at least one policy in MTG CLM. The policy defines the certificate attributes (e.g., subject name, key length, usage).

  • Copy the Policy ID for use in Workspace ONE configuration.

  • Multiple policies can be created for different use cases (e.g., user certificates, device certificates, macOS, VPN, or organizational branches).

The policy must use RSA as the key algorithm; this is a limitation of the SCEP protocol, not of MTG CLM.

Trust Chain Distribution

Ensure that root and intermediate CA certificates are distributed to all managed devices. This is required for devices to trust certificates issued by your CA. Workspace ONE can be used to distribute these certificates, especially for on-premise root CAs not present by default on devices.

Workspace ONE Configuration

For more detailed instructions, please refer to the original guide.

  1. In Workspace ONE, configure a new SCEP profile.

  2. Set Authority Type to "Generic SCEP."

  3. Use the SCEP URL in the format mtg.pki.de/scep/<policy_id>, where <policy_id> is the Policy ID copied from the MTG CLM policy.

  4. Configure the certificate request template in Workspace ONE UEM to match the attributes defined in the MTG CLM policy (subject name, key length, usage, etc.).

For enrollment to succeed, every parameter in the Workspace ONE template must match the corresponding value in the MTG CLM policy; any mismatch causes the request to be rejected.
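The matching requirement above is easy to get wrong by hand when several policies exist. The following pre-flight checker is an added example, not code from MTG or VMware: it compares a CLM policy with a Workspace ONE template, builds the per-policy SCEP URL, and additionally enforces the two constraints stated elsewhere in this guide (RSA keys only, macOS/iOS only). The attribute names (subject_name, key_algorithm, key_length, key_usage, platform), the https scheme, the "operation=" query form of standard SCEP GET requests (RFC 8894) and the policy id are assumptions or constructed placeholders, not MTG or Workspace ONE identifiers.

```python
from urllib.parse import urlencode

# Hostname from the guide; the https scheme and the query form of SCEP GET
# operations (RFC 8894, GetCACaps / GetCACert) are assumptions, not MTG specifics.
SCEP_BASE_URL = "https://mtg.pki.de/scep"

# Attributes that must agree between the CLM policy and the UEM template.
# These names are hypothetical labels for the console fields, not product API names.
MATCHED_ATTRIBUTES = ("subject_name", "key_algorithm", "key_length", "key_usage")
SUPPORTED_PLATFORMS = {"macOS", "iOS"}


def scep_url(policy_id, operation=None):
    """Return the per-policy SCEP URL, optionally with a SCEP GET operation."""
    url = f"{SCEP_BASE_URL}/{policy_id}"
    if operation is not None:
        url += "?" + urlencode({"operation": operation})
    return url


def _normalise(value):
    """Order-insensitive comparison for multi-valued fields such as key usage."""
    if isinstance(value, (list, tuple, set)):
        return frozenset(str(v).lower() for v in value)
    return value


def check_profile(policy, template):
    """Compare a CLM policy with a Workspace ONE template.

    Returns a list of problems; an empty list means every matched attribute
    agrees, the key algorithm is RSA and the platform is one the guide covers.
    """
    problems = []
    for attr in MATCHED_ATTRIBUTES:
        if attr not in policy:
            problems.append(f"policy has no '{attr}'")
        elif attr not in template:
            problems.append(f"template has no '{attr}'")
        elif _normalise(policy[attr]) != _normalise(template[attr]):
            problems.append(
                f"'{attr}' differs: policy={policy[attr]!r} template={template[attr]!r}"
            )
    if str(policy.get("key_algorithm", "")).upper() != "RSA":
        problems.append("policy key algorithm must be RSA (SCEP limitation)")
    if template.get("platform") not in SUPPORTED_PLATFORMS:
        problems.append(f"platform {template.get('platform')!r} is not macOS or iOS")
    return problems


# Constructed sample data; the policy id is a placeholder, not a real CLM id.
POLICY = {
    "id": "example-policy-id",
    "subject_name": "CN={DeviceUid},OU=Devices,O=Example",
    "key_algorithm": "RSA",
    "key_length": 2048,
    "key_usage": ["digitalSignature", "keyEncipherment"],
}
TEMPLATE_OK = {
    "platform": "macOS",
    "subject_name": "CN={DeviceUid},OU=Devices,O=Example",
    "key_algorithm": "RSA",
    "key_length": 2048,
    "key_usage": ["keyEncipherment", "digitalSignature"],  # order differs, still matches
}
TEMPLATE_BAD = {
    "platform": "Windows",
    "subject_name": "CN={DeviceUid},OU=Devices,O=Example",
    "key_algorithm": "RSA",
    "key_length": 4096,
    "key_usage": ["digitalSignature"],
}

if __name__ == "__main__":
    print(scep_url(POLICY["id"], "GetCACaps"))
    for name, tmpl in (("ok", TEMPLATE_OK), ("bad", TEMPLATE_BAD)):
        print(name, check_profile(POLICY, tmpl) or "no mismatches")
```

Running the script prints the GetCACaps URL for the sample policy, no mismatches for the first template, and three findings for the second (key length, key usage and an unsupported platform). Key usage is compared as a set so that differing order in the two consoles does not produce a false mismatch.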

Certificate Enrollment Process

  • Devices receive the SCEP URL via Workspace ONE.

  • The private key is generated on the device and remains on the device.

  • The device requests a certificate from MTG CLM via SCEP, using the policy ID.

  • Certificates are issued according to the configured policy and installed on the device.

Notes & Limitations

  • ⚠️ This guide is intended for enrolling macOS and iOS devices only; Windows, Android and other operating systems are not supported.

  • ⚠️ Only RSA keys and certificates are supported in this integration.

  • ⚠️ If the trust chain is not present on the device, certificate-based authentication and encryption will fail.

  • ⚠️ All configuration steps must be completed for successful automated certificate lifecycle management.

Related Sections & External Links