The payload that configures Simple Certificate Enrollment Protocol (SCEP) settings.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
Payload Content PayloadContent A dictionary containing the SCEP information. 13 subkeys | dictionary | required | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ URL URL The SCEP URL. See Over-the-Air Profile Delivery and Configuration for more information about SCEP. | string | required | — | ✓Yes | macOS (10.7+) |
└─ Name Name A string that's understood by the SCEP server; for example, a domain name like example.org. If a certificate authority has multiple CA certificates, this field can be used to distinguish which is required. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ Subject Subject The representation of an X.500 name as an array of OID and value.
For example, `/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar` translates to `[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], …, [ [ "1.2.5.3", "bar" ] ] ]`.
OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ └─ Array Inside SCEP Subject Array SCEPSubjectArrayInnerArray 1 subkey | array | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) | |
└─ └─ └─ Subject Array Pair SCEPSubjectArrayPair 1 subkey | array | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) | |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 1 subkey (deeply nested - 1 subkey). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) | ||
└─ Challenge Challenge A preshared secret. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ Key Size Keysize The key size, in bits. | integer | optional | 1024 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ Key Type Key Type Always `RSA`. | string | optional | RSA | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ Key Usage Key Usage A bitmask indicating the use of the key. Possible values:
- `1`: Signing
- `4`: Encryption
Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time. | integer | optional | 0 | ✓Yes | macOS (10.11+) |
└─ Fingerprint CAFingerprint The fingerprint of the Certificate Authority certificate. | data | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ Retries Retries The number of times the device should retry if the server sends a PENDING response. | integer | optional | 3 | ✓Yes | macOS (10.10+) |
└─ Retry Delay RetryDelay The number of seconds to wait between subsequent retries. The first retry is attempted without this delay. | integer | optional | 10 | ✓Yes | macOS (10.10+) |
└─ Subject Alt Name SubjectAltName The SCEP payload can specify an optional `SubjectAltName` dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you're using, but might include DNS name, URL, or email values. For an example, see Sample Configuration Profile or Over-the-Air Profile Delivery and Configuration. 4 subkeys | dictionary | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ └─ RFC 822 Name rfc822Name The RFC 822 (email address) string. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ └─ DNS Name dNSName The DNS name. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ └─ URI uniformResourceIdentifier The Uniform Resource Identifier. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ └─ NT Principal Name ntPrincipalName The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (9.0+)visionOS (1.0+)watchOS (3.0+) |
└─ KeyIsExtractable KeyIsExtractable If `false`, the system disables exporting the private key from the keychain. | boolean | optional | true | ✓Yes | macOS (10.13.4+) |
└─ Allow All Apps Access AllowAllAppsAccess If `true`, all apps have access to the private key. | boolean | optional | false | ✓Yes | macOS (10.10+) |
