How to Configure SCEP for Secure Enterprise WiFi and BYOD Provisioning

Welcome to this technical briefing from Purple. I am your host, and today we are diving deep into the configuration of SCEP for secure enterprise WiFi and BYOD provisioning. For IT managers, network architects, and CTOs operating in hospitality, retail, and public sectors, managing network access is a constant balancing act between security and operational efficiency. You are dealing with hundreds, sometimes thousands of devices connecting to your network every day. Staff smartphones, contractor laptops, point-of-sale tablets. And the old ways of handling this are simply not good enough anymore. Relying on Pre-Shared Keys, or PSKs, for staff and BYOD WiFi is a security vulnerability waiting to be exploited. A shared password, once compromised, gives anyone access to your network. And MAC Authentication Bypass, or MAB, is no better. Modern smartphones use randomised MAC addresses by default, which breaks MAB entirely, and MAC addresses can be spoofed in seconds. Modern network architecture demands 802.1X authentication using EAP-TLS. This ensures every device is cryptographically verified before it touches the network. But here is the challenge: how do you distribute unique client certificates to thousands of unmanaged devices without overwhelming your helpdesk? The answer is the Simple Certificate Enrollment Protocol, or SCEP. Let us start with the architecture. SCEP is the industry standard for enterprise device enrollment, defined in RFC 8894. It has been around since 1999, originally created by VeriSign, and it has stood the test of time because it solves a genuinely hard problem elegantly. In a SCEP workflow, the device generates its own private and public key pair locally. It creates a Certificate Signing Request, or CSR, and sends it via a Network Device Enrollment Service, known as NDES, to your Certificate Authority, or CA. The CA validates the request and returns the signed public certificate to the device. The critical security advantage here is that the private key never leaves the device. It is generated locally and stored in the device's hardware secure enclave. On a Windows laptop, that is the Trusted Platform Module, or TPM. On an iPhone, it is the Secure Enclave. The private key is never transmitted across the network. This is what makes SCEP vastly superior to alternatives like PKCS for network authentication, where the CA generates the key pair centrally and transmits it to the device. Now, let us talk about BYOD. This is where it gets genuinely interesting from an operational standpoint. You want staff to be able to use their personal devices to access internal tools, but you do not want to force them to enrol in your corporate MDM. That is a privacy concern, and it meets strong resistance from staff. The solution is a self-service onboarding portal. Here is how it works. The user connects their personal device to a dedicated provisioning SSID. This network is a walled garden, restricting access to everything except the onboarding portal and your identity provider. The user authenticates using their corporate credentials, typically via SAML integration with Microsoft Entra ID, Okta, or Google Workspace. Upon successful authentication, the system generates a unique, device-specific client certificate via SCEP. A configuration profile is pushed to the device containing the certificate, the root CA certificate, and the network settings. The device then automatically connects to the secure corporate SSID using EAP-TLS. It is seamless for the user and secure for the enterprise. They do not need to know anything about certificates or 802.1X. They just log in once and they are connected. Now, let us walk through the implementation in detail. The deployment sequence is critical, and getting it wrong is the most common cause of failure. Step one: deploy the Trusted Root Certificate. Before any device can request a client certificate or trust your RADIUS server, it must trust the issuing Certificate Authority. Export your Root CA certificate as a .cer file and deploy it to your target device groups. This step is non-negotiable. Without it, the entire chain fails. Step two: configure the SCEP Certificate Profile. This instructs devices on how to obtain their client certificate. You need to configure the subject name format. For user-driven authentication, the standard is CN equals UserPrincipalName. For device authentication, use CN equals the Azure AD Device ID. Set the key usage to digital signature and key encipherment. Under extended key usage, specify Client Authentication with the OID 1.3.6.1.5.5.7.3.2. Link this profile to the Trusted Root certificate profile from step one. And provide the external URL of your NDES server. Step three: deploy the 802.1X WiFi Profile. This ties the certificates to the network SSID. Enter the network name exactly as it is broadcast by your access points. Set the security type to WPA2-Enterprise or WPA3-Enterprise. Set the EAP type to EAP-TLS. Select the SCEP certificate profile as the client authentication certificate. And specify the Trusted Root certificate for server validation. This sequence is the most important thing to remember from this entire briefing. Trust, then certificate, then WiFi. In that order, every time. Now let me walk you through some best practices that will save you significant pain in production. First, publish your NDES server via Azure AD Application Proxy. The NDES server must be accessible from the internet to allow remote devices to provision certificates before they arrive on-site. But exposing an internal server directly to the internet is a significant security risk. Application Proxy gives you secure remote access without opening inbound firewall ports. Second, implement short-lived certificates for BYOD devices. Instead of a certificate valid for three years, issue certificates valid for 90 days. When the certificate expires, the user must re-authenticate through the onboarding portal. This naturally prunes stale devices from the network. A device that has not been used in 90 days simply drops off. No manual cleanup required. Third, and this is absolutely critical, configure your RADIUS server to enforce strict Certificate Revocation List checking. When an employee leaves the organisation, disabling their Active Directory account may not immediately revoke their WiFi access if their client certificate remains valid. Your RADIUS server must check the CRL before granting access. Ensure your CRL Distribution Points are highly available. If the RADIUS server cannot reach the CRL, authentication fails for everyone. That is a widespread outage. Now let us look at some common failure modes and how to avoid them. The most frequent issue is the WiFi profile failing to apply. The device receives the Trusted Root and SCEP certificates, but the WiFi profile shows as Error in the MDM console. Nine times out of ten, this is a group targeting mismatch. If the SCEP profile is assigned to a User Group, but the WiFi profile is assigned to a Device Group, the MDM cannot resolve the dependency. Audit your assignments. Ensure all three profiles target the exact same group. The second common issue is NDES 403 Forbidden errors. Devices fail to retrieve the SCEP certificate, and the NDES IIS logs show HTTP 403 errors. This is usually caused by the connector service account lacking the necessary permissions on the certificate template, or a firewall blocking the specific query string parameters used by SCEP. Verify that the connector account has Read and Enroll permissions on the CA template. Check your firewall logs to ensure URLs containing the operation equals GetCACaps parameter are not being blocked. Let me give you two real-world scenarios to illustrate how this plays out in practice. Scenario one: a 200-room hotel with 50 housekeeping staff using personal smartphones to access the scheduling app. The IT manager wants to avoid full MDM enrolment to respect staff privacy. The solution is a self-service portal integrated with Microsoft Entra ID. Staff connect to the provisioning SSID, log in with their Entra ID credentials, and download a SCEP profile. The SCEP server issues a 30-day client certificate directly to the device. The device connects to the Staff WiFi SSID using EAP-TLS. The RADIUS server assigns these devices to a restricted VLAN that only allows access to the scheduling app. When a staff member resigns, their Entra ID account is disabled, and the RADIUS server instantly denies network access. Scenario two: a national retail chain with 500 stores deploying secure WiFi for corporate-owned point-of-sale tablets. The network architect needs to ensure that even if a tablet is stolen, the credentials cannot be extracted. The solution is Microsoft Intune deploying certificates via SCEP. Intune pushes the Trusted Root certificate, followed by a SCEP profile that instructs the tablet to generate its own private key in its hardware secure enclave. The tablet submits a CSR to the NDES server, receives the client certificate, and connects to the Retail POS SSID using EAP-TLS. Because the private key is generated locally and never transmitted, a stolen tablet's credentials cannot be used elsewhere. This satisfies PCI DSS compliance requirements. Now, let us talk about the business case. Transitioning to SCEP 802.1X certificate deployment delivers measurable returns across security and operations. Password-based WiFi generates a significant volume of helpdesk tickets. Password expirations, lockouts, typos. Certificate-based authentication is invisible to the user. Devices connect automatically. This typically reduces WiFi-related helpdesk volume by 70%. That is a material reduction in operational cost. EAP-TLS eliminates the risk of credential harvesting and Man-in-the-Middle attacks. This is critical for compliance with PCI DSS in retail environments and GDPR across all sectors. The cost of a data breach far exceeds the cost of deploying a proper PKI infrastructure. And for organisations already running Purple's Guest WiFi and analytics platform, extending secure onboarding to staff BYOD devices provides a unified network management strategy. Purple's hardware-agnostic cloud overlay integrates with Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet, so you are not locked into a single hardware vendor. Purple operates across 80,000 live venues and has processed 440 million logins in 2024, holding ISO 27001, GDPR, CCPA, and Cyber Essentials certifications. Let me close with a rapid-fire summary of the key decisions you need to make. Should you use SCEP or PKCS? Use SCEP for WiFi authentication. The private key stays on the device. Use PKCS only for email encryption where key escrow is required. How long should certificates be valid? 90 days for BYOD. One to two years for corporate-managed devices. Should you use user or device targeting in your MDM? Use device targeting for corporate devices that need to connect before user login. Use user targeting for BYOD where the certificate should be tied to the individual. How do you handle Android fragmentation? Use Passpoint, also known as Hotspot 2.0, where possible. It provides a consistent connection experience across Android manufacturers. And finally, what is the single most important thing to get right? CRL checking on your RADIUS server. Without it, a revoked certificate can still grant network access. That is the end of today's briefing. If you want to go deeper on any of these topics, Purple's technical guides on enterprise WiFi security and EAP-TLS certificate authentication are available on the Purple website at purple.ai. Thank you for listening.