Device Not Showing Managed when SCEP Profile Certificate Deployed to Machine Store
Devices and Mobility
Okta Identity Engine
Overview

This article reviews some configuration know-how for deploying SCEP certificates for device management to the Local Machine (System) certificate store on Windows, instead of the User certificate store. This is done to establish device management on a shared workstation, where several users sign in to the same machine.

Applies To
  • Okta Identity Engine (OIE)
  • Device Management / Device Trust OIE
  • Mobile Device Manager (MDM) 
  • Workspace One
Solution

When deploying for a shared workstation, deploy the SCEP cert to the System Store located on the Windows OS under Local Machine > Personal Store.

  • Ensure that every user who may require device management on the machine has a separate account on that machine, and that each of those accounts has permission to use the private key of the certificate.

One issue that may be encountered in the MDM (for example, Workspace One) is that the default value in the profile configuration is set to:

  • Select the location for the certificate private key:
    • TPM If Present

Admins may encounter issues when deploying to the TPM, because the OS may then allow nothing but the "SYSTEM" account to hold permissions on that certificate's private key. In this situation, deploy to:

  • Software – Select to store the private key in the device OS.

    WorkspaceOne - KeyLocation 

This way, Admins can set user and group permissions on the private key, so that users or groups who log in and register with Okta Verify have those registrations show as managed.
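The following PowerShell script is an added example, not part of the original article or of Okta or Workspace One. It carries out the checks described above on a Windows machine after the MDM profile has been applied: it locates the SCEP-issued certificate in Local Machine > Personal, determines whether its private key is TPM-backed or software-backed, and, for a software key, grants a local group read access to the key file so that every interactive user can use it. The subject filter (`DEVICE-SCEP`) and the group name (`BUILTIN\Users`) are assumptions; replace them with the values used in your profile. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the Okta article): verify and fix private-key permissions on a
# SCEP certificate deployed to the Local Machine > Personal store on a shared workstation.
# The subject filter and the group name below are assumptions for this example.

$SubjectFilter = '*CN=DEVICE-SCEP*'   # assumption: placeholder subject of the SCEP profile cert
$GroupName     = 'BUILTIN\Users'       # assumption: grant access to all local interactive users

# Pick the newest certificate in LocalMachine\My that matches the filter and has a private key
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like $SubjectFilter } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key matching $SubjectFilter in LocalMachine\My"
}

# Resolve the key container. CNG keys expose the provider name and a unique file name
# via CngKey; legacy CAPI keys expose them via CspKeyContainerInfo.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $provider   = $rsa.Key.Provider.Provider
    $uniqueName = $rsa.Key.UniqueName
    $keyDir     = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $provider   = $rsa.CspKeyContainerInfo.ProviderName
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir     = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

Write-Host "Certificate : $($cert.Thumbprint)"
Write-Host "Key provider: $provider"

# A TPM-backed key lives in the Platform Crypto Provider and has no key file whose ACL
# can be edited. This is the situation the article describes: only SYSTEM can use the key,
# so ordinary users never show as managed. The fix is in the MDM profile (Key Location =
# Software), followed by a redeploy; nothing can be done to the key on the machine itself.
if ($provider -eq 'Microsoft Platform Crypto Provider') {
    throw "Private key is held in the TPM; redeploy the profile with the Software key location."
}

$keyFile = Join-Path $keyDir $uniqueName
if (-not (Test-Path -Path $keyFile)) {
    throw "Key file not found: $keyFile"
}

# Grant the group read access on the key file. Read is sufficient to sign with the key,
# which is all Okta Verify needs; do not grant Modify or Full Control.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GroupName, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Print the resulting ACL so the change can be verified before users re-register
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

If the script reports `Microsoft Platform Crypto Provider`, the profile is still set to "TPM If Present" and must be changed to the Software key location and redeployed before the permission step can apply. Granting read access to `BUILTIN\Users` covers every local account; a dedicated local group containing only the accounts that need device management is a narrower alternative.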
