Verifying if the Device Management SCEP Certificate Installed Successfully on Desktop OS in Okta
Overview
Administrators can verify the successful deployment of Device Management Simple Certificate Enrollment Protocol (SCEP) certificates to desktop devices for management attestation by reviewing logs or checking the certificate store. Once SCEP profiles deploy successfully, an Intermediate Certificate for the Certificate Authority (CA) and a Device Management Certificate install on the target local machine.
Applies To
- Okta Identity Engine (OIE)
- Device Management
- Desktop Operating Systems
- Mobile Device Management (MDM)
Solution
Confirm the certificates exist in Windows by reviewing the logs or checking the certificate store. Confirm the certificates exist in macOS by checking the System Keychain.
How is a SCEP certificate deployment verified on Windows?
Review the Event Viewer logs to confirm a SCEP certificate deploys successfully to a Windows desktop device.
- Click Start, type Event Viewer, and select Event Viewer.
- Expand Applications and Service Logs > Microsoft > Windows > DeviceManagement-Enterprise > Admin.
- In the Actions field, or by right-clicking the Admin log, select Find... and search for SCEP: Certificate installed successfully. or SCEP: Certificate request generated successfully.
The SCEP: Certificate installed successfully. entry has an Event ID of 39.
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 6/1/2024 6:06:06 PM
Event ID: 39
Task Category: None
Level: Information
Keywords:
User: DESKTOP-A1B2C3D\Oktalab.User
Computer: DESKTOP-A1B2C3D
Description:
SCEP: Certificate installed successfully.
The SCEP: Certificate request generated successfully. entry has an Event ID of 36.
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 6/1/2024 06:06:06 PM
Event ID: 36
Task Category: None
Level: Information
Keywords:
User: DESKTOP-A1B2C3D\Oktalab.User
Computer: DESKTOP-A1B2C3D
Description:
SCEP: Certificate request generated successfully. Enhanced Key Usage: (1.3.6.1.5.5.7.3.2), NDES URL: (https://<YOUROKTASUBDOMAIN>.okta.com/pki/CE9C7A5742DE4CF2A4E31BF9B00000000000000/scep/racfaxkx00000000000/pkiclient.exe), Container Name: (), KSP Setting: (0x2), Store Location: (0x1).
NOTE: These two entries usually log at the same time.
Search the Windows certificate store to confirm the certificate exists.
- Click the Windows key or the Start button and search for Manage User Certificates or Manage Computer Certificates.
- Select Manage User Certificates if the SCEP profiles deploy to the User certificate store. The certificate installs in Certificates - Current User > Personal > Certificates.
- Select Manage Computer Certificates if the SCEP profiles deploy to the Device/System certificate store. The certificate installs in Local Machine > Personal > Certificates.
View the search results for Manage User Certificates and Manage Computer Certificates.
OR
- Navigate to the certificate in the Certificate Manager.
- In the Certificate Manager, navigate to Certificates - Current User > Personal > Certificates or Local Machine > Personal > Certificates.
NOTE: To identify the certificate, the name in the Issued To field must reflect the Subject name format configured in the SCEP Profile.
Review the example certificate produced using the Subject Name Format CN=$EMAIL managementAttestation $UDID.
- Locate the Intermediate Certificate (CA Cert used when configuring the Trusted Certificate Configuration Profile in the MDM) in either Certificates - Current User or Certificates - Local Computer under Intermediate Certification Authorities > Certificates.
- Double-click the certificate and select the Details tab to review the Issuer details and further identify or confirm the certificate.
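The Windows checks above (Event IDs 36 and 39 in the DeviceManagement-Enterprise Admin log, the leaf certificate in Personal, its issuer in Intermediate Certification Authorities) can be scripted. The following is an added example, not part of the Okta article; it assumes the certificate Subject contains the literal managementAttestation from the Subject Name Format shown above and that the Store Location in the SCEP profile is known (LocalMachine or CurrentUser).

```powershell
# Added example (not from the Okta article): verify a Device Management SCEP
# certificate on Windows via the event log and the certificate stores.
# Assumptions: Subject contains "managementAttestation" (from the article's
# Subject Name Format "CN=$EMAIL managementAttestation $UDID"); $Scope matches
# the Store Location chosen in the SCEP profile.
param(
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$Scope = 'LocalMachine',
    [string]$SubjectMarker = 'managementAttestation'
)

$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Event ID 36 = request generated, Event ID 39 = certificate installed.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 36, 39 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Warning "No SCEP events (ID 36/39) found in $logName"
} else {
    # Show only the first line of each message; the ID 36 message is long.
    $events | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
}

# Locate the leaf certificate in Personal (the "My" store) for the chosen scope.
$leaf = Get-ChildItem "Cert:\$Scope\My" | Where-Object { $_.Subject -like "*$SubjectMarker*" }
if (-not $leaf) {
    Write-Warning "No certificate with '$SubjectMarker' in its Subject found in Cert:\$Scope\My"
    return
}

foreach ($cert in $leaf) {
    # The issuer should be the intermediate CA delivered by the Trusted Certificate
    # profile; Cert:\<scope>\CA is the Intermediate Certification Authorities store.
    $issuer = Get-ChildItem "Cert:\$Scope\CA" | Where-Object { $_.Subject -eq $cert.Issuer }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # a bound private key is required for attestation
        IssuerInStore = [bool]$issuer
        # Client Authentication EKU (1.3.6.1.5.5.7.3.2), as shown in the Event ID 36 message.
        HasClientAuth = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    }
}
```

Run it in an elevated PowerShell session when checking the LocalMachine scope; a result with HasPrivateKey and IssuerInStore both True matches the state the article describes after a successful deployment.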
How is a SCEP certificate deployment verified on macOS?
Open the Keychain Access application to confirm the certificate exists in the System Keychain.
- Open the Keychain Access application and select the System option.
NOTE: If the User level is selected in the MDM SCEP configuration, the certificate resides in the Login section. If the Computer level is selected, the certificate installs in the System section of the Keychain.
- Verify that a client certificate and associated private key exist.
Review the client certificate and associated private key in the Keychain Access application.
NOTE: To identify the certificate, the name in the Name field must match the Subject name format configured in the SCEP Profile. Additionally, double-click or right-click the certificate, choose Get Info, and review the details to identify the certificate.
