Why can I enroll other devices with the same mobileconfig file?

You may be using a SCEP deployment, particularly "Static SCEP". In this case, a single shared secret lets every device use the same mobileconfig to obtain a certificate from the CA. Currently, the SCEP standard does not specify how granular per-device secrets (passwords) should be negotiated between an MDM and a CA.

There are a couple of solutions you can consider:

  • ACME Device Attestation (ACME DA): This option is inherently granular but requires device inventory integration.

  • Some MDMs have proprietary mechanisms for negotiating SCEP secrets per device. For example, Jamf supports retrieving a challenge from a webhook and Intune exposes an API for verifying challenges.

Note that even with Dynamic SCEP, nothing prevents the re-use of a mobileconfig on a different device. Making each per-device secret single-use mitigates this to some extent (a copied profile no longer works once the secret has been spent), but it does not fully solve the problem, because whichever device presents the secret first is the one that gets enrolled. Ultimately, this is one of the problems that ACME DA solves.
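To make the difference concrete, here is an added toy model (example code, not the original article's or any MDM or CA vendor's implementation) of how a SCEP CA might check the challenge carried in an enrollment request: a static shared secret accepted by any device, versus per-device single-use challenges. The class and method names are hypothetical, and the device identifiers are constructed sample values.

```python
"""Toy model of SCEP challenge validation on the CA side.

Contrasts Static SCEP (one shared secret in every mobileconfig) with
Dynamic SCEP (a per-device, single-use secret negotiated by the MDM).
Illustrative example only; not any product's real implementation.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class StaticScepCA:
    """Static SCEP: every profile carries the same challenge password."""
    shared_secret: str

    def enroll(self, claimed_device: str, challenge: str) -> bool:
        # Any device that knows the shared secret is issued a certificate,
        # any number of times. claimed_device is never checked.
        return hmac.compare_digest(challenge.encode(), self.shared_secret.encode())


@dataclass
class DynamicScepCA:
    """Dynamic SCEP: the MDM asks for one challenge per device; the CA spends it on use."""
    pending: dict = field(default_factory=dict)   # challenge -> device the MDM issued it for
    consumed: set = field(default_factory=set)
    audit: list = field(default_factory=list)     # (intended device, claimed device) per enrollment

    def issue_challenge(self, intended_device: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = intended_device
        return challenge

    def enroll(self, claimed_device: str, challenge: str) -> bool:
        # Single-use: an unknown or already spent challenge is rejected.
        if challenge in self.consumed or challenge not in self.pending:
            return False
        intended = self.pending.pop(challenge)
        self.consumed.add(challenge)
        # Plain SCEP gives the CA no proof of which hardware presented the
        # challenge, so claimed_device cannot be enforced here; the first
        # presenter wins. Recording it at least leaves a trail for later review.
        self.audit.append((intended, claimed_device))
        return True
```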
