ACME DA vs Static or Dynamic SCEP
You may be using a SCEP deployment, particularly "Static SCEP". In this case, a single shared secret (the SCEP challenge password) embedded in one `mobileconfig` lets every device obtain a certificate from the CA. Currently, the SCEP standard does not specify how granular per-device secrets (passwords) should be negotiated between an MDM and a CA.
There are a couple of solutions you can consider:
- ACME Device Attestation (ACME DA): This option is inherently granular but requires device inventory integration.
- Some MDMs have proprietary mechanisms for negotiating SCEP secrets per device. For example, Jamf supports retrieving a challenge from a webhook and Intune exposes an API for verifying challenges.
Note that even with Dynamic SCEP, nothing prevents the re-use of a `mobileconfig` on a different device. You can mitigate this to some extent by making each per-device secret single-use, but that doesn't fully solve the problem: the CA still cannot tell which device redeemed the secret. Ultimately, this is one of the problems that ACME DA solves.
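A toy model of the three enrollment policies discussed above, added here as an illustration and not code from the original page or from any MDM or CA product. It assumes a CA that tracks per-device challenges, an HMAC standing in for a real attestation signature chain, and constructed serials and keys; it shows why a single-use dynamic challenge still cannot tell which device redeemed it, while the attestation check binds the certificate key to an inventoried device.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

# Constructed data. HW_KEYS stand in for each device's hardware attestation key (a real CA verifies
# a certificate chain instead); INVENTORY is the MDM device list that ACME DA integrates with.
HW_KEYS = {"C02ABC123": b"hw-key-A", "C02DEF456": b"hw-key-B", "C02ROGUE9": b"hw-key-R"}
INVENTORY = {"C02ABC123", "C02DEF456"}  # C02ROGUE9 is genuine hardware but unknown to the MDM

def device_attest(serial: str, csr_key: str) -> dict:
    """Device side of ACME DA (toy): a statement binding this serial to the key in the CSR."""
    tag = hmac.new(HW_KEYS[serial], f"{serial}|{csr_key}".encode(), hashlib.sha256).hexdigest()
    return {"serial": serial, "csr_key": csr_key, "tag": tag}

@dataclass
class ToyCA:
    static_secret: str = "shared-password"      # Static SCEP: one secret in every mobileconfig
    issued: dict = field(default_factory=dict)  # Dynamic SCEP: challenge -> serial it was minted for
    used: set = field(default_factory=set)      # single-use bookkeeping
    def mint_dynamic_challenge(self, serial: str) -> str:
        """Stands in for the MDM webhook/API that hands out a per-device SCEP challenge."""
        challenge = secrets.token_hex(8)
        self.issued[challenge] = serial
        return challenge
    def enroll_static(self, challenge: str) -> bool:
        return hmac.compare_digest(challenge, self.static_secret)
    def enroll_dynamic(self, challenge: str) -> bool:
        # SCEP carries no device identity: the CA sees the challenge, never which device presents it.
        if challenge not in self.issued or challenge in self.used:
            return False
        self.used.add(challenge)
        return True
    def enroll_acme_da(self, att: dict, csr_key: str) -> bool:
        hw_key = HW_KEYS.get(att["serial"])
        if hw_key is None or att["serial"] not in INVENTORY:
            return False
        expected = hmac.new(hw_key, f"{att['serial']}|{att['csr_key']}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, att["tag"]) and att["csr_key"] == csr_key

def run_scenarios() -> dict:
    ca = ToyCA()
    a_chal = ca.mint_dynamic_challenge("C02ABC123")  # minted for device A ...
    att_a = device_attest("C02ABC123", "keyA")
    return {
        "static_any_device": ca.enroll_static("shared-password"),
        "dynamic_presented_by_device_b": ca.enroll_dynamic(a_chal),  # ... redeemed by device B: accepted
        "dynamic_second_use": ca.enroll_dynamic(a_chal),
        "da_genuine": ca.enroll_acme_da(att_a, "keyA"),
        "da_profile_reused_with_other_key": ca.enroll_acme_da(att_a, "keyB"),
        "da_not_in_inventory": ca.enroll_acme_da(device_attest("C02ROGUE9", "keyR"), "keyR"),
    }
```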