
SCEP configuration (Android Sophos container policy)

With the SCEP configuration you enable devices to request certificates from a Certificate Authority using the Simple Certificate Enrollment Protocol (SCEP). These certificates are available to the Work browser feature of Sophos Secure Workspace.


The Sophos container policy is only available for Sophos Central accounts created before October 1, 2022 and for accounts migrated from an on-premise installation of Sophos Mobile.


You must first add a Root certificate configuration to upload the CA certificate of the SCEP server before you can add a SCEP configuration.

Setting: Description

URL: The web address of the Certificate Authority server.

Use the variable %_SCEPPROXYURL_% to refer to the server URL that is configured on the SCEP tab of the Sophos setup page.

Alias name: The name under which the certificate will appear in selection dialogs.

This should be a memorable name to identify the certificate. For example, use the same value as in the Subject field, but without the CN= prefix.

Subject: The name of the entity (for example person or device) that will receive the certificate.

You can use placeholders for user data or device properties.

The value that you enter (with placeholders replaced by the actual data) must be a valid X.500 name.

For example:

  • Enter CN=%_USERNAME_% to specify a user.
  • Enter CN=%_DEVPROP(serial_number)_% to specify an Android device.

Type of Subject Alternative Name / Value of Subject Alternative Name: To add a Subject Alternative Name (SAN) to the SCEP configuration, select the SAN type and then enter the SAN value. SAN types are:

  • RFC 822 name: A valid email address.
  • DNS name: The DNS name of the CA server.
  • Uniform resource identifier: The fully qualified URL of the CA server.

AD user logon name: The User logon name value set in Active Directory, i.e. the user’s User Principal Name (UPN).

Challenge: The web address to obtain a challenge password from the SCEP server.

Use the variable %_CACHALLENGE_% to refer to the challenge URL that is configured on the SCEP tab of the Sophos setup page.

Root certificate: The CA certificate.

Select the certificate from the list. The list contains all certificates that you have uploaded in Root certificate configurations of the current policy.

Key size: The size of the public key in the issued certificate.

Make sure that the value matches the size configured on the SCEP server.

Certificate usage: Select what the certificate can be used for.
  • Use as digital signature: The certificate can be used as a digital signature.
  • Use for encryption: The certificate can be used for data encryption.
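
The Subject setting requires that the value, with placeholders replaced by the actual data, is a valid X.500 name. The following is an added example (not Sophos code) of pre-checking a Subject template against representative user or device data: it substitutes the placeholders, escapes the data per RFC 4514, and parses the result to confirm it is still a well-formed name. The helper names and the sample record are assumptions; how Sophos Mobile itself treats special characters in placeholder values is not stated on this page.

```python
import re

PLACEHOLDER = re.compile(r"%_(.+?)_%")   # %_USERNAME_%, %_DEVPROP(serial_number)_%
ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")  # short name or OID

def escape_value(value):
    """Escape directory data for use as an RFC 4514 attribute value."""
    out = re.sub(r'([",+;<>\\])', r"\\\1", value)
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    if out.startswith((" ", "#")):
        out = "\\" + out
    return out

def expand(template, data, escape=True):
    """Replace each placeholder with its value from data (hypothetical helper)."""
    def repl(match):
        value = data[match.group(1)]   # KeyError if a placeholder has no data
        return escape_value(value) if escape else value
    return PLACEHOLDER.sub(repl, template)

def split_unescaped(text, sep):
    """Split on sep, skipping separators that are backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" and i + 1 < len(text) else 1
        if step == 1 and text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i:i + step]
        i += step
    parts.append(cur)
    return parts

def parse_dn(dn):
    """Return [(type, value), ...]; raise ValueError if dn is not well formed."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            bare = re.sub(r"\\.", "", value)   # drop escaped pairs, check leftovers
            ok = eq and ATTR_TYPE.fullmatch(attr.strip()) and value
            if not ok or re.search(r'[";<>\\]', bare):
                raise ValueError(f"not a valid attribute=value pair: {ava!r}")
            pairs.append((attr.strip(), value))
    return pairs

SAMPLE = {"USERNAME": "Doe, Jane", "DEVPROP(serial_number)": "R58M12345AB"}  # constructed
```

With the constructed record, the unescaped expansion `CN=Doe, Jane` fails to parse because the comma starts a second, malformed RDN, while the escaped form `CN=Doe\, Jane` parses as a single CN.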