Deploying SCEPman in Azure

This task explains how to deploy SCEPman in Microsoft Azure using the Enterprise (subscription-based) edition, which is recommended for Mobile Endpoint Agent deployments.

SCEPman is used during Mobile Endpoint Agent deployment to enable certificate‑based authentication through Microsoft Intune. It provides an SCEP server capability deployed as a web application in Azure, allowing certificates to be installed directly on managed devices without manual intervention.

In this deployment model, Intune works with SCEPman to validate device identity and issue certificates automatically. These certificates are later used to securely authenticate mobile devices when they communicate with Forcepoint services.

Steps

  1. Sign in to the Azure portal.
  2. Navigate to Marketplace and search for SCEPman.

    From the search results, select SCEPman Enterprise Edition (Subscription).

  3. Select a subscription plan. Choose either Monthly or Yearly.

    Selecting a plan opens the subscription configuration page.

  4. On the Basics page, provide the following information:
    • Subscription: Select the Azure subscription to associate with SCEPman.
    • Resource group: Select an existing resource group or create a new one.
    • Name: Enter a meaningful name for the deployment.

    Click Next after reviewing the details. Tags section is optional.
  5. Review the provided information and click Subscribe to add SCEPman to your Azure subscription.
  6. Open the SCEPman documentation, navigate to SCEPman deployment > Deployment Options > Enterprise deployment.
  7. From the list of templates, select the Production channel template.

    Opens a pre-populated template in the Azure portal.

  8. In the Azure deployment template, enter the required details, such as subscription, resource group, region, org name, ca key type, and other required certificate settings.

  9. Review the configuration and then click Create to begin the deployment.
  10. After deployment completes, open the Azure home page and navigate to Azure subscription > Resources. Verify that two SCEPman app services are created.

  11. To collect required SCEPman information, open the app service for the main SCEP server.
  12. Locate and copy the Default Domain URL and open it in a new browser tab.

    Opens the SCEPman app service.

  13. For the Mobile Endpoint Agent MDM deployment:
    • Download the CA certificate
    • Copy the Intune MDM URL

Result

SCEPman is successfully deployed in Azure and is ready to issue certificates for Mobile Endpoint Agent deployments through Microsoft Intune.