Cloud SCEP Gateway: Automated Device Certificate Enrollment Without NDES
Replace Microsoft NDES with BastionXP — a cloud-native SCEP gateway and private CA that automates X.509 certificate enrollment for every Intune, Jamf, and Workspace ONE-managed device in your fleet. Dynamic SCEP. No static passwords. No Windows Server. Built-in RADIUS for EAP-TLS Wi-Fi and VPN.
Automated Certificate Enrollment for Every Managed Device — No Windows Server Required
SCEP — the Simple Certificate Enrollment Protocol — is the industry standard for distributing X.509 certificates to managed devices at scale. Every major MDM platform has SCEP built in. The challenge: your Certificate Authority sits safely behind the network perimeter, unreachable from the internet. A SCEP gateway bridges that gap — receiving enrollment requests from devices anywhere, validating them, and forwarding CSRs to your CA for signing. A cloud SCEP gateway delivers the same protocol, the same MDM compatibility, without the Windows Server dependency, operational fragility, or static shared passwords that define the NDES experience.
No Manual Delivery
Devices self-enroll at MDM check-in. No per-device IT touchpoint. A fleet of 10,000 certificates runs the same way as a fleet of 10.
MDM-Native Protocol
Intune, Jamf, Workspace ONE, Kandji, and Mosyle all speak SCEP natively. No custom agents, no OS changes, no new tooling for your end users.
Scales to Any Fleet
One BastionXP SCEP endpoint handles your entire device fleet. Certificate capacity scales with your subscription — not the Windows Server you provisioned four years ago.
Why Microsoft NDES and Static SCEP Passwords Are Holding You Back
NDES was designed in 2003 for on-premises networks. It has been asked to serve as the certificate enrollment backbone for modern, cloud-first, MDM-managed device fleets — and it breaks under that pressure constantly. Static SCEP challenge passwords compound the problem: one leaked password gives any device on the internet a path into your PKI. These are structural weaknesses, not configuration problems you can tune away.
NDES breaks on every Windows Update: IIS application pools stop, service account permissions silently change, MSCEP registry keys revert — and the first sign is a wave of enrollment failures hours later.
Static passwords are permanent liabilities: One challenge password is shared across every device enrollment. A single leak — a log file, a support ticket, a misconfigured MDM profile — gives any machine a valid certificate.
Rotation is never done: Rotating the shared password invalidates every pending enrollment in the queue. So teams never rotate it. The same credential stays in production for years.
Two Windows Servers minimum: NDES requires a dedicated server separate from the ADCS CA — two servers to license, patch, harden, monitor, and maintain just to proxy certificate requests.
No automated lifecycle: Certificates are issued but never tracked. They expire silently. The first sign is usually an 802.1X authentication failure and a user who cannot connect to Wi-Fi.
How BastionXP Cloud SCEP Gateway Works: Dynamic SCEP, Private CA, and Automated Lifecycle in One
BastionXP is a private CA and cloud SCEP gateway in a single platform. Your MDM points to BastionXP's SCEP endpoint — hosted in our cloud, globally available, zero Windows Server dependency. Dynamic SCEP replaces the static shared password with per-device, time-expiring challenge tokens. Every enrollment is validated against your MDM asset inventory. Every certificate lifecycle — issue, track, renew, revoke — is automated without IT intervention.
MDM Pushes SCEP Profile: Intune, Jamf, or Workspace ONE delivers the SCEP configuration profile to enrolled devices automatically at check-in. No user action required.
Dynamic Challenge Token Issued: BastionXP's API generates a per-device, single-use challenge token with a short expiry — replacing the static shared password that defines classic SCEP's weakest link.
Device Generates Key Pair Locally: A key pair is generated on the device. The private key stays on the device. Only the Certificate Signing Request (CSR) and challenge token are transmitted.
BastionXP Validates and Signs: The cloud SCEP gateway validates the challenge token against the device's MDM identity, forwards the CSR to the BastionXP private CA, and returns the signed X.509 certificate.
EAP-TLS Authentication Enabled: The device presents its certificate during 802.1X authentication. BastionXP's built-in RADIUS server validates it against the CA and grants Wi-Fi or VPN access.
Automated Renewal Before Expiry: BastionXP tracks certificate lifetimes fleet-wide and triggers renewal via MDM before expiry. No expiry alerts. No help desk tickets. No users locked out of Wi-Fi.
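To make the dynamic challenge step concrete, here is an added example (illustrative code, not BastionXP's implementation) of a validator that binds each token to one MDM device identity, accepts it exactly once, and refuses it after expiry, shown next to the classic static-password check it replaces. The device identifiers, the static password and the 600-second lifetime are constructed values.

```python
"""Added example (not BastionXP's code): dynamic SCEP challenge tokens that are
per-device, single-use and time-limited, beside the static password they replace."""
import secrets
import time

STATIC_SCEP_PASSWORD = "corp-scep-2019"  # constructed: the classic shared NDES secret


def static_check(challenge: str) -> bool:
    """Classic static SCEP: any device presenting the shared secret is accepted, forever.
    Nothing ties the challenge to a device, and a leak stays valid until someone rotates it."""
    return secrets.compare_digest(challenge, STATIC_SCEP_PASSWORD)


class DynamicChallengeService:
    """Issues one token per enrollment, bound to the MDM device identity,
    consumed on first use and rejected after ttl_seconds."""

    def __init__(self, ttl_seconds: int = 600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._pending: dict[str, tuple[str, float]] = {}  # token -> (device_id, expires_at)

    def issue(self, device_id: str) -> str:
        """Called by the gateway API when the MDM requests a challenge for one device."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable in the window
        self._pending[token] = (device_id, self._now() + self._ttl)
        return token

    def validate(self, challenge: str, csr_device_id: str) -> str:
        """Return 'ok' if the CSR may be forwarded to the CA, else the refusal reason.
        csr_device_id is the identity the MDM placed in the CSR subject (e.g. a UDID)."""
        entry = self._pending.pop(challenge, None)  # single use: removed on any attempt
        if entry is None:
            return "unknown-or-already-used"  # replayed, guessed, or never issued
        device_id, expires_at = entry
        if self._now() > expires_at:
            return "expired"  # token outlived its window; the device must re-request one
        if device_id != csr_device_id:
            return "device-mismatch"  # presented by another device: treat as leaked, stays burned
        return "ok"


if __name__ == "__main__":
    svc = DynamicChallengeService(ttl_seconds=600)
    token = svc.issue("UDID-AAA")  # constructed device identity
    print(svc.validate(token, "UDID-AAA"))  # ok
    print(svc.validate(token, "UDID-AAA"))  # unknown-or-already-used (replay)
```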
Why IT and Security Teams Choose BastionXP as Their Cloud SCEP Gateway
BastionXP eliminates every operational pain point that makes legacy SCEP and NDES unsustainable — delivering automated certificate lifecycle management from a single cloud-native platform your MDM already knows how to talk to.
No NDES, No Windows Server
BastionXP is fully cloud-native. One SCEP endpoint, hosted and maintained by us, available globally. No IIS to configure, no service accounts to manage, no registry keys to audit after every Windows patch.
Dynamic SCEP with Per-Device Tokens
Every new enrollment receives a unique, time-limited challenge token tied to that device's MDM identity — eliminating the static shared password and the enrollment spoofing risk it creates.
Works with Every Major MDM
Intune, Jamf Pro, Workspace ONE, Kandji, Mosyle — if your MDM speaks SCEP (RFC 8894), it works with BastionXP without modification. Point the SCEP URL at BastionXP and your existing profiles continue to work.
Automated Certificate Lifecycle
Certificates are issued, tracked, and renewed without IT involvement. BastionXP monitors expiry across your entire fleet and triggers renewal automatically. Certificate expiry stops being a help desk category.
Built-in RADIUS for EAP-TLS
BastionXP includes a RADIUS server for 802.1X Wi-Fi and VPN authentication. Configure your access points to point at BastionXP RADIUS — no separate FreeRADIUS or NPS required for most deployments.
Upgrade Path to ACME Device Attestation
When your Apple device fleet is ready for hardware-rooted enrollment, switch from SCEP to ACME Device Attestation on the same BastionXP CA root — no new infrastructure, no RADIUS reconfiguration, no re-enrollment of remaining SCEP devices.
SCEP Gets You There. ACME Device Attestation Makes You Zero Trust.
Dynamic SCEP eliminates shared passwords and automates certificate lifecycle — a major improvement over NDES. But the private key is still software-stored. Enrollment still proves a token, not a device. ACME Device Attestation closes both gaps: keys that never leave the Secure Enclave, and cryptographic proof that the device is the exact hardware you purchased. Same BastionXP CA. No new infrastructure. Migrate Apple devices at your own pace.
Hardware-Locked Keys
Private keys are generated inside the device's Secure Enclave or TPM and never exported — not by an admin, not by a compromised OS, not by anyone.
No Secrets to Steal
ACME Device Attestation uses zero shared passwords or tokens. Enrollment is cryptographic proof from the silicon manufacturer. There is nothing to intercept.
Same CA, No Rip-and-Replace
ACME and SCEP run simultaneously from the same BastionXP CA root. Your RADIUS server trusts both. Migrate Apple devices when you are ready — without touching anything else.
Works With the MDM Platform You Already Use
BastionXP's cloud SCEP gateway is MDM-agnostic — compliant with RFC 8894, the same standard every major MDM implements. Dynamic SCEP challenge token integration is available natively for Intune and Jamf. Point your existing SCEP certificate profile at BastionXP and your devices begin enrolling immediately.
Microsoft Intune
Native SCEP certificate profiles. Dynamic SCEP via BastionXP challenge API. Windows TPM-backed key storage supported.
Jamf Pro
Native SCEP payload in configuration profiles. Dynamic SCEP via Jamf + BastionXP integration. ACME Device Attestation upgrade for iOS 16+ and macOS 13+.
Workspace ONE
Native SCEP payload support. Dynamic SCEP via BastionXP. Works with both corporate-owned and BYOD device profiles.
Kandji & Mosyle
Full SCEP certificate profile support for Apple device fleets. ACME Device Attestation upgrade path available for iOS 16+ and macOS 13+.
Fleet DM
Native SCEP enrollment for Linux, macOS, and Windows devices managed via Fleet. Dynamic SCEP and ACME upgrade supported.
Any RFC 8894 MDM
BastionXP implements SCEP per RFC 8894. Any MDM or device that speaks standard SCEP can enroll certificates through BastionXP without configuration changes.