Before you do anything else, you’ll need to add a SCEP provisioner to your new authority. To do that, run the command to “Configure step to use this authority” under “Quick Actions” on your authority page. Then run these commands:

# mint a decrypter cert
step ca certificate scep-decrypter decrypter.crt decrypter.key --kty RSA --size 3072 --not-after 8760h

# create the provisioner
step ca provisioner add jumpcloud --type SCEP --challenge <challenge> --scep-decrypter-key-file decrypter.key --scep-decrypter-certificate-file decrypter.crt --encryption-algorithm-identifier 2

This uses the provisioner name jumpcloud, but you can use a different name if you want.

Replace <challenge> in the second command with a SCEP challenge secret (e.g., generated via head /dev/urandom | shasum or whatever your favorite secret-generation-command is). Keep it somewhere safe because you’ll need it later.

With that done, instructions vary for macOS & Windows…

MacOS

For macOS we’ll create a .mobileconfig profile and upload it to Jumpcloud as a “MDM Custom Configuration Profile”.

You’ll need:

• Your Smallstep CA’s root certificate (run step ca root root.crt to download)
• Your Smallstep CA’s SCEP URL (https://<your-ca-domain>/scep/<scep-provisioner-name>)
• Your Smallstep CA’s SCEP Challenge
• Your Radius server’s Root CA cert

Create the .mobileconfig profile

Open Apple Configurator and go to file → new profile.

• Name the profile under “General”
• Click Certificates
  • Click Configure
  • Select the root certificate for your Smallstep CA from disk
  • Click the + in the upper-right
  • Select your Radius server’s Root CA cert
• Click SCEP
  • Click Configure
  • URL → Smallstep CA’s SCEP URL
  • Name → Whatever you want to name it (this will show up in Settings on macOS)
  • Subject → CN=%HardwareUUID%
  • Challenge → Your Smallstep CA’s SCEP Challenge
  • Key size → 2048
  • ✅ Use as digital signature
  • ✅ Use for key encipherment
  • Leave fingerprint empty
• Click Wifi
  • Click Configure
  • SSID → Wifi SSID
  • ✅ Auto Join (optional)
  • Security type → WPA2 / WPA3 Enterprise
  • Protocols → TLS
  • Identity Certificate → SCEP: <whatever you named your SCEP profile>
  • Click “Trust” under “Enterprise Settings”
    • Trusted Certificates → Select your Radius Server’s Root CA Cert
    • Trusted Server Certificate Name → The Common Name (CN) on your Radius server’s leaf certificate

Save this profile. Go to Policy Management → click the big + → Mac → search for “MEM Custom Configuration Profile” and click configure. Upload your mobile config. Assign devices. Save.