Ventura & SCEP

Apple prompted users to explicitly test SCEP workflows after the Ventura upgrade. The Apple MacOS 13 Beta 1 Release Notes should cover the changes, but we didn't find any more details.

Did Apple release any more information on what was changed?

We are currently unable to complete the SCEP workflow on Ventura 13.0 22A380. Up to macOS Monterey the workflow works without any problems.

The workflow fails while parsing the PKCSReq response (Diagram #5) with the following error:

CertificateService [502:Cert_PI:SCEP:<0xf94c>] Calling SecSCEPVerifyReply()...
CertificateService SecCMSMessageSecurityShim is disabled (via feature flags)
CertificateService [502:Cert_PI:SCEP:<0xf94c>] SecSCEPVerifyReply() returned 0 certs Error: (null)
CertificateService [502:Cert_PI:SCEP:<0xf94c>] SCEP response verification failure details (PKCSReq):
CertificateService [502:Cert_PI:SCEP:<0xf94c>] ParseErrorCode : -25293
CertificateService [502:Cert_PI:SCEP:<0xf94c>] ResponseLength : 4961
CertificateService [502:Cert_PI:SCEP:<0xf94c>] ParseErrorText : Failed to verify signed data
CertificateService [502:Cert_PI:SCEP:<0xf94c>] Attrs attributes: (null)
CertificateService [ERROR] [502:Cert_PI:SCEP:<0xf94c>] SCEP response failed to verify ==> (null)
CertificateService [502:Cert_PI:<0xf94c>] <OUTERROR> Failed to verify get certificate response <MDM-SCEP:15002>
CertificateService [ERROR] [502:Cert_PI:SCEP:<0xf94c>] [CE] Certificate request failed ==> Failed to verify get certificate response <MDM-SCEP:15002>

We have the exact same issue, except with Intune, not Jamf Pro/Jamf Cloud; SCEP has been working fine up to Monterey. We just blocked everyone from upgrading to Ventura until there's a fix.

We manually intercepted the SCEP response from SCEP server and imported it to the System Keychain. We were then able to connect to a 802.1x protected network.

The whole issue seems to be related to Apple changes in the SCEP flow. We escalated this post to the Apple Business Support but haven't got any response since last week.

Hello, it seems like my company is facing the same issue. On Ventura no SCEP certificates are provisioned via Azure. Have you heard anything back from ABS?

Hi, it was discovered that Ventura, unlike Monterey, sends an additional cert operation called GetCACaps to the SCEP server, which is also the case on iOS 16; we're trying to fix that, but no luck so far.

Regards, osxninja

I'm having similar issues. I'm using a Microsoft PKI SCEP server and Apple Configurator profiles, and none of our 13.2 MacOS clients are getting certs. Our iOS clients are not affected, but they use an MDM solution to acquire the certs versus just using Apple Configurator. I get an error that states "Unable to obtain cert from SCEP server". The error code is MDM-SCEP:15002.

Again, MacOS 12 works fine, iOS clients of all flavors work fine... just our MacOS 13 clients are failing.

I am having the same issue and was hoping this would be updated.

We are now on 13.3.1 and this is still not working. I see a Beta for 13.4 does mention Enrollment and Proxy, but we'll see if this resolves anything at all.

Would be good to have an Apple Engineer elaborate. Clearly an isolated issue, but we cannot have network configs pushed to new devices on MacOS 13 upwards. Having to DFU back to 12.6.1 isn't sustainable, and new M2 Pros will not downgrade.

I'm having the same problem on JAMF PRO; sadly Jamf Support can't fix it. We have escalated this to everyone and there is no solution. I was hoping that Apple might have fixed this by now.

Heyho,

for the use of our SCEP certificates on Ventura we had to insert the fingerprint of the Root-CA in the payload. This was not necessary on older MacOS versions. We are rolling out the certificates using a mobileconfig which is pushed from an MDM server.

Update from myself,

We had always put the fingerprint of our Root-CA into the payload. As this was never needed pre-Ventura, it was never questioned as being erroneous. We discovered that our fingerprint was incorrect. Check your fingerprints!
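The last two posts come down to one check: the fingerprint carried in the SCEP payload must be the hash of the Root-CA certificate the server actually presents. The script below is an added example, not code from the thread, Apple or any MDM vendor. It assumes `openssl` is on PATH and that the payload's `CAFingerprint` element holds the base64-encoded raw SHA-1 (or MD5) digest of the CA certificate in DER form, which is how Apple documents the key; it generates a throwaway, constructed CA so it runs offline. It also shows the most common way to get this wrong: hashing the PEM file as text instead of the DER certificate inside it, which yields a value that never matches.

```shell
#!/bin/sh
# Added example: verify the CA fingerprint destined for a SCEP mobileconfig.
# Assumes: openssl on PATH; CAFingerprint = base64(raw digest of the DER cert).

# Fingerprint of a PEM certificate as lowercase hex, hashed over its DER bytes.
# Second argument is the digest (sha1 by default; md5 is the other value Apple accepts).
ca_fingerprint_hex() {
    pem="$1"; algo="${2:-sha1}"
    openssl x509 -in "$pem" -outform DER | openssl dgst -"$algo" -r | cut -d' ' -f1
}

# The colon-separated form openssl prints, which is what admins usually copy
# into a profile editor; useful for cross-checking against the hex form above.
ca_fingerprint_colon() {
    openssl x509 -in "$1" -noout -fingerprint -"${2:-sha1}" | cut -d= -f2
}

# The base64 of the raw digest bytes, i.e. the value that goes into the
# payload's <data> element for CAFingerprint (assumption stated in the lead-in).
ca_fingerprint_b64() {
    openssl x509 -in "$1" -outform DER | openssl dgst -"${2:-sha1}" -binary | openssl base64 -A
}

# Compare a fingerprint taken from a profile (hex, with or without colons,
# any case) against the CA certificate. Returns 0 on match, 1 on mismatch.
check_ca_fingerprint() {
    pem="$1"; claimed="$2"; algo="${3:-sha1}"
    want=$(ca_fingerprint_hex "$pem" "$algo")
    got=$(printf '%s' "$claimed" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "$want" = "$got" ]
}

# Constructed throwaway CA used only so this example runs without a real PKI.
make_demo_ca() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -subj "/CN=Demo SCEP CA (constructed)" -days 1 2>/dev/null
}

# Usage:
#   ca=/tmp/demo-ca.pem; make_demo_ca "$ca"
#   ca_fingerprint_colon "$ca"                     # value to compare with the profile
#   ca_fingerprint_b64 "$ca"                       # value for the <data> element
#   check_ca_fingerprint "$ca" "AB:CD:..." && echo match || echo MISMATCH
```

Run `check_ca_fingerprint` with the real CA certificate downloaded from the SCEP server's GetCACert operation, not with a copy that may have been rotated since the profile was built; a stale or re-issued Root-CA is the other way the stored fingerprint silently stops matching.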
