Credential ACME (macOS Device)

Use this setting to enable devices to obtain certificates from an ACME server.

Before you begin

Using a certificate template ensures that each certificate issued to a device is dynamic. For information about creating a certificate template, see Step One: Integrate Certificate Authority Services.

About this task

The Automated Certificate Management Environment (ACME) configuration allows you to distribute ACME certificates to devices. Assets are added to profiles to push the reference data required by these configurations.

Procedure

  1. Under the Asset tab, select and choose Credential ACME. The Credential ACME window opens.
    Figure: ACME Credentials profile configuration
  2. Specify the asset name for the certificate.
  3. Specify the Keychain Accessibility level:
    • Default
    • After first unlock
  4. Select the Certificate Template required by the configuration.
  5. Enter a unique string for Client Identifier to identify a specific device. The ACME server may use this as a one-time identifier to prevent issuing multiple certificates.
    Tip: Use the icon to use macros.
  6. Optional: Enable the Attest toggle to allow the device to send attestations and its key to the ACME server.
    Note: The ACME server evaluates trust and determines whether to provide the certificate.
  7. Optional: Use the Hardware Bound toggle to specify whether the private key is hardware-bound. If false, the private key is not bound to the device.
    Note: Setting this key to true is supported as of macOS 14 on Apple Silicon devices and on Intel devices that have a T2 chip. On older macOS versions or other Mac devices, this key is still required, but its value must be false.
    Note: If Attest is enabled, set Hardware Bound to true.
  8. Select Save.
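
As an added example (not part of the product or its documentation), the following Python check validates resolved ACME settings against the rules in steps 5 to 7 before rollout. It assumes the profile resolves to Apple's `com.apple.security.acme` payload keys (`ClientIdentifier`, `Attest`, `HardwareBound`); the device-fact fields (`name`, `macos_major`, `chip`), the helper names and the sample fleet are hypothetical and constructed for illustration.

```python
import plistlib
from collections import Counter

def payload(client_id, attest, hardware_bound):
    """Build a constructed sample payload (Apple key names are an assumption)."""
    return plistlib.dumps({"PayloadType": "com.apple.security.acme",
                           "ClientIdentifier": client_id,
                           "Attest": attest, "HardwareBound": hardware_bound})

def supports_hardware_bound(dev):
    """Page rule: macOS 14+ on Apple Silicon or Intel with a T2 chip."""
    return dev["macos_major"] >= 14 and dev["chip"] in ("apple_silicon", "intel_t2")

def check_fleet(fleet):
    """fleet: list of (device_facts, payload_bytes) -> list of (device, finding)."""
    parsed = [(dev, plistlib.loads(raw)) for dev, raw in fleet]
    id_counts = Counter(p.get("ClientIdentifier") for _, p in parsed)
    findings = []
    for dev, p in parsed:
        name, cid = dev["name"], p.get("ClientIdentifier")
        # Step 5: the identifier must single out one device.
        if not cid:
            findings.append((name, "ClientIdentifier is empty"))
        elif id_counts[cid] > 1:
            findings.append((name, "ClientIdentifier is not unique"))
        # Step 7: the key is always required, even when it must be false.
        if "HardwareBound" not in p:
            findings.append((name, "HardwareBound key is missing"))
            continue
        hardware_bound = p["HardwareBound"]
        if hardware_bound and not supports_hardware_bound(dev):
            findings.append((name, "HardwareBound must be false on this device"))
        # Steps 6 and 7: attestation requires a hardware-bound key.
        if p.get("Attest", False) and not hardware_bound:
            findings.append((name, "Attest is enabled but HardwareBound is false"))
    return findings

# Constructed sample fleet: device facts paired with the payload each would receive.
FLEET = [
    ({"name": "mac-a", "macos_major": 14, "chip": "apple_silicon"}, payload("dev-001", True, True)),
    ({"name": "mac-b", "macos_major": 13, "chip": "intel_t2"}, payload("dev-002", False, True)),
    ({"name": "mac-c", "macos_major": 14, "chip": "intel"}, payload("dev-003", True, False)),
    ({"name": "mac-d", "macos_major": 14, "chip": "intel_t2"}, payload("dev-001", False, True)),
]

if __name__ == "__main__":
    for device, finding in check_fleet(FLEET):
        print(f"{device}: {finding}")
```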

Results

You have successfully configured the Credential ACME profile.

What to do next

To distribute certificates to Apple devices, configure the Security Certificates profile. For more information, see Configuring Security Certificates.