Set up certificates for managed mobile devices

This feature is available with G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium editions.

You can control user access to your organization’s Wi-Fi networks, internal apps, and internal websites on mobile devices by distributing device certificates from your on-premises Certificate Authority (CA). The Google Cloud Certificate Connector is a Windows service that securely distributes certificates and authentication keys from your Simple Certificate Enrollment Protocol (SCEP) server to users’ mobile devices. Learn more

Note: Private keys for the device certificates are generated on Google servers. The keys are purged from Google servers after the certificate is installed on the device or 24 hours, whichever comes first.

System requirements

  • Your organization uses Microsoft Active Directory Certificate Service for an SCEP server and the Microsoft Network Device Enrollment Service (NDES) to distribute certificates.

  • Device certificates can be distributed to iOS and Android devices under advanced mobile management. Learn more about device requirements.

  • Android devices must use the Android Device Policy app. The legacy Google Apps Device Policy app for Android isn’t supported. Learn more

Before you begin

  • If you need the certificate Subject name to use Active Directory usernames, you must sync your Active Directory and Google Directory with Google Cloud Directory Sync (GCDS). If necessary, set up GCDS.

  • If you haven’t already uploaded a CA Certificate in the Google Admin console, add a certificate.

Step 1: Download the Google Cloud Certificate Connector

Perform the following steps on the SCEP server or a Windows computer with an account that can sign in as a service on the SCEP server. Have the account credentials available.

If your organization has several servers, you can use the same certificate connector agent on all of them. Download and install the installation file, configuration file, and key file on one computer as described in the following steps. Then, copy those three files to the other computer and follow the setup instructions on that computer.

Note: You download the Google Cloud Certificate Connector and its components only once, when you first set up certificates for your organization. Your certificates and SCEP profiles can share a single certificate connector.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices. On the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  3. Click Secure SCEPand thenDownload Connector.
  4. In the Google Cloud Certificate Connector section, click Download. The download creates a folder on your desktop that contains the certificate connector. We recommend you download the other connector configuration files to this folder.
  5. In the Download the connector configuration file section, click Download. The config.json file downloads.

  6. In the Get a service account key section, click Generate key. The key.json​ file downloads.
  7. Run the certificate connector installer.
    1. In the installation wizard, click Next.
    2. Accept the terms of the license agreement and click Next.
    3. Choose the account that the service is installed for and click Next. The account must have privileges to sign in as a service on the SCEP server.
    4. Select the installation location. We recommend using the default. Click Next.
    5. Enter your service account credentials and click Next. The service installs.
    6. Click Finish to complete the installation.
  8. Move the configuration and key files (config.json and key.json) into the Google Cloud Certificate Connector folder created during installation, typically: C:\Program Files\Google Cloud Certificate Connector.
  9. Launch the Google Cloud Certificate Connector service:
    1. Open Windows Services.
    2. Select Google Cloud Certificate Connector in the list of services.
    3. Click Start to start the service. Ensure that the status changes to Running. The service automatically restarts if the computer reboots.

If you download a new service account key later, restart the service to apply it.

Step 2: Add a SCEP profile

The SCEP profile defines the certificate that lets users access your Wi-Fi network. You assign the profile to specific users by adding it to an organizational unit. You can set up several SCEP profiles to manage access by organizational unit and by device type.

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices. On the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  3. Click Create SCEP Profile.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Click Add Secure SCEP Profile.
  6. Enter the configuration details for the profile. If your CA issues a particular template, match the details of the profile to the template.
    • SCEP profile name—A descriptive name for the profile. The name is shown in the list of profiles and in the profile selector in the Wi-Fi network configuration.
    • Subject name format—Choose how you want to identify the certificate owner. If you select Fully Distinguished Name, the certificate Common Name is the user's username.
    • Subject alternative name—Provide an SAN. Default is None.
    • Signing algorithm—The hash function used to encrypt the authorization key. Only SHA256 with RSA is available.
    • Key usage—Options for how to use the key, key encipherment and signing. You can select more than one.
    • Key size (bits)—The size of the RSA key.
    • SCEP server URL—The URL of the SCEP server.
    • Certificate validity period (years)—How long the device certificate is valid. Enter as a number.
    • Renew within days—How long before the device certificate expires to try to renew the certificate.
    • Extended key usage—How the key can be used. You can choose more than one value.
    • Challenge type—To require Google to provide a specified challenge phrase when it requests a certificate from the SCEP server, select Static and enter the phrase. If you select None, the server doesn’t require this check.
    • Template name—The name of the template used by your NDES server.
    • Certificate Authority—The name of a certificate you uploaded to use as the Certificate Authority.
    • Network type this profile applies to​—The type of networks that use the SCEP profile.
    • Platforms this profile applies to—The device platforms that use the SCEP profile.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

After you add a profile, it's listed with its name and the platforms its enabled on. In the Platform column, the profile is enabled for platforms with blue icons and disabled for platforms with grey icons. To edit a profile, point to the row and click Edit"".

The SCEP profile is automatically distributed to users in the organizational unit.

Step 3: (Optional) Configure Wi-Fi networks to require the SCEP profile

Now that users’ mobile devices have received certificates from the SCEP server, you can configure Wi-Fi networks to require certificate authentication.

To select the certificate and apply the SCEP profile to a Wi-Fi network:

  1. Add a Wi-Fi configuration or edit an existing configuration.
  2. In the Platform access section, check the box for Android or iOS, or both.
  3. In the Details section, set the following:
    1. For Security settings, select WPA/WPA2 Enterprise (802.1 X) or Dynamic WEP (802.1 X).
    2. For the Extensible Authentication Protocol, select EAP-TLS or EAP-TTLS.
    3. For SCEP profile, select the SCEP profile you want to apply to this network.
  4. Click Save.

Now the first time that users try to connect to the Wi-Fi network, their device must provide the certificate.

  • For Android, the certificate corresponding to their SCEP profile and the network are automatically filled in, and the user clicks Connect.
  • For iOS, the user must choose the certificate to use and then click Connect.

How certificate authentication through Google Cloud Certificate Connector works

The Google Cloud Certificate Connector is a Windows service that establishes an exclusive connection between your SCEP server and Google. The certificate connector is configured and secured by a configuration file and a key file, both dedicated to your organization only.

You assign device certificates to users with SCEP Profiles. To assign the profile to users, you choose an organizational unit and add the profile to that organizational unit. The profile includes the Certificate Authority that issues device certificates. When a user enrolls their device for management, Google endpoint management fetches the user’s SCEP profile and installs the certificate on the device. If the device is already enrolled, the certificate is installed as part of a regular sync cycle.

When a user attempts to connect to your network, they are prompted to provide the certificate. On Android devices, the certificate is automatically selected and the user clicks Connect. On iOS devices, the user must select the certificate manually and then connect. The device accesses your organization’s network using a key negotiated by Google over the certificate connector. Google temporarily stores the key during the security negotiation, but purges the key once it’s installed on the device (or after 24 hours).

Known issues

  • Certificates can’t be revoked after they’re installed on a device.
  • SCEP profiles don’t support dynamic challenges.
  • SCEP profiles can’t be applied to VPN or Ethernet configurations.
  • Certificate chains longer than CA certificate-identity certificate, such as CA certificate-intermediate certificate-identity certificate, aren’t supported.


Google, G Suite, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?