Cloud PKI · No NDES Required

Cloud SCEP Server — Your NDES Alternative

Replace NDES with a cloud SCEP gateway that handles certificate enrollment automatically. Simple Certificate Enrollment Protocol (SCEP) lets your MDM push WiFi certificates to every device — passwordless authentication via EAP-TLS, zero infrastructure. Works with Intune SCEP, Jamf SCEP, Google Admin, Workspace ONE, and all major MDMs.

Trusted by 1,000+ organizations in 108 countries

MDM Certificate Deployment Partners

  • Microsoft Intune
  • Jamf Pro
  • Google Admin
  • Workspace ONE
  • + All Major MDMs

1,000+ Organizations · 108 Countries · 50M+ Authentications/Month

IronWiFi's cloud SCEP server is a complete NDES alternative for automated certificate enrollment using the Simple Certificate Enrollment Protocol (SCEP). It is a managed SCEP gateway with a built-in cloud PKI and cloud certificate authority: it handles corporate certificate management and deploys the WiFi certificates used for passwordless authentication via EAP-TLS. It integrates with Intune SCEP profiles, Jamf SCEP certificate deployment, Google Admin, Workspace ONE certificates, and all MDM certificate deployment platforms to provide certificate-based authentication on WPA-Enterprise networks.

Why Replace NDES? Cloud SCEP Is the Better Way

See what changes when you switch from NDES to a cloud SCEP server (spoiler: it's all good news)

The Old Way (NDES)

  • You'll need a Windows Server running NDES
  • Don't forget AD Certificate Services
  • Plan for 2-4 weeks just for setup
  • Budget a significant annual amount for infrastructure
  • You're on the hook for certificate renewals
  • Patches and maintenance? That's on you too
  • Server goes down? Everyone's offline
  • Multiple sites? More servers, more headaches

The Better Way (IronWiFi)

  • No servers to manage - it's all in the cloud
  • Skip the AD complexity entirely
  • Set up in minutes, not weeks
  • Included with your plan - no extra cost
  • Certificates renew themselves
  • We handle the updates so you don't have to
  • High availability with built-in redundancy
  • All your sites, one simple platform

<15 min to get up and running · 80% fewer "WiFi not working" tickets · 100% password-free · Zero servers to maintain

What Makes This SCEP Certificate Server Different?

SCEP certificate enrollment should be simple. Here's how we made corporate certificate management actually painless.

No NDES Required — Cloud SCEP Gateway

No Windows Servers, no AD Certificate Services, no infrastructure costs. Just point your MDM at our cloud SCEP endpoint and you're done.

Set It and Forget It

Certificates issue, renew, and revoke themselves. No calendar reminders, no panicked renewal scrambles, no manual work.

Every Device You've Got

Windows, Mac, iPhone, Android, Chromebook, Linux — doesn't matter. If your MDM can push a SCEP profile, we issue the certificate. Full SCEP MDM integration out of the box.

Passwordless WiFi with EAP-TLS

EAP-TLS is the gold standard for WiFi auth. Both sides verify each other, so credential theft and phishing become non-issues.

Always On, Everywhere

Our SCEP endpoints run across multiple regions with automatic failover — because reliability matters.

Know Every Device

Each device gets its own certificate. Lost a laptop? Revoke just that one. Need an audit trail? You've got it.

Cloud PKI vs. On-Prem PKI: The Real Difference

With traditional PKI, you're managing servers, dealing with AD, and constantly maintaining infrastructure. With us? You're not.

Capability            On-Prem PKI      IronWiFi
Setup Time            Days/Weeks       15 minutes
NDES Server           Required         Not needed
AD Integration        Complex          Optional
Maintenance           IT Team          Fully managed
Certificate Renewal   Manual           Automatic
Redundancy            Extra servers    Built-in

How Does SCEP Certificate Enrollment Work?

The Simple Certificate Enrollment Protocol handles everything in four steps. That's it. Seriously.

1. Your MDM Does Its Thing

It pushes a SCEP profile to the device with our enrollment URL. You've done this before — same process.

2. Device Asks for a Certificate

The device creates a key pair and sends a signing request to our SCEP gateway. All automatic, nothing for you to do.

3. We Sign and Send It Back

We validate the request, sign the certificate, and send it right back. Takes seconds.

4. Device Connects to WiFi

The certificate handles authentication automatically. No passwords to type, no prompts to dismiss. It just works.
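
Before a client sends the signing request in step 2, it can ask the gateway which algorithms and operations it supports (the GetCACaps operation of RFC 8894). The following is an added example, not IronWiFi's code: it parses such a response and reports the capabilities worth confirming before an MDM profile is pointed at an endpoint. The function names, the `scep.example.test` URL and both sample responses are constructed for illustration.

```python
"""Audit a SCEP GetCACaps response (RFC 8894, section 3.5.2)."""

# Keywords that "SCEPStandard" implies according to RFC 8894.
IMPLIED_BY_STANDARD = {"aes", "postpkioperation", "sha-256"}

# Capability -> why its absence matters for enrollment (steps 2 and 3).
EXPECTED = {
    "sha-256": "no SHA-256: requests may be signed with an older digest such as SHA-1",
    "aes": "no AES: the request envelope may fall back to 3DES or DES",
    "postpkioperation": "no POST: the request travels base64-encoded in the GET URL",
    "renewal": "no Renewal: renewing means a fresh enrollment, not a request "
               "signed by the current certificate",
}


def caps_url(enroll_url: str) -> str:
    """Build the GetCACaps query for a SCEP enrollment URL."""
    sep = "&" if "?" in enroll_url else "?"
    return f"{enroll_url}{sep}operation=GetCACaps"


def parse_cacaps(body: str) -> set[str]:
    """Parse the plain-text body: one keyword per line, CRLF or LF."""
    # Lower-casing is a robustness choice made here; unknown keywords are kept.
    caps = {line.strip().lower() for line in body.splitlines() if line.strip()}
    if "scepstandard" in caps:
        caps |= IMPLIED_BY_STANDARD
    return caps


def audit(body: str) -> list[str]:
    """Return one finding for every expected capability that is missing."""
    caps = parse_cacaps(body)
    return [msg for cap, msg in EXPECTED.items() if cap not in caps]


# Constructed sample responses, not captured from any real gateway.
MODERN = "AES\r\nPOSTPKIOperation\r\nRenewal\r\nSHA-256\r\nSHA-512\r\nSCEPStandard\r\n"
LEGACY = "DES3\nSHA-1\nGetNextCACert\n"

if __name__ == "__main__":
    print(caps_url("https://scep.example.test/scep"))
    for name, body in (("modern", MODERN), ("legacy", LEGACY)):
        findings = audit(body)
        print(name, "OK" if not findings else findings)
```

An empty result from `audit` means the endpoint advertises SHA-256, AES, HTTP POST and renewal; each finding names one missing capability.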

The Complete NDES Alternative — No Servers, No AD, No Hassle

We've all been there: Windows Server, AD Certificate Services, IIS config, registry edits, constant patching... it's exhausting. Here's what life looks like when you skip all that.

No Servers. Period.

No Windows Server licenses. No hardware to maintain. No 3 AM pager alerts when something breaks. We run everything in the cloud.

Skip the AD Complexity

You don't need AD Certificate Services. You don't need a PKI hierarchy. We've handled all that so you don't have to.

Actually Fast Setup

Create a SCEP profile, point it at our endpoint, push to devices. That's it. No weeks of troubleshooting IIS errors.

Save 90% compared to running your own NDES

Why Certificate-Based Authentication Beats Passwords

Here's a sobering stat: 80% of WiFi security breaches involve stolen credentials. Certificate-based authentication eliminates that entire attack surface. Instead of passwords that can be phished, shared, or brute-forced, each device gets a unique X.509 certificate that proves its identity cryptographically. This is the corporate certificate management approach that security teams and compliance auditors prefer.

  • Nothing to steal, phish, or accidentally share
  • Evil twin attacks don't work anymore
  • You can't brute-force a certificate
  • Lost device? One click and it's locked out
  • Know exactly which device connected and when

0 passwords to worry about · 80% smaller attack surface · <1s to revoke access · 99.99% uptime SLA

Who's Using Cloud SCEP for WiFi Certificates?

Pretty much anyone who wants secure WiFi without the complexity

BYOD Setups

Stop sharing WiFi passwords with everyone. Give each personal device its own certificate instead.

Company Devices

Your MDM already manages these devices. Let it push certificates too — completely automatic.

Multiple Offices

Got offices around the world? One platform handles certificates for all of them. No per-site infrastructure.

Regulated Industries

Need SOC 2 and PCI-DSS compliance? We've got you covered. Auditors love certificates.

Anyone Using Shared Passwords

If your whole company knows the WiFi password, it's not really a password anymore. Certificates fix that.

Printers, Scanners, and IoT

Headless devices need network access too. Certificates let them connect securely without human interaction.

"We ditched our NDES setup and our WiFi support tickets dropped 80%. The whole migration took less than a day. Best part? Our users don't even notice — their devices just connect now. No more password complaints."

Kevin Wilson, Director of IT

Global Financial Services — 2,500 devices

Questions You're Probably Asking

Here's what most people want to know

Wait, I really don't need an NDES server?

Nope! That's the whole point. We run the SCEP gateway in the cloud. You don't need NDES, AD Certificate Services, or any PKI infrastructure at all.

Will this work with my MDM?

Almost certainly yes. We work with Intune, Jamf, Google Admin, Workspace ONE, Kandji, Meraki SM, MobileIron — basically anything that can push SCEP profiles.

What about certificate renewals?

They happen automatically before expiration. Your MDM handles it in the background — users never even know it's happening.

Someone lost a laptop - can I cut them off?

Instantly. One click in our console (or an API call) and that certificate is revoked. The device can't connect anymore, but everyone else is unaffected.

I already have a RADIUS server - is that a problem?

Not at all. We include Cloud RADIUS, but our certificates work with any RADIUS that supports EAP-TLS. FreeRADIUS, Cisco ISE, whatever you've got.

What about personal devices that aren't in our MDM?

For those, users can self-enroll through our web portal. They verify their identity, get a certificate, and they're good to go.

What is SCEP (Simple Certificate Enrollment Protocol)?

SCEP — Simple Certificate Enrollment Protocol — is the industry standard for automated certificate enrollment. It lets MDM platforms like Intune, Jamf, and Workspace ONE automatically request, issue, and renew certificates on managed devices. IronWiFi runs a cloud SCEP server so you get all the benefits of SCEP certificate enrollment without running NDES or any PKI infrastructure.

Can IronWiFi handle corporate certificate management at scale?

Yes. Our cloud PKI and SCEP gateway handle corporate certificate management for organizations from 50 to 50,000+ devices. Certificates issue, renew, and revoke automatically. You get a single console for every certificate across every site — no per-location infrastructure needed.

SOC 2 Type II · GDPR Compliant · RSA 2048-bit Keys · Availability SLA · HIPAA Ready
