Connect Fleet DM to Smallstep
Smallstep can integrate with Fleet DM to deploy certificates to your Fleet-managed devices. Fleet has a native Smallstep integration that makes it easy to configure Dynamic SCEP for certificate enrollment.
In this document, we will configure your Fleet instance for use with your Smallstep team.
Requirements
You will need:
- A Smallstep team with Pro features enabled
- A Fleet DM instance with MDM enabled for your target platforms
Client requirements:
- For SCEP certificate enrollment, devices must be MDM-enrolled in Fleet
- The Smallstep agent will need to reach the following domains:
smallstep.com api.smallstep.com gateway.smallstep.com control.infra.smallstep.com *.[team-name].ca.smallstep.com auth.smallstep.com att.smallstep.com
Supported platforms:
- macOS, iOS, iPadOS (via
.mobileconfigprofiles) - Windows (via
.xmlSyncML profiles) - Linux (via agent software deployment)
Step 1. Get a Fleet API token
Smallstep needs a Fleet API token to sync your device inventory. You can use a personal API token for testing, or create a dedicated API-only user for production use.
Option A: Use a personal API token
- In Fleet, click your profile icon in the top right and select My account
- Click Get API token
- Copy the token — you'll need it for the next step
Option B: Create an API-only user (recommended for production)
For production use, we recommend creating a dedicated API-only user for the Smallstep integration rather than using a personal account token. An API-only user cannot log into the Fleet UI and is intended for automated integrations.
You'll need the fleetctl CLI tool installed and authenticated with admin privileges.
-
Configure fleetctl with your Fleet server address:
fleetctl config set --address 'https://fleet.example.com'
-
Log in with your admin credentials:
fleetctl login
-
Create the API-only user:
fleetctl user create --name 'Smallstep' \ --email 'smallstep-api@example.com' \ --password 'your-secure-password' \ --api-only
-
The command will output an API token:
Success! The API token for your new user is: <TOKEN>
Copy this token — you'll need it for the next step.
The default role for API-only users is Observer, which grants read-only access to hosts and device information. This is the appropriate permission level for Smallstep device sync.
Step 2. Connect Fleet to Smallstep
Now you'll add your Fleet API credentials to Smallstep.
- In the Smallstep console, go to Settings → Device Management
- Under Available Providers, find Fleet and click Connect
- Fill in the fields:
- API Base URL: Your Fleet server URL (for example,
https://fleet.example.com) - API Token: Paste the API token from the previous step
- Name/Alias: An optional identifier for this connection (for example,
Production Fleet)
- API Base URL: Your Fleet server URL (for example,
- Click Connect MDM
- After connecting, temporarily save the following values:
- SCEP URL (for example,
https://your-team.scep.smallstep.com/p/agents/integration-fleet-abc123) - SCEP Challenge URL (for example,
https://your-team.scep.smallstep.com/webhook/abc123-def4-5678-9abc-def012345678/challenge) - Challenge Username
- Challenge Password
- Under Authority Certificates, download the Root CA certificate.
- SCEP URL (for example,
Within a few minutes, you will see your Fleet devices in the Devices tab. Your Smallstep device inventory syncs from Fleet approximately every four hours.
Now we'll add the Smallstep SCEP credentials to Fleet.
- In Fleet, go to Settings (click your profile icon in the top right)
- Navigate to Integrations → Certificate authorities
- Click Add CA
- From the dropdown, select Smallstep
- Fill in the fields:
- Name: A unique identifier using letters, numbers, and underscores only (for example,
SMALLSTEP_AGENT). Fleet will create configuration profile variables with this name as a suffix. - SCEP URL: Paste the SCEP URL from Smallstep
- Challenge URL: Paste the SCEP Challenge URL from Smallstep
- Username: Paste the Challenge Username from Smallstep
- Password: Paste the Challenge Password from Smallstep
- Name: A unique identifier using letters, numbers, and underscores only (for example,
- Click Add CA
Fleet will test the CA connection after you create it.
If you plan to use GitOps instead of the Fleet UI, skip this step and see the GitOps section below for the YAML-based alternative.
Step 4. Create SCEP configuration profiles
Fleet deploys certificates to devices using configuration profiles. You'll need to create profiles that include the SCEP payload with Fleet's dynamic variables.
Fleet provides these variables for Smallstep certificate enrollment:
| Variable | Description |
|---|---|
$FLEET_VAR_SMALLSTEP_SCEP_CHALLENGE_SMALLSTEP_AGENT | The dynamic SCEP challenge string |
$FLEET_VAR_SMALLSTEP_SCEP_PROXY_URL_SMALLSTEP_AGENT | The SCEP proxy URL for certificate requests |
$FLEET_VAR_SCEP_RENEWAL_ID | A unique renewal identifier for the device |
$FLEET_VAR_HOST_END_USER_EMAIL_IDP | The end user's email from the identity provider |
If you used a different name when adding the CA in Fleet, replace SMALLSTEP_AGENT accordingly.
macOS/iOS SCEP profile (smallstep-agent.mobileconfig)
Create a file called smallstep-agent.mobileconfig with the following structure.
This profile contains three payloads:
- SCEP payload: Issues a provisional SCEP certificate that the Smallstep agent uses for bootstrapping into a Device Attested environment
- Root CA trust payload: Installs the Smallstep Agent Root CA so the agent can validate its certificate chain.
To create this payload, open the downloaded
.pemfile in a text editor and copy the Base64-encoded certificate contents (everything between-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----, not including those lines) You will paste this value inside the<data>field of the Root CA trust payload below. - Agent Configuration: A configuration payload for the Smallstep Agent that includes your Smallstep team slug.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<!-- Payload 1: SCEP Certificate Enrollment -->
<dict>
<key>PayloadDisplayName</key>
<string>Smallstep SCEP</string>
<key>PayloadIdentifier</key>
<string>com.smallstep.scep</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>C15F6CB6-473E-4B66-9B5B-A7B01C07152F</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>$FLEET_VAR_SMALLSTEP_SCEP_CHALLENGE_SMALLSTEP_AGENT</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>2048</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>step-agent-bootstrap</string>
</array>
</array>
<array>
<array>
<string>OU</string>
<string>$FLEET_VAR_SCEP_RENEWAL_ID</string>
</array>
</array>
</array>
<key>URL</key>
<string>$FLEET_VAR_SMALLSTEP_SCEP_PROXY_URL_SMALLSTEP_AGENT</string>
</dict>
</dict>
<!-- Payload 2: Smallstep Agent Root CA Trust -->
<dict>
<key>PayloadDisplayName</key>
<string>Smallstep Agent Root CA</string>
<key>PayloadIdentifier</key>
<string>com.smallstep.root-ca</string>
<key>PayloadType</key>
<string>com.apple.security.pem</string>
<key>PayloadUUID</key>
<string>CCE7C356-A5DB-4796-86B5-E8DFAEA7F08E</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadContent</key>
<data>
<!-- Paste the Base64-encoded Root CA certificate here -->
</data>
</dict>
<!-- Payload 3: Smallstep Agent Settings -->
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.smallstep.Agent</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.smallstep.Agent.settings</string>
<key>PayloadUUID</key>
<string>EBEA31C0-C9A4-4862-A939-E16DA63DE35B</string>
<key>PayloadDisplayName</key>
<string>Smallstep Agent Settings</string>
<key>TeamSlug</key>
<string><team-slug></string>
<key>Certificate</key>
<string>mackms:label=step-agent-bootstrap;se=false;tag=</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Smallstep Agent</string>
<key>PayloadIdentifier</key>
<string>com.smallstep.Agent</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>18F9A37B-AEDB-4D9E-808F-F946ACBF3A46</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Smallstep Certificate</string>
<key>PayloadIdentifier</key>
<string>com.smallstep.certificate-profile</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>AD981C97-F3F4-41D8-996A-9DE254012810</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
- If you used a different CA name in Fleet, replace
SMALLSTEP_AGENTin the variable names accordingly. - Replace the
<team-slug>value with your Smallstep team slug
Windows SCEP profile (smallstep-scep.xml)
For Windows devices, create a file called smallstep-scep.xml using the SyncML format.
This profile mirrors the macOS profile above, enrolling a SCEP certificate
and trusting the Smallstep Agent Root CA.
To get the CA Thumbprint, go to Certificate Manager → Authorities, click View details on the Agents authority, and copy the Root Fingerprint (SHA-256).
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/KeyUsage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>160</Data>
</Item>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/KeyLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2048</Data>
</Item>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/HashAlgorithm</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SHA-1</Data>
</Item>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/SubjectName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CN=step-agent-bootstrap,OU=$FLEET_VAR_SCEP_RENEWAL_ID</Data>
</Item>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/EKUMapping</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1.3.6.1.5.5.7.3.2</Data>
</Item>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/ServerURL</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>$FLEET_VAR_SMALLSTEP_SCEP_PROXY_URL_SMALLSTEP_AGENT</Data>
</Item>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/Challenge</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>$FLEET_VAR_SMALLSTEP_SCEP_CHALLENGE_SMALLSTEP_AGENT</Data>
</Item>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/CAThumbprint</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>YOUR_ROOT_CA_SHA256_FINGERPRINT</Data>
</Item>
</Replace>
<Exec>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/Enroll</LocURI>
</Target>
</Item>
</Exec>
- Replace
YOUR_ROOT_CA_SHA256_FINGERPRINTwith the Root Fingerprint from the Smallstep Agents authority. - If you used a different CA name in Fleet, replace
SMALLSTEP_AGENTin the variable names accordingly.
Windows Root CA profile (smallstep-root-ca.xml)
To install the Smallstep Agent Root CA on Windows, create a second file called smallstep-root-ca.xml using the RootCATrustedCertificates CSP:
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/RootCATrustedCertificates/Root/YOUR_ROOT_CA_SHA256_FINGERPRINT/EncodedCertificate</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta>
<Data>
<!-- Paste the Base64-encoded Root CA certificate here -->
</Data>
</Item>
</Replace>
Step 5. Deploy the configuration profiles and Smallstep agent
Upload profiles
- In Fleet, go to Controls → OS settings → Custom settings
- Click Add profile
- Upload your
smallstep-agent.mobileconfigfile (for macOS/iOS) or your.xmlfiles (for Windows) - Assign the profile to your desired scope (teams or all devices)
The profiles will be deployed to devices at their next check-in. Fleet will automatically substitute the variables with the appropriate values for each device.
Deploy the agent
The last step is to deploy the Smallstep agent to your endpoints. The agent manages certificates and makes it easy to configure endpoints.
You can deploy the agent using Fleet's software deployment feature:
- Download the agent package:
- macOS: step-agent-plugin_latest.pkg
- Windows (x64): step-agent-plugin_latest_amd64.msi
- Windows (ARM64): step-agent-plugin_latest_arm64.msi
- Linux (Debian/Ubuntu x64): step-agent-plugin_amd64_latest.deb
- Linux (Debian/Ubuntu ARM64): step-agent-plugin_arm64_latest.deb
- Linux (RHEL/Fedora x64): step-agent-plugin_x86_64_latest.rpm
- Linux (RHEL/Fedora ARM64): step-agent-plugin_aarch64_latest.rpm
- In Fleet, go to Software, choose Custom Package, and add the package for distribution
Alternatively, you can use a separate software management system such as Munki to deploy the agent. See the Smallstep Agent manual installation guide for detailed instructions.
Linux agent configuration
Linux does not support MDM configuration profiles, so the SCEP enrollment flow used for macOS and Windows does not apply. Instead, the Smallstep agent on Linux registers directly using TPM attestation. After installing the agent package, you must configure it with your Smallstep team slug and CA fingerprint.
When adding a Linux agent package in Fleet, add the following post-install script to configure and start the agent:
#!/bin/bash
# Configure the Smallstep agent
mkdir -p /etc/step-agent
cat > /etc/step-agent/agent.yaml << EOF
team: "<your-team-slug>"
fingerprint: "<your-agents-ca-fingerprint>"
EOF
# Enable and start the agent service
systemctl daemon-reload
systemctl enable --now step-agent
Replace <your-team-slug> with your Smallstep team slug (found in Settings → Team), and <your-agents-ca-fingerprint> with the SHA-256 root fingerprint of your Smallstep Agents authority (found in Certificate Manager → Authorities under the Agents authority).
If your fleet includes multiple Linux distributions or architectures, create separate software entries for each package variant. Use Fleet labels to target .deb packages to Debian/Ubuntu hosts and .rpm packages to RHEL/Fedora hosts. See the GitOps section for a complete example with label targeting.
After deployment, Linux devices will self-register with your Smallstep team via TPM attestation. By default, new devices require admin approval in the Smallstep console. To automate approval, you can pre-register devices via API.
GitOps: Configure Fleet with fleetctl
As an alternative to Steps 3 through 5, you can manage your entire Fleet configuration with YAML files and the fleetctl gitops command. This approach is ideal for version-controlled, repeatable deployments.
Directory layout
A typical GitOps repository for Fleet looks like this:
fleet-gitops/
├── default.yml
├── teams/
│ └── team.yml
└── lib/
├── smallstep-agent.mobileconfig
├── smallstep-scep.xml
├── smallstep-root-ca.xml
└── smallstep-agent-setup.sh
default.yml— Organization-wide settings, including certificate authoritiesteams/team.yml— Per-team configuration for profiles and softwarelib/— Configuration profile files created in Step 4 and Linux agent setup script
Add the Smallstep CA
In default.yml, add the Smallstep certificate authority under org_settings:
org_settings:
certificate_authorities:
smallstep:
- name: SMALLSTEP_AGENT
url: <SCEP URL from Smallstep>
challenge_url: <SCEP Challenge URL from Smallstep>
username: $SMALLSTEP_CHALLENGE_USERNAME
password: $SMALLSTEP_CHALLENGE_PASSWORD
The $SMALLSTEP_CHALLENGE_USERNAME and $SMALLSTEP_CHALLENGE_PASSWORD values are environment variables. Set them before running fleetctl gitops:
export SMALLSTEP_CHALLENGE_USERNAME='your-challenge-username'
export SMALLSTEP_CHALLENGE_PASSWORD='your-challenge-password'
Add configuration profiles
In your team YAML file, reference the profile files from Step 4:
controls:
macos_settings:
custom_settings:
- path: ../lib/smallstep-agent.mobileconfig
windows_settings:
custom_settings:
- path: ../lib/smallstep-scep.xml
- path: ../lib/smallstep-root-ca.xml
Add the Smallstep agent software
In the same team YAML file, add the Smallstep agent packages:
software:
packages:
- url: https://packages.smallstep.com/stable/darwin/step-agent-plugin_latest.pkg
- url: https://packages.smallstep.com/stable/windows/step-agent-plugin_latest_amd64.msi
- url: https://packages.smallstep.com/stable/linux/step-agent-plugin_amd64_latest.deb
post_install_script:
path: ../lib/smallstep-agent-setup.sh
- url: https://packages.smallstep.com/stable/linux/step-agent-plugin_x86_64_latest.rpm
post_install_script:
path: ../lib/smallstep-agent-setup.sh
If your Linux fleet includes multiple architectures, add entries for each variant and use labels_include_any to target the correct package to each host:
- url: https://packages.smallstep.com/stable/linux/step-agent-plugin_amd64_latest.deb
post_install_script:
path: ../lib/smallstep-agent-setup.sh
labels_include_any:
- Ubuntu Linux
- url: https://packages.smallstep.com/stable/linux/step-agent-plugin_arm64_latest.deb
post_install_script:
path: ../lib/smallstep-agent-setup.sh
labels_include_any:
- Ubuntu Linux
- url: https://packages.smallstep.com/stable/linux/step-agent-plugin_x86_64_latest.rpm
post_install_script:
path: ../lib/smallstep-agent-setup.sh
labels_include_any:
- Red Hat Linux
- url: https://packages.smallstep.com/stable/linux/step-agent-plugin_aarch64_latest.rpm
post_install_script:
path: ../lib/smallstep-agent-setup.sh
labels_include_any:
- Red Hat Linux
Adapt the label names to match your Fleet label configuration. Fleet includes built-in labels for common Linux distributions. For architecture-specific targeting, you can create custom labels using osquery queries (for example, SELECT 1 FROM system_info WHERE cpu_type = 'x86_64').
Apply the configuration
Run fleetctl gitops to apply the configuration:
fleetctl gitops -f default.yml -f teams/team.yml
Use --dry-run to validate your configuration before applying:
fleetctl gitops -f default.yml -f teams/team.yml --dry-run
The --dry-run flag is useful for CI pipelines. You can run it on pull requests to validate configuration changes before merging.
Confirmation
To confirm certificate deployment:
- In Fleet, go to Hosts and select a device that received the profile
- Check the OS settings status to verify the profile was applied successfully
- In the Smallstep console, go to Devices to verify the device has enrolled and received a certificate
On the device itself:
- macOS: Open Keychain Access and look for a certificate issued by your Smallstep authority
- iOS/iPadOS: Go to Settings → General → VPN & Device Management to view installed profiles
- Windows: Open certmgr.msc and check the Personal certificates store
- Linux: Run
sudo systemctl status step-agentto verify the agent is running, and check/var/lib/step-agentfor certificate files
Last updated on February 5, 2026
Introducing
Device Identity
Ensure that only company-owned devices can access your enterprise's most sensitive resources.
