Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!
Branding
Branding Branding
Login Check our Prices

Enrolling Device/Machine and User Certificates in Jamf

Introduction

For organizations that have shared devices, it is a best practice to issue both Device/Machine and User certificates to devices. The Device/Machine certificate allows the device to have a constant, secure, connection when users aren’t signed in. Then, when users sign in for the first time, the device can use that connection to receive a SCEP Profile to enroll the user for their User certificate that can uniquely identify them on the network.

If you are interested in setting up EAP-TLS Authentication, you can find the relevant instructions and resources at the following link: Deploy Client Certificates via SCEP to Jamf Managed Devices

In this guide, we will show you how to configure Jamf to enroll managed devices for both Device/Machine and User certificates.

Prerequisites

The following are the prerequisites to set up SCEP on Jamf:

  1. End users should enroll their devices in Jamf.
  2. Create a certificate for Apple push notifications and upload it in Jamf.

Configure SCEP Enrollment in SecureW2

The following are the high-level steps to set up certificate enrollment through SCEP.

Create an Intermediate CA for SCEP Gateway Integration

SecureW2 recommends having a new intermediate CA for JoinNow SCEP Gateway integration with Jamf as a best practice. The CA that issues certificates to BYOD devices should be separate from the CA that issues certificates to managed devices because managed devices do not require email notifications. You can disable email notifications for the dedicated CA issuing certificates to Jamf-managed devices.

To create a new intermediate CA:

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Navigate to PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that includes “SCEP.”
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period (in years) field, enter the validity period of the CA certificate.
  11. Click Save. The new intermediate CA is generated.

Create a Jamf Signing Certificate

NOTE: The CA that is configured in Policy Management > Enrollment Policies to issue certificates for Jamf enrollment requests should be the same CA with which you create this Signing Certificate.

To create a Jamf signing certificate:

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Navigate to PKI > Create Certificate.
  3. In the Device Info section, from the Operating System drop-down list, select an operating system.
  4. In the User Description field, enter a suitable description.
  5. In the MAC Address field, enter the MAC address of the device.
  6. In the Certificate Signing Request section, select the Generate Keypair and CSR option. The following attributes should be selected:
    1. From the Algorithm drop-down list, select an option. The options are:
      • RSA (default value).
        Here, the Key Size options are:
        • 2048 (default value)
        • 4096
      • ECC. Here, the Curve Type options are:
        • P-256 (secp256r1)
        • P-238(secp238r1)
  7. Select the Upload CSR option to create client certificates by using a .csr file. In the CSR File field, click the Choose File button to upload the .csr file.

    NOTE: The Distribution Format for the uploaded .csr file is only PKCS7.
  8. In the Subject field, enter the subject name of the certificate.
  9. In the Certificate Issuance Policy field, from the Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Create an Intermediate CA for SCEP Gateway Integration).
  10. From the Use Certificate Template drop-down list, select the certificate template you created earlier to create this certificate (see the Create a Jamf Certificate Template section).
  11. Select the Include Entire Certificate Chain checkbox to add the Root and Intermediate CA certificate to the certificate file.
  12. In the Distribution section,
    1. In the Format field, select a format for the certificate. The options are:
      • PKCS12
      • PEM
      • PVK
      • PFX
    2. In the Receive via field, select any one of the options to send the certificate file to a user.
      • Download – The file is downloaded to the user’s device.
      • E-Mail – The file is sent via email to the user. Enter the email address of the recipient.
  13. Click the Create button and a pop-up window opens.
  14. In the Password for private key pop-up window, enter the password for the certificate file and click Submit.

Create a Jamf Certificate Template

A certificate template determines how information is encoded in the certificate issued by the Certificate Authority (CA). The Certificate template consists of a list of certificate attributes and how the information must be encoded in the attribute values. These details are provided by the organization administrator in the Management Portal.

MDM usually has a certificate template you can configure using a SCEP gateway.

To create a Jamf certificate template, perform the following steps:

  1. Navigate to PKI > Certificate Authorities.
  2. Click Add Certificate Template.
  3. Under the Basic section, in the Name field, enter the name of the certificate template.
  4. In the Subject field, enter CN=${/device/computerIdentity:/auth/displayName:/device/identity}.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  8. In the SAN section:
    1. In the Other Name field, enter ${/auth/upn:/device/identity}.
    2. In the RFC822 field, enter ${/auth/email:/device/userDescription:/device/identity}.
    3. In the DNS field, enter ${/device/computerIdentity:/device/buildModel}.
    4. In the URI field, enter ${/auth/upn:/device/clientId}.
  9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  10. Click Save.

Generate a SCEP URL and Secret

To generate the SCEP URL and secret:

  1. Navigate to Identity Management > API Tokens.
  2. Click Add API Token.
  3. Under the Basic section, in the Name field, enter the name of the API token.
  4. In the Description field, enter a suitable description for the API token.
  5. From the Type drop-down list, select SCEP Enrollment Token.
  6. From the SCEP Vendor drop-down list, select JAMF.
  7. From the Certificate Authority drop-down list, select the CA you created earlier (see the Create an Intermediate CA for SCEP Gateway Integration section). If you do not select a CA, by default, the organization CA is chosen.
  8. Select the Enable Auto Revocation checkbox for certificate auto-revocation.
  9. In the Server URL field, enter the JAMF server URL.
  10. In the Authentication section, enter the credentials of a Read Only user.
    1. To create a Read Only user, log in to the Jamf portal.
    2. Click the Settings icon at the top-right corner.
    3. Click User accounts and groups.
    4. Click the + New button.
    5. In the Choose an Action section, select the Create Standard Account option and click Next.
    6. In the Account tab:
      • In the Username field, enter a username for the account.
      • From the Privilege Set drop-down list, select Custom.
      • Enter the other details, such as email address, password, and so on, in the respective fields.
      • Click Save.
    7. Navigate to the Privileges tab and click Edit. Select the READ checkbox for the following items.
      • Mobile Devices
      • Smart Computer Groups
      • Smart Mobile Device Groups
      • Static Computer Groups
      • Static Mobile Device Groups
      • Computers
    8. Click Save.
  11. In the Revocation Group section, enter the name of the computer and mobile device groups that contain the devices whose certificates are to be revoked.
    1. There are two kinds of groups you can create and add mobile devices and computers to the Revocation Group list.
      • Smart Device/Computer Groups (Revocation of devices/computers is based on set criteria)
      • Static Device/Computer Groups (Revocation of devices/computers is automatic when added to these groups)
  12. Click Save.

    To add Smart Device Groups

      1. Log in to the Jamf portal.
      2. Click Devices and select Smart Device Groups.
      3. Click the + New button.
      4. In the Display Name field, enter the name for the smart mobile device group.
      5. Navigate to the Criteria tab and click the + Add button.

        NOTE: You can create a group on a list of criteria and add devices to it. For example, we would revoke groups based on Last Inventory Update.

        With these criteria, Jamf syncs with a managed device regularly. When there is no update shared between the device and Jamf for a period of time, the certificate in the device is automatically revoked.

        Please refer to Jamf Learning Hub for more information on Smart Device/Computer group configurations.

      6. Click the Choose button.
      7. From the Operator drop-down, choose the period type/date based on which revocation should be applied.
      8. Enter the date/number of days in the Value field. In our example, the operator selected is more than x days ago and the Value is entered as 10. So, if an update between Jamf and the device has not occurred for more than 10 days. All certificates in the device will be revoked.
      9. Click Save. The Smart Device Group is created.

    NOTE: Click Computers and navigate to Smart Computer Groups, and follow the steps c to i explained above to set up Smart Computer Groups. The steps are the same for computer groups.

    To add Static Device Groups:

    1. Navigate to the Jamf portal.
    2. Click Devices and navigate to Static Device Groups.
    3. Click the + New button.
    4. In the Display Name field, enter the name for the static mobile device group.
    5. Navigate to the Assignments tab.
    6. Select the devices you want to add to this group.
    7. Click Save. The Static Device Group is created.

      NOTE: Click Computers and navigate to Static Computer Groups and follow steps c to g explained above to set up Static Computer Groups. The steps are the same for computer groups.

  13. Click the Test Connection button to verify that the connection works.
  14. Click Save. A .csv file containing the API secret and Enrollment URL is downloaded. In addition, the Enrollment URL is displayed on the screen.

    NOTE: Save this file securely. This file is downloaded only once at the time of token creation. If you lose this file, you can not retrieve the secret.

    NOTE: You can also refer to the steps in Configuring API Tokens (SCEP Enrollment Token) section in the JoinNow MultiOS and Connector Configuration Guide available in the JoinNow Management Portal.

Create a Roles Policy

A Roles policy grants a user access to defined resources.

To create a Roles policy:

  1. From the JoinNow MultiOS Management Portal, go to Policy Management > Roles Policies.
  2. Click Add Role.
  3. Under the Basic section, in the Name field, enter the name of the Role policy.
  4. In the Display Description field, enter a suitable description for the Role policy.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Identity Provider drop-down list, select the API token you created earlier (see the Generate a SCEP URL and Secret section).
  9. Click Update.

 

Create an Enrollment Policy

An enrollment policy validates the Roles and Device Role policies before issuing a certificate.

To create an enrollment policy:

  1. From the JoinNow Management Portal, go to Policy Management > Enrollment Policies.
  2. Click Add Enrollment Policy.
  3. Under the Basic section, in the Name field, enter the name of the Enrollment policy.
  4. In the Display Description field, enter a suitable description for the Enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Role drop-down list, select the role policy you created earlier (see the Create a Roles Policy section).
  9. From the Device Role drop-down list, select DEFAULT DEVICE ROLE POLICY.

    NOTE: You can use a fallback device policy to allow enrollment based on the Roles policy.

  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Create an Intermediate CA for SCEP Gateway Integration section).
  12. From the Use Certificate Template drop-down list, select the template you created earlier (see the Create a Jamf Certificate Template section).
  13. Retain the default values for the other settings.
  14. Click Update.

Set Up Certificate Enrollment via SCEP on Jamf

To set up certificate enrollment via SCEP on Jamf:

  1. Log in to the Jamf Pro console.
  2. Navigate to Settings (Gear icon on top right corner) > Global.
  3. Click PKI certificates.
  4. Navigate to the Management Certificate Template tab and then select the External CA tab.
  5. Click Edit.
  6. Select the Enable Jamf Pro as SCEP Proxy for configuration profiles checkbox.
  7. Copy the SCEP URL from the downloaded .csv file and paste it in the URL field.

    NOTE: You can also refer to the steps in the Configuring API Tokens (SCEP Enrollment Token) section in the JoinNow MultiOS and Connector Configuration Guide available in the JoinNow Management Portal.

    NOTE: Write to support@securew2.com to confirm that this URL works with the intermediate CA you configured in the Create an Enrollment Policy section. However, you can proceed with the remaining steps, and write to SecureW2 support should you notice any failure.

  8. From the Subject Alternative Name Type drop-down list, select None.
  9. From the Challenge Type drop-down list, select Static.
  10. Copy the Secret from the downloaded .csv file and paste it in the Challenge and Verify Challenge fields.
  11. From the Key Size drop-down list, select 2048. SecureW2 does not recommend selecting 1024.
  12. Click Save.
  13. Under the Signing Certificate section, click the Change Signing and CA Certificates button to upload the signing certificate you created in the Create a Jamf Signing Certificate section.

    NOTE: The signing certificate must be a certificate signed by the intermediate CA that is used for certificate enrollment and should include the complete CA chain (signing certificate, intermediate CA certificate, and root CA certificate).

Set Up Certificate Enrollment Using the PKI Certificate Assistant

To set up certificate enrollment using the PKI certificate, perform the following steps:

  1. On the Upload Keystore step, click Choose File and upload the PKCS12 file you downloaded in the Create a Jamf Signing Certificate section.
  2. Click Next.
  3. For Enter Password, in the Password field, enter the same password that you typed in the Password for private key pop-up window when you created the certificate in the Create a Jamf Signing Certificate section.
  4. Click Next.
  5. On the Choose Certificate step, from the Choose Certificate drop-down list, select the signing certificate created earlier and verify that the correct certificate chain is displayed.
  6. Click Next.
  7. On the Upload CA Certificate step, click Next to skip the upload. The CA certificate is already present in PKCS12.
  8. On the Complete step, click Done.

Set Up Jamf Configuration Profiles

This section explains how to set up Jamf configuration profiles for iOS and macOS.

Set Up a Jamf Configuration Profile for iOS

To set up a Jamf configuration profile for iOS, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click the + New button.


    NOTE    : To modify an existing configuration profile, open the profile and click Edit.
  3. Navigate to Options > General.
  4. In the Name field, enter the name of the profile.
  5. In the Description field, enter a suitable description for the profile.
  6. For Level – Device Level, use the following settings:
    1. From the Level drop-down list, select the Device Level option to connect to the network with a device certificate.
    2. From the Distribution Method drop-down list, select the Install Automatically or Make Available in Self Service option to distribute the profile.NOTE: You can only access the Distribution Method drop-down list at the Device Level.
    3. Navigate to Options > SCEP.
    4. Click Configure.
    5. Select the Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile checkbox.
    6. In the Name field, enter the common name of the intermediate CA that will be issuing the certificate for the client.NOTE: You can find the common name in the JoinNow Management Portal (see the Create an Intermediate CA for SCEP Gateway Integration section).
    7. From the Redistribute Profile drop-down list, select the desired number of days.
    8. In the Subject field, enter a value that will help the administrators identify the device. If you wish, you can make this a static value.Examples:
      • CN=$DEVICENAME
      • CN=$UDID
      • CN=$SERIALNUMBER

      NOTE: The value that you enter for Subject is referred to as a payload variable, and defines the common name that you want to be encoded on certificates.

      NOTE: You can find available iOS payload variables here: About This Guide

    9. From the Subject Alternative Name Type drop-down list, select RFC 822 Name. This is mandatory.

      Enter the payload variables. The values returned by these variables will be encoded as the Subject Alternative Name Value attributes on issued certificates. You must define three payload variables, each separated by a double semicolon.

      Examples:

      • $USERNAME;;$MACADDRESS;;$UDID
      • $USERNAME;;$MACADDRESS;;$EMAIL
    10. Click Save.
    11. Under the Scope section, update the scope for the devices to which the configuration profile will be pushed.

      NOTE: If you want to make changes to Jamf as SCEP proxy in Settings > Global Management > PKI Certificates > Management Certificate Template > External CA, first disable Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile. If you proceed without disabling this, it will affect the corresponding profile that is using Jamf as the SCEP proxy.

  7. For Level – User Level, use the following settings:
    1. From the Level drop-down list, select the User Level option to connect to the network with a user certificate.

      NOTE: You cannot install the User-level profiles manually or access them in Self Service. They are installed automatically.

    2. Click Save.

Set Up a Jamf Configuration Profile for macOS

To set up a Jamf configuration profile for macOS:

  1. From your Jamf Pro console, go to Computers > Configuration Profiles.
  2. Click the + New button.

    NOTE: To update an existing configuration profile, click Edit for the profile.
  3. Navigate to Options > General.
  4. In the Name field, enter the name of the profile.
  5. In the Description field, enter a suitable description for the profile.
  6. For Level Computer Level, use the following settings:
    1. From the Level drop-down list, select the Computer Level option to connect to the network with a device certificate.
  7. For LevelUser Level, use the following settings:
    1. From the Level drop-down list, select the User Level option to connect to the network with a user certificate.
  8. From the Distribution Method drop-down list, select the Install Automatically or Make Available in Self Service option to distribute the profile.
  9. Navigate to Options > SCEP.
  10. Click Configure.
  11. Select the Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile checkbox.
  12. In the Name field, enter the common name of the intermediate CA that will be issuing the certificate for the client.NOTE: You can find the common name in the JoinNow Management Portal (see the Create an Intermediate CA for SCEP Gateway Integration section).
  13. From the Redistribute Profile drop-down list, select the desired number of days prior to certificate expiration that the system should begin to display the expiration notice.
  14. In the Subject field, enter a value that will help the administrators identify the device. If you wish, you can make this a static value.Examples:
    • CN=$DEVICENAME
    • CN=$UDID
    • CN=$SERIALNUMBER

    NOTE: The value that you enter for Subject is referred to as a payload variable, and defines the common name that you want to be encoded on certificates.

    NOTE: You can find available OS X payload variables here: Payload Variables

  15. From the Subject Alternative Name Type drop-down list, select RFC 822 Name. This is mandatory.

    Enter the payload variables. The values returned by these variables will be encoded as the Subject Alternative Name Value attributes on issued certificates. You must define three payload variables, each separated by a double semicolon.

    Examples:

    • $USERNAME;;$MACADDRESS;;$UDID
    • $USERNAME;;$MACADDRESS;;$EMAIL
  16. In the Certificate Expiration Notification Threshold field, enter the number of days prior to certificate expiration that the system should begin to display the expiration notice.

    NOTE: Specify the number of days that is equal to or greater than 14 days to receive the notification of certificate expiration.
  17. Click Save.
  18. Under the Scope section, update the scope for the devices to which the configuration profile will be pushed.

    NOTE: If you want to make changes to Jamf as SCEP proxy in Settings > Global > PKI Certificates > Management Certificate Template > External CA, first disable Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile. If you proceed without disabling this, it will affect the corresponding profile that is using Jamf as SCEP proxy.

Set Up the Certificate Payload for RADIUS Connections

This section explains how to set up the certificate payload to validate your RADIUS server. If your RADIUS server certificate also has one or more CA certificates as part of the certificate chain, you can add those certificates (Root and Intermediate) to this payload.

NOTE: Do not upload the actual RADIUS server certificate. To set up the certificate payload, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Navigate to Options > Certificate.
  4. Click Configure.
  5. In the Certificate Name field, enter the name of the certificate. This will be the Common Name (Issued To name).
  6. From the Select Certificate Option drop-down list, select Upload.
  7. Click the Upload Certificate button.
  8. In the Certificate pop-up window, click the Choose File button and select the CA certificate you want to upload.
  9. Click Upload.
  10. Upload the certificate and then click Save.

    NOTE: If your setup has more than one RADIUS server for validation, you can add more than one Common Name with the same certificate payload configuration.

Set Up the Wi-Fi Payload

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Navigate to Options > Wi-Fi.
  4. Click Configure.
  5. In the Service Set Identifier (SSID) field, enter the name of the wireless network.
  6. Select any of the following Wi-Fi settings based on requirements.
    • Hidden Network
    • Auto Join
    • Disable Captive Network Detection
    • Disable MAC Address Randomization (iOS 14 or later)
  7. From the Security Type drop-down list, select WPA / WPA2-Enterprise.
  8. Under the Protocols tab, in the Accepted EAP Types section, select the TLS checkbox.
  9. Select the Trust tab.
  10. In the Trusted Certificates section, select the checkbox for the certificate you uploaded.

    NOTE: Along with validating a RADIUS server by certificates, you should also specify the RADIUS server certificate names for validation as an additional security measure. This is available in the Wi-Fi payload when you enable the certificate you just uploaded.
  11. In the CERTIFICATE COMMON NAME section, click Add.
  12. In the field that appears, enter the name of the RADIUS server used for validation and then click Save.
  13. Select the Protocols tab again. From the Identity Certificate drop-down list, select the CA from the SCEP payload.
  14. Click Save to save the Wi-Fi payload.

    NOTE: Using the previous steps for Devices and Computers, both iOS and macOS devices can be configured for Wi-Fi.

    When a device successfully enrolls, the Configuration Profiles table shows an increased value for Completed.

Schedule a Demo

Sign up for a quick demonstration and see how SecureW2 can make your organization simpler, faster, and more secure.

Schedule Now

Pricing Information

Our solutions scale to fit you. We have affordable options for organizations of any size. Click here to see our pricing.

Check Pricing