Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!
Branding
Branding Branding
Login Check our Prices

Deploy Client Certificates via SCEP to Jamf Managed Devices

When using certificate-driven authentication for your Wi-Fi network, the way you issue client certificates to your devices is important. With devices managed by an MDM such as Jamf, Simple Certificate Enrollment Protocol (SCEP) can simplify the process.

SCEP allows digital certificates to be issued and managed automatically. It eliminates the need for human interaction by letting devices automatically seek and receive certificates from a Certificate Authority (CA). SCEP allows businesses to greatly improve their security by doing away with the weaknesses of password-based authentication.

SCEP, when used in tandem with Jamf, streamlines the process of issuing client certificates to devices under Jamf’s control. This simplified method automates the enrolment of certificates without requiring complicated settings from end users. In this configuration guide, you’ll learn how to set up SCEP profiles in Jamf, which will facilitate the easy rollout of client certificates and increase the safety of your wireless network.

Configuring EAP-TLS and SCEP for SecureW2 Managed Device Gateway API:

EAP-TLS is a lightweight Extensible Authentication Protocol – Transport Layer Security, highly secure and frequently used authentication mechanism within the EAP flexible authentication architecture. It uses the TLS protocol’s security characteristics to build a secure communication channel between the client device and the authentication server. EAP-TLS passes EAP messages across the client and server, which contain the cryptographic certificates and keys required for mutual authentication. EAP Transport Layer Security, unlike other EAP methods such as EAP-Password or EAP-PEAP, EAP-PSK, EAP-TTLS does not send plaintext passwords over the network, making it extremely resistant to password eavesdropping and dictionary attacks. Instead, it uses digital certificates and private keys to ensure the authentication process’s secrecy and integrity.

Setting up EAP-TLS and SCEP with SecureW2’s Managed device gateway is essential for ensuring secure certificate-based authentication. Here’s a step-by-step guide.

  1. Using SecureW2’s PKI Services, begin by configuring the Intermediate CA, the actual certificate format, and the SCEP Gateway URL
  2. In the Jamf management portal, upload your new Signing Certificate
    • Your network will now trust certificates and will integrate with Access Points from all major vendors
  3. Enter the SCEP URL as the avenue in which the certificates will be distributed
  4. Prepare the Jamf Wi-Fi and SCEP Profiles for macOS and iOS devices
    • The certificate payload and Wi-Fi payload will be sent via the SCEP URL and will equip devices with trusted certificates and your organization’s customized wireless settings
  5. Once completed, devices can begin requesting certificates and be configured for a WPA2-Enterprise EAP-TLS network protected by certificate-based security.
    • Managed devices will be authenticated by an existing RADIUS Server from any major vendor or The SecureW2 Cloud RADIUS

Prerequisites:

These are the prerequisites for setting SCEP profile on Jamf:

Configuring a SCEP Gateway for certificate enrollment with SecureW2

Setting up a SCEP gateway is critical in certificate authority administration and safe certificate deployment. The SCEP streamlines certificate enrollment inside an organization by allowing for the smooth acquisition of client certificates through certificate signing requests. Configuring an issuing Intermediate Certificate Authority (CA), which serves as an intermediate between the root CA and end-user devices, is part of this procedure. The SCEP gateway guarantees that client certificates are provided with suitable security mechanisms by handling certificate requests, validity periods, and certificate templates. Furthermore, the SCEP gateway is important in certificate revocation, allowing for the effective processing of expired or compromised certificates and ensuring the overall security of the certificate management protocol. Organizations may use the SCEP gateway to install and maintain server certificates and client certificate, ensuring secure communication and data security throughout their network security architecture.

The following are the high-level steps to set up certificate enrollment through SCEP via the JoinNow Management Portal:

  1. Creating an Intermediate CA for SCEP Gateway Integration
  2. Creating a Jamf Certificate Template
  3. Creating a Jamf Signing Certificate
  4. Generating an SCEP URL and Secret
  5. Policy Management

Creating an Intermediate CA for SCEP Gateway Integration

As a best practice, SecureW2 recommends having a new intermediate CA for JoinNow SCEP Gateway integration with Jamf. The CA issuing certificates to BYOD devices should be separate from the CA issuing certificates to managed devices, because managed devices don’t require email notifications. You can disable email notifications for the dedicated CA issuing certificates to Jamf managed devices.

To create a new intermediate CA:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. In the Common Name field, enter a name. SecureW2 recommends a name that includes “SCEP.”
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period (in years) field, enter the validity period for the Intermediate CA in terms of the number of years.
  11. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select the frequency interval for which a certificate expiration notification should be sent to users.
    2. Select the Notify user on the successful Enrollment checkbox to notify users after a successful enrollment.
    3. If the RFC has a valid email address, the user will receive the certificate issued or expired notification; otherwise, they will not receive the notification.
  12. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
    2. From the Reason Code drop-down list, select any one of the following reasons for which the certificate is revoked.
      • Certificate Hold
      • AA Compromise
      • Privilege Withdrawn
      • Unspecified
    3. If the user uses SecureW2 RADIUS, auto revocation will take place.
  13. Click Save. This generates the new intermediate CA.

Creating a Certificate Template for Jamf

Setting up a tailored SCEP certificate template is a pivotal step in the realm of certificate management protocols.

To create a Jamf Certificate Template, perform the following steps:

  1. Navigate to PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click Add Certificate Template.
  3. In the Basic section, for the Name field, enter the name of the certificate template.
  4. In the Subject field, enter CN=${/auth/displayName:/device/identity:/csr/subject/commonname}. This fetches the common name configured in the Jamf.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. In the Override Validity Period field, choose a specific date to bypass the validity period.
  8. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  9. Under the SAN section, enter the following values:
    1. In the Other Name field, enter ${/device/clientId}
    2. In the RFC822 field, enter ${/device/clientId}
    3. In the DNS field, enter ${/device/buildModel}
    4. In the URI field, enter ${/device/userDescription}

  10. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  11. Click Save.

Creating a Signing Certificate for Jamf

Jamf requires a signing certificate to sign custom configuration profiles and packages. These profiles are then automatically trusted when installed on managed devices.

The signing certificate can be created from the JoinNow Management Portal using the Create Certificate option.

NOTE: The CA that is configured in Policy Management > Enrollment Policies to issue certificates for Jamf enrollment requests should be the same CA with which you create this signing certificate.

To create a Jamf signing certificate, follow these steps:

  1. Navigate to PKI > Create Certificate.
  2. In the Device Info section, from the Operating System drop-down list, select an operating system.
  3. In the User Description field, enter a suitable description.
  4. In the MAC Address field, enter a unique MAC address.
  5. In the Certificate Signing Request section, select the Generate Keypair and CSR option to generate a keypair and CSR file and create client certificates.
  6. From the Algorithm drop-down list, select RSA.
  7. From the Key Size drop-down list, select 2048.
  8. In the Subject field, enter the common name (the recommended name format for the certificate is “Jamf Signing Certificate”. This helps in easy identification of the CA).
  9. In the Other Name field, enter the same value as in the Subject field. Ignore the other fields.
  10. In the Certificate Issuance Policy section, from the Certificate Authority drop-down list, select the intermediate CA created earlier for issuing certificates to clients using SCEP (refer to the Creating an Intermediate CA for SCEP Gateway Integration section).
  11. From the Use Certificate Template drop-down list, select the certificate template created in the Creating a Certificate Template for Jamf section.
  12. Select the Include Entire Certificate Chain checkbox. This is mandatory.
  13. In the Distribution section, for the Format field, select PKCS12.
  14. In the Receive via field, select Download.

  15. Click the Create button, and a Password for private key pop-up window opens. Enter the password for the certificate file and click Submit.

Generating a SCEP URL and Secret

The SCEP URL serves as an endpoint using which managed devices can connect with the SCEP server and enroll for certificates. The secret is also passed along to Jamf’s external CA for authentication of these certificate requests.

A SCEP URL and secret can be generated by creating an API Gateway in the JoinNow Management Portal.

Additionally, the tokens created for SCEP Enrollment can also be used in Policy Management to assign a user/device role based on the token in the incoming request.

To generate the SCEP URL and secret, perform the following steps:

  1. Navigate to Identity Management > API Gateways.
  2. Click Add API Gateway.
  3. In the Basic section, in the Name field, enter the name of the API Gateway.
  4. In the Description field, enter the description for the API Gateway.
  5. From the Type drop-down list, select SCEP Enrollment Token.
  6. From the Vendor drop-down list, select JAMF.
  7. From the Certificate Authority drop-down list, select the Intermediate CA created in the Creating an Intermediate CA for SCEP Gateway Integration​ section. If you do not select a CA, by default, the organization CA is chosen.
  8. From the Challenge Type drop-down list, select the Static option. The Static Challenge Type utilizes a consistent challenge for all enrollment requests.
  9. Click Save. A .csv file containing the API secret and Enrollment URL is downloaded, and the Enrollment URL is displayed on the screen.

    NOTE: Save this file securely. It is downloaded only once during token creation. If you lose it, you can not retrieve the secret.

  10. The page refreshes and displays the Auto Revocation and Attribute Mapping tabs.
  11. In the Auto Revocation section, select the Enable Auto Revocation checkbox for certificate auto-revocation.
  12. In the Server URL field, enter the JAMF server URL.
  13. In the Authentication section, enter the credentials of a Read-Only user. Refer to the Creating a Read Only user in Jamf section for further configurations.
  14. In the Revocation Group section, enter the name of the computer and mobile device groups. These groups are created in the Jamf Portal to identify and group the devices based on configurable criteria like non-compliance or old devices that need to be deleted. JoinNow Management Portal revokes the certificates of these devices as soon as Jamf identifies and moves them to these groups. Refer to the Configuration of Auto Revocation Based on Computer/Device Groups in Jamf section for further configurations.
  15. Click the Test Connection button to verify that the connection works.

  16. Click Update.

NOTE: You can also refer to the steps in Configuring API Gateway (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide, which is available in the Management Portal.

Policy Management

This section describes the configuration process for different policies concerning certificate enrollment and network access. Through Policy Management, diverse rules can be set for each policy, which helps in selecting the correct certificate template for issuing the appropriate certificate to users. Likewise, Network Policy allows for the configuration of various rules to be applied based on user and device roles during network authentication.

When these rules align with the configured attributes during network authentication, suitable network attributes can be applied to the devices.

Configuring a Policy Engine Workflow

To configure a Policy Engine Workflow, follow these steps:

  1. Navigate to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Basic section, enter the name of the Policy Engine Workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy engine workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. From the Identity Provider drop-down list, select the API token you created in the Generating a SCEP URL and Secret section.
  9. Click Update.

Creating Enrollment Policy

To add an Enrollment Policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment Policies.
  2. Click Add Enrollment Policy.
  3. Under the Basic section, in the Name field, enter the name of the enrollment policy.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Role list, select the role policy you created in the Configuring a Policy Engine Workflow section.
  9. From the Device Role list, select DEFAULT DEVICE ROLE POLICY.
  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA created in the Creating an Intermediate CA for SCEP Gateway Integration section.
  12. From the Use Certificate Template drop-down list, select the template created in the Creating a Certificate Template for Jamf section.
  13. In the other settings, retain the default values.
  14. Click Update.

Setting up Certificate Enrollment via SCEP on Jamf

Before we can setup the SCEP Profile in Jamf, we need to configure our SecureW2 Certificate Authority as an External Certificate Authority in Jamf. In order to configure a Jamf Profile for the Simple Certificate Enrollment Protocol (SCEP), we need to configure our CA in our Global Management settings.

  1. Log in to the Jamf Pro console.
  2. Navigate to Settings > Global.
  3. Click PKI certificates.
  4. Select the Management Certificate Template tab, select External CA, and click Edit.
  5. Select the Enable Jamf Pro as SCEP Proxy for configuration profiles checkbox.
  6. In the URL field, enter the new SCEP URL you saved in the CSV file.

    NOTE: You can also refer to the steps in Configuring API Tokens (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide available in the Management Portal.
  7. In the Name field, enter the name of the certificate issuing CA created in the JoinNow Management portal.
  8. In the Subject field, enter CN=$DEVICENAME
  9. From the Subject Alternative Name Type drop-down list, select None.
  10. From the Challenge Type drop-down list, select Static.
  11. In the Challenge and Verify Challenge fields, enter the Secret from the CSV file you downloaded in the Generating a SCEP URL and Secret section.
  12. From the Key Size drop-down list, select 2048. SecureW2 does not recommend selecting “1024”.
  13. Click Save.
  14. Under the Signing Certificate section, click Change Signing and CA Certificates to upload the signing certificate you created in the Creating a Signing Certificate for Jamf section.
  15. On the Upload Keystore step, click Choose File and upload the PKCS12 file you downloaded in the Creating a Signing Certificate for Jamf section.
  16. Click Next.
  17. On the Enter Password step, enter the password you entered in the Password for private key prompt in the Creating a Signing Certificate for Jamf section when you created the certificate.
  18. Click Next.
  19. On the Choose Certificate step, verify that the correct CA certificate is selected from the Choose Certificate drop-down list and that the correct certificate chain is displayed.
  20. Click Next.
  21. On the Upload CA Certificate step, click Next to skip the upload. The CA certificate is already present in PKCS12.
  22. On the Complete step, click Done.

Configuration in Jamf Portal

Configuration profiles are XML files that are pushed to end-user devices along with certificates. These configuration files help Jamf MDM in the effective management of mobile devices, computers, and users, allowing for seamless SCEP certificate enrollment and WPA2-Enterprise security.

This section explains how to set up Jamf configuration profiles for iOS and macOS.

Setting up of Jamf Configuration Profiles

This section explains how to set up Jamf configuration profiles for iOS and macOS.

For iOS

To set up a Jamf configuration profile for iOS, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click + New.

    NOTE: To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. In the Name field, enter a name that can reflect the profile for the specific OS.
  5. In the Description field, enter a descriptive text explaining the purpose of this configuration.
  6. From the Distribution Method drop-down list, select Install Automatically or Make Available in Self-Service.

For macOS

To set up a Jamf configuration profile for macOS:

  1. From your Jamf Pro console, go to Computers > Configuration Profiles.
  2. Click New.

    NOTE: To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. In the Name field, enter a name for the OS profile. E.g. MacOS_Office.
  5. In the Description field, enter a description for the configuration profile.
  6. From the Level drop-down list, select Computer Level.
  7. From the Distribution Method drop-down list, select Install Automatically or Make Available in Self Service.

Setting up the JAMF as SCEP Proxy for Configuration Profiles

Jamf can deploy configuration profiles that install certificates for users to access wireless networks. By setting up Jamf as the SCEP proxy in the configuration profile, Jamf communicates with the SCEP server to download and install the certificate directly on macOS or iOS devices.

This section explains how to set up Jamf as a SCEP proxy for the iOS and macOS configuration profiles.

To set up Jamf as a SCEP proxy, perform the following steps:

  1. From your Jamf Pro console, go to Options > SCEP. The steps are similar for both the iOS and macOS configuration profiles.
  2. Click Configure.
  3. Select the Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile checkbox.
  4. In the Name field, enter the common name of the intermediate CA that will issue the certificate for the client. The common name can be found in the JoinNow Management Portal.
  5. From the Redistribute Profile drop-down list, select the desired number of days.
  6. In the Subject field, enter a value that will help the administrators identify the device. If you wish, you can make this a static value.

    Examples:
    CN=$DEVICENAME
    CN=$UDID
    CN=$SERIALNUMBER

    NOTE: What you enter as Subject and Subject Alternative Name are referred to as payload variables, and define the common name that you want to be encoded on certificates. You can find available iOS payload variables here: https://docs.jamf.com/9.9/casper-suite/administrator-guide/iOS_Configuration_Profiles.html

  7. From the Subject Alternative Name Type drop-down list, select RFC 822 Name. This is mandatory.
  8. In the Subject Alternative Name Value field, use the appropriate variables from the list below according to the business requirements.

    clientId;deviceConfigId;buildModel;buildVersion;userDescription;deviceConfigName;enrollmentPolicyId;organizationId;language;profileId;operatingSystem;osVersion

    The values returned by these variables will be encoded as the Subject Alternative Name Value attributes on issued certificates.

    Example:

    If the customer wants to use variables such as clientId, buildModel, and profileId, they should use the format mentioned below.
    clientId;;buildModel;;;;;;;profileId;;

    You can use the appropriate variables and skip the rest but retain the semicolons in the list.
  9. Click Save.
  10. Navigate to the Scope section and update the scope for the devices to which the configuration profile will be pushed.


NOTE: If you want to change Jamf as an SCEP proxy in Settings > Global > PKI Certificates > Management Certificate Template > External CA, first disable the Use the External Certificate Authority settings to enable Jamf Pro as an SCEP proxy for this configuration profile checkbox. If you proceed without disabling this, it will affect the corresponding profile using Jamf as an SCEP proxy.

Setting up the Certificate Payload for RADIUS Server Certificate Validation

This section explains how to set up the certificate payload so our devices can perform Server Certificate Validation. This is a form of server authentication that is a standard part of any of the EAP protocols aka Extensible Authentication Protocol. Since Cloud RADIUS will be the authentication server, you must upload its RADIUS server authentication certificate.

If your RADIUS server certificate also has one or more intermediate CA certificates as part of the certificate chain, you can add those certificates (Root and Intermediate) to this payload.

NOTE: Do not upload the actual RADIUS server certificate.

This section explains how to set up a Certificate Payload for RADIUS Connections. It applies to both iOS and macOS configuration profiles.

To set up a certificate payload, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles. The steps 2 to 10 are similar for both the iOS and macOS configuration profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Certificate.
  4. Click Configure.
  5. In the Certificate Name field, enter the name of the certificate being added. This will be the Common Name (Issued To).
  6. From the Select Certificate Option drop-down list, select Upload.
  7. Click Upload Certificate.
  8. On the Certificate pop-up window, click Choose File and upload the issuing Root CA from the JoinNow Management portal under PKI > Certificate Authorities.
  9. Click Upload.
  10. After the certificate uploads, click Save.

NOTE: If the setup has more than one RADIUS server for validation, you can add more than one Common Name with the same certificate payload configuration.

Setting up the Wi-Fi Payload

WiFi profile/payload helps in configuring the device to connect to the preferred secure network. Jamf includes built-in Wi-Fi settings that the admin can configure and deploy to the devices in your organization. This Wi-Fi profile can be assigned based on different Device users and Device groups.

This section explains how to set up Wi-Fi Payload for iOS and macOS devices.

To set up the Wi-Fi Payload for iOS, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles. For macOS devices, navigate to Computers > Configuration Profiles > Edit > Options > Network. Steps 4 to 16 are similar for both the iOS and macOS configuration profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Wi-Fi.
  4. Click Configure.
  5. In the Service Set Identifier (SSID) field, enter the name of the secure network.
  6. Select other applicable settings as per the organization’s requirements.
  7. From the Security Type drop-down list, select WPA2 Enterprise (iOS 8 or later except Apple TV).
  8. Under the Network Security Settings section, select the Protocols tab.
  9. In the Accepted EAP Types section, select the TLS checkbox.
  10. Click the Trust tab.
  11. In the Trusted Certificates section, select the checkbox for the certificate you uploaded.


    NOTE: Along with validating a RADIUS server by certificates, specify the RADIUS server certificate names for validation as an additional security measure. This is available in the Wi-Fi payload when the uploaded certificate is enabled.
  12. In the CERTIFICATE COMMON NAME section, click + Add.
  13. In the field that appears, enter the name of the RADIUS server used for validation, and then click Save.
  14. Navigate back to the Protocols tab.
  15. From the Identity Certificate drop-down list, select the CA from the SCEP payload.
  16. Click Save to save the Wi-Fi payload.

When a device successfully enrolls, the Configuration Profiles table shows an increased value for Completed.

Admins can also check for successful certificate enrollment under Data and Monitoring > General Events. The Chrome device enrolled will display a Certificate Issued message.

Configuration of Auto Revocation Based on Computer/Device Groups in Jamf

JoinNow Management Portal facilitates auto revocation of the certificates based on device groups configured in the Jamf portal. There are two kinds of groups you can create and add mobile devices and computers to the Revocation Group list:

  1. Smart Device/Computer Groups (Revocation of devices/computers is based on set criteria)To add Smart Device Groups:
    1. From your Jamf Pro console, go to Devices > Smart Device Groups. For Smart Computer Groups, please click on Computers. Steps II to VIII are similar for both the Smart Device Groups and Computer Groups.
    2. Click + New.
    3. Under the Mobile Device Group tab, in the Display Name field, enter a name for your group.
    4. Navigate to the Criteria tab and click Add. You can establish a set of criteria for a group and add devices when they meet the specified conditions.

      In the following example, the criterion used is the Last Inventory Update.

      Jamf synchronizes with managed devices regularly. If an update between a device and Jamf has not occurred within the configured time interval, Jamf verifies that the criteria have been met and automatically moves the device to this group. The relevant device information is then shared with the JoinNow Management Portal, and the corresponding certificate on the device is automatically revoked.

      Please refer to https://docs.jamf.com/10.42.0/jamf-pro/documentation/Smart_Groups.html for more information on Smart Device/Computer group configurations.

    5. Click Choose.
    6. From the OPERATOR drop-down list, choose the period type/date based on which revocation should be applied.
    7. In the VALUE field, enter the date/number of days. In our example, the OPERATOR selected is more than x days ago, and the VALUE entered is “10”. So, if an update between Jamf and the device has not occurred for more than 10 days, all certificates in the device will be revoked.
    8. Click Save. The Smart Device Group is created.
  2. Static Device/Computer Groups (Revocation of devices/computers is automatic when added to these groups)
    1. From your Jamf Pro console, go to Devices > Static Device Groups. For Static Computer Groups, please click on Computers. Steps II to VI are similar for both the Static Device Groups and Computer Groups.
    2. Click + New.
    3. Under the Mobile Device Group tab, in the Display Name field, enter a name for your group.
    4. Navigate to the Assignments tab.
    5. Select the devices you want to add to this group by clicking the checkbox.
    6. Click Save.

Creating a Read-Only user in Jamf

To create a Read Only user in Jamf:

  1. From your Jamf Pro console, go to Settings > User accounts and groups.
  2. Click the + New button.
  3. On the Choose an Action step, select the Create Standard Account option and click Next.
  4. In the Account tab:
      1. In the Username field, enter a username for the account.
      2. From the Privilege Set drop-down list, select Custom.
      3. Enter the other details, such as email address, password, and so on, in the respective fields.
      4. Click the Privileges tab and select the READ checkbox for the following items.
        1. Mobile Devices
        2. Smart Computer Groups
        3. Smart Mobile Device Groups
        4. Static Computer Groups
        5. Static Mobile Device Groups
        6. Computers

      5. Click Save.

Secure EAP-TLS 802.1x with SecureW2's SCEP Gateway

In the past, issuing certificates to all the devices on a network was a challenge. With Jamf and SecureW2’s SCEP gateways, this problem has a simple and elegant solution. Organizations can eliminate the requirement for Pre shared Key and improve the overall effectiveness of authentication by following the  steps described in this article and configuring Jamf to issue certificates.

SecureW2 doesn’t just make issuing certificates to Jamf-managed devices easy – also simplify revoking certificates with our Auto-Revocation feature. With auto-revocation, our managed device gateways will check smart and static groups in Jamf every several minutes. Devices with certificates in those groups will be automatically revoked.

This setup has several advantages, including automating certificate enrollment and revocation procedures. Certificates issued by SecureW2’s PKI Platform can be used for more than only Jamf-managed devices, including Bring Your Own Device (BYOD) Wi-Fi, Virtual Private Network (VPN), Web application authentication, and PIV-backed Smart Cards. 

Explore an affordable security solution that exceeds all expectations. Click here for a free cost estimate.

Jamf is a registered trademark in the United States of America and/or other countries. All other trademarks, logos, and service marks mentioned on this website are the property of SecureW2 or their respective owners.

Schedule a Demo

Sign up for a quick demonstration and see how SecureW2 can make your organization simpler, faster, and more secure.

Schedule Now

Pricing Information

Our solutions scale to fit you. We have affordable options for organizations of any size. Click here to see our pricing.

Check Pricing