Certificate Enrollment Validation with Jamf & SCEP

Are you using Jamf to manage your endpoints and worried about impersonation attacks when adopting SCEP to distribute X.509 certificates? Then this configuration is for you.

At SecureW2 we understand this security concern of our Jamf customers and have devised a double-protection solution: a Jamf account lookup while issuing certificates, combined with a SCEP challenge that is dynamic. Read on to protect all your managed devices.

The following are high-level steps for setting up Jamf Account Lookup for Certificate Enrollment with a dynamic SCEP challenge in SecureW2’s JoinNow.

  1. Create an Intermediate CA
  2. Generate a Certificate Template
  3. Create a Signing Certificate for Jamf
  4. Make a compliance group in Jamf
  5. Configure an Identity Lookup Provider
  6. Create a SCEP API gateway
  7. Manage Policies in JoinNow
  8. Set up Certificate Enrollment via SCEP in Jamf
  9. Configure Webhooks in Jamf for dynamic SCEP challenge
  10. Set up Configuration profiles in Jamf

Creating an Intermediate CA

It is recommended to have a new intermediate CA for enrolling devices using SCEP Gateway integration with Jamf for easy management.

To create a new intermediate CA:

  1. From your JoinNow Management Portal, go to PKI > Certificate Authorities.
  2. Click Add Certificate Authority.
  3. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  4. From the Type drop-down list, select Intermediate CA.
  5. From the Certificate Authority drop-down, select the default Root CA that comes with your organization.
  6. For the Common Name field, enter a name.
  7. Click Save.

Creating a Certificate Template for Jamf

A certificate template determines the information to be encoded in the certificate issued by the Certificate Authority.

To create a Jamf Certificate Template for account lookup:

  1. Navigate to PKI > Certificate Authorities.
  2. Click Add Certificate Template.
  3. In the Basic section, for the Name field, enter the name of the certificate template.
  4. The Subject field can be configured to source its values from Jamf.
    1. To use the attributes sent from Jamf, enter CN=${/auth/displayName:/device/identity:/csr/subject/commonname:/device/clientId}
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  8. In the SAN section:

    1. In the Other Name field, enter ${/auth/upn:/device/identity:/csr/san/othername:/device/clientId}
    2. In the RFC822 field, enter ${/auth/email:/device/identity:/csr/san/rfc822name}
    3. In the DNS field, enter ${/device/computerIdentity:/device/buildModel:/csr/san/dnsname}
    4. In the URI field, enter ${/csr/san/uniformresourceidentifier}
  9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  10. Click Save.
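The `${...}` template fields above chain several attribute paths separated by colons. As an added illustration (not SecureW2 code; the fallback semantics are an assumption based on the order in which the paths are listed: the first path carrying a non-empty value wins), the following Python resolves the template fields against a constructed set of request attributes, so you can see what ends up in the Subject and SAN of an issued certificate, and that a field with no resolvable value is left out rather than encoded as an empty string.

```python
import re
from typing import Mapping, Optional

# Constructed sample of the attributes a SCEP enrollment request might carry,
# keyed by the slash-separated paths used in the template fields above.
# Hypothetical values; the real attribute set comes from SecureW2/Jamf.
SAMPLE_ATTRIBUTES = {
    "/auth/displayName": "Jane Doe",
    "/auth/upn": "jane.doe@example.com",
    "/auth/email": "jane.doe@example.com",
    "/device/clientId": "C02ABC123XYZ",
    "/device/buildModel": "iPhone 12 mini",
    "/csr/subject/commonname": "C02ABC123XYZ",
    "/csr/san/rfc822name": "",  # present but empty: must not win the fallback
}

# The template fields exactly as entered in the certificate template steps above.
TEMPLATE_FIELDS = {
    "subject": "CN=${/auth/displayName:/device/identity:/csr/subject/commonname:/device/clientId}",
    "othername": "${/auth/upn:/device/identity:/csr/san/othername:/device/clientId}",
    "rfc822": "${/auth/email:/device/identity:/csr/san/rfc822name}",
    "dns": "${/device/computerIdentity:/device/buildModel:/csr/san/dnsname}",
    "uri": "${/csr/san/uniformresourceidentifier}",
}

_PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def resolve_placeholder(spec: str, attrs: Mapping[str, str]) -> Optional[str]:
    """Return the first non-empty attribute among the colon-separated paths (assumed semantics)."""
    for path in spec.split(":"):
        value = attrs.get(path.strip())
        if value:
            return value
    return None


def render_field(template: str, attrs: Mapping[str, str]) -> Optional[str]:
    """Expand every ${...} in one template field; None if any placeholder resolves to nothing."""
    unresolved = False

    def substitute(match: re.Match) -> str:
        nonlocal unresolved
        value = resolve_placeholder(match.group(1), attrs)
        if value is None:
            unresolved = True
            return ""
        return value

    rendered = _PLACEHOLDER.sub(substitute, template)
    return None if unresolved else rendered


def render_certificate_fields(attrs: Mapping[str, str]) -> dict:
    """Render all template fields; fields with no resolvable value are omitted entirely."""
    rendered = {}
    for name, template in TEMPLATE_FIELDS.items():
        value = render_field(template, attrs)
        if value is not None:
            rendered[name] = value
    return rendered


if __name__ == "__main__":
    for field_name, value in render_certificate_fields(SAMPLE_ATTRIBUTES).items():
        print(f"{field_name}: {value}")
```

With the constructed attributes, the Subject becomes `CN=Jane Doe` because the user's display name is present; when only device attributes are available (no `/auth/...` values), the same Subject template falls through to the device's client ID, which is why the template can serve both user-bound and device-only enrollments.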

Creating a Signing Certificate for Jamf

Jamf requires a signing certificate to sign custom configuration profiles and packages. These profiles are then automatically trusted when installed on managed devices.

The signing certificate can be created from the JoinNow Management Portal using the Create Certificate option.

  1. Navigate to PKI > Create Certificate.
  2. In the Device Info section, from the Operating System drop-down list, select an operating system.
  3. For User Description, enter a suitable description.
  4. For MAC Address, enter a unique MAC address.
  5. In the Certificate Signing Request section, select the Generate Keypair and CSR option to generate a keypair and CSR file, and create client certificates.
  6. From the Algorithm drop-down list, select RSA.
  7. From the Key Size drop-down, select 2048.
  8. For the Subject field, enter the common name (the recommended name format for the certificate is “Jamf Signing Certificate.” This helps to easily identify the CA).
  9. In the Other Name field, enter the same value as in the Subject field.
  10. Ignore the other fields.
  11. In the Certificate Issuance Policy section, from the Certificate Authority drop-down list, select the intermediate CA created earlier for issuing certificates to clients using SCEP.
  12. From the Use Certificate Template drop-down list, select the certificate template created earlier.
  13. Select the Include Entire Certificate Chain checkbox. This is mandatory.
  14. In the Distribution section, for the Format field, select PKCS12.
  15. In the Receive via field, select Download.
  16. Click the Create button, and a Password for private key pop-up window opens. Enter the password for the certificate file and click Submit.
Creating Compliance Group in Jamf

After enrolling your devices in Jamf for management (any enrollment method can be used), create a compliance group in Jamf with your set of requirements.

  1. Go to Devices > Smart Device Groups > Create New.
  2. Give the group an appropriate name and set the Criteria (a sample is given below).
  3. Click Save.

This sample configuration means that all mobile devices of the iPhone 12 mini model running iOS version 18.0 become part of this Compliance group.

Creating an Identity Lookup Provider in JoinNow

To create an Identity Lookup Provider for Jamf SCEP based enrollment:

  1. Navigate to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. Enter a Name and Description for the IDP in the respective fields.
  4. From the Type drop-down list, select Jamf Identity Lookup.
  5. Click Save. The page refreshes and opens the Configuration, Attribute Mapping, and Groups tab.
  6. Click on the Configuration tab.
  7. In the Provider URL field, enter the Jamf URL of your organization.
  8. In the Username field, enter your (Admin’s) Jamf username.
  9. In the Password field, enter your (Admin’s) Jamf Password.
  10. Click Validate to validate your connection with Jamf.
  11. Under the Attribute Mapping section, click Add.
  12. In the Local Attribute field, enter email.
  13. From the Remote Attribute drop-down list, select User Defined, and enter Email in the field that appears next to the Remote Attribute field.
  14. Click Next.
  15. Create groups in the Groups tab. This is the Compliance group you created in the previous step, which contains all your compliant devices.
  16. Click Update.

Creating an API Gateway

The SCEP URL is the endpoint through which managed devices connect to the SCEP server and enroll for certificates. The secret is also passed to Jamf's external CA configuration to authenticate these certificate requests.

A SCEP URL and secret can be generated by creating an API Gateway in the JoinNow Management Portal.

Additionally, the tokens created for SCEP Enrollment can be used in Policy Management to assign a user/device role based on the token in the incoming request.

To create an API Gateway, perform the following steps:

  1. Navigate to Identity Management > API Gateways.
  2. Click Add API Gateway.
  3. In the Basic section, in the Name field, enter the name of the API Gateway.
  4. In the Description field, enter the description for the API Gateway.
  5. From the Type drop-down list, select SCEP Enrollment Token.
  6. From the Vendor drop-down list, select JAMF.
  7. From the Certificate Authority drop-down list, select the Intermediate CA created previously. If you do not select a CA, by default, the organization CA is chosen.
  8. From the Challenge Type drop-down list, select the Dynamic option. The Dynamic Challenge Type generates a unique challenge for each enrollment request internally, providing an additional layer of security.
  9. From the JAMF Identity Lookup Provider drop-down list, select the JAMF Identity Lookup Provider created.
  10. The URL used for authentication is displayed in the Challenge URL field.
  11. Click Save. A .csv file containing the API secret and Enrollment URL is downloaded, and the Enrollment URL is displayed on the screen.

    NOTE: Save this file securely. It is downloaded only once, during token creation. If you lose it, you cannot retrieve the secret.
  12. The page refreshes and displays the Auto Revocation and Attribute Mapping tabs.
  13. Click the Auto Revocation tab.
  14. Select the Enable Auto Revocation checkbox for certificate auto-revocation.
  15. In the Server URL field, enter the JAMF server URL.
  16. In the Authentication section, enter the credentials of a user.
  17. In the Revocation Group section, if required, enter the names of the mobile device groups that contain devices to be revoked. These groups are created in the Jamf Portal to identify and group devices based on configurable criteria, such as non-compliance or old devices that need to be deleted. The JoinNow Management Portal revokes the certificates of these devices as soon as Jamf identifies them and moves them into these groups.

  18. Click the Test Connection button to verify that the connection works.
  19. Click Update.

Policy Management in JoinNow

Policy Management allows you to create lookup policies and roles for user and device groups, which can also be used in SecureW2 to create custom certificate enrollment policies.

Creating an Account Lookup Policy:

Account Lookup Policy can be mapped along with the Jamf Identity Lookup provider created earlier for device lookup.

  1. From the JoinNow Management Portal, go to Policy Management > Account Lookup Policies.
  2. Click Add Account Lookup Policy.
  3. In the Basic tab, enter a Name and Description in respective fields.
  4. Click Save. The page refreshes and the Settings tab is displayed.
  5. From the Identity Provider Lookup drop-down, select the Jamf Lookup IDP created in the previous step.
  6. From the Identity drop-down, select Client ID (device serial number).
  7. Choose Certificate Issuance as the Lookup Purpose, so that during enrollment the device is looked up in the Compliance group created in Jamf.
  8. Click Update.

Creating a Policy Engine Workflow

  1. Go to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Basic section,
    1. In Name field, enter a name for the policy.
    2. In the Description field, enter a description for the policy.
  4. Click Save.
  5. On the displayed page, click the Conditions tab.
  6. Click Save. The page refreshes and automatically selects the Conditions tab.
  7. In the Conditions section, click the Identity Provider drop-down and select the Identity Lookup Provider you created in the earlier section. Note that the Group you specified while creating the Identity Lookup Provider automatically appears as a condition here.

    This means that when a Certificate Issuance request is sent to SecureW2 from a Jamf-managed device, its serial number is looked up in the Jamf tenant specified in the Identity Lookup Provider. If it exists there, a certificate is issued.

Creating an Enrollment Policy

This policy attaches the Policy Engine Workflow to certificate enrollment and also decides the CA and certificate template used for it.

  1. From the JoinNow Management Portal, go to Policy Management > Enrollment Policies.
  2. Click Add Enrollment Policy.
  3. In the Basic tab, for Name, enter a name.
  4. For Description, enter a description.
  5. Click Save. The page refreshes and displays the Conditions and Settings tab.
  6. In the Conditions section, for Role, select the user role policy you created in the Policy Engine Workflow section.
  7. For Device Role, retain the default one.
  8. From the Use Certificate Template drop-down, choose the certificate template created for this Jamf SCEP enrollment.

Setting Up Certificate Enrollment via SCEP on Jamf

Setting up SCEP in Jamf requires configuring SecureW2's Certificate Authority as an External Certificate Authority in Jamf. To configure an external CA in Jamf:

  1. Log in to the Jamf Pro console.
  2. Navigate to Settings > Global.
  3. Click PKI certificates.
  4. Select the Management Certificate Template tab, select External CA, and click Edit.
  5. Select the Enable Jamf Pro as SCEP Proxy for configuration profiles checkbox.
  6. In the URL field, enter the new SCEP URL you saved in the CSV file.
  7. In the Name field, enter the name of the certificate.
  8. In the Subject field, enter “CN=$DEVICENAME.”
  9. From the Subject Alternative Name Type drop-down list, select None.
  10. From the Challenge Type drop-down list, select Dynamic.
  11. From the Key Size drop-down list, select 2048. SecureW2 does not recommend selecting 1024.
  12. Click Save.
  13. Under the Signing Certificate section, click Change Signing and CA Certificates to upload the signing certificate you created in the Creating a Signing Certificate for Jamf section.
  14. On the Upload Keystore step, click Choose File and upload the PKCS12 file you downloaded.
  15. Click Next.
  16. On the Enter Password step, enter the password you entered in the Password for private key prompt when you created the signing certificate.
  17. Click Next.
  18. On the Choose Certificate step, verify that the correct CA certificate is selected from the Choose Certificate drop-down list and that the correct certificate chain is displayed.
  19. Click Next.
  20. On the Upload CA Certificate step, click Next to skip the upload. The CA certificate is already present in PKCS12.
  21. On the Complete step, click Done.

Configuring Webhook in Jamf

Configuring Webhooks in Jamf is an important step for creating a dynamic challenge. The webhook setting in Jamf sends a request to JoinNow CloudConnector for a dynamic challenge. The JoinNow CloudConnector validates the user in Jamf by performing a lookup, and upon successful validation, a dynamic challenge is issued to Jamf.

To configure a webhook, perform the following steps:

  1. Log in to the Jamf Pro console.
  2. Navigate to Settings > Global.
  3. Click Webhooks.
  4. Click New.
  5. In the Name field, enter the display name of the webhook.
  6. In the Webhook URL field, enter the Challenge URL obtained from the Creating an API Gateway section.
  7. From the Authentication Type drop-down list, select the Header Authentication option.
  8. In the Header Authentication field, enter {"Authorization":"Bearer <secret>"}
  9. In the Content Type field, select one of the options for sending the webhook information:
    • JSON
    • XML
  10. From the Webhook Event drop-down list, select SCEPChallenge to trigger the Webhook event.
  11. Click Save.
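The two pieces this section and the Dynamic challenge type in Creating an API Gateway rely on are (a) authenticating the webhook call with the bearer secret and (b) handing back a challenge that is unique per request, bound to the device that was looked up, short-lived and usable once. The following Python is an added example of that server-side logic, not JoinNow CloudConnector code. Jamf's SCEPChallenge payload format and CloudConnector's response shape are not shown on this page, so the field names `webhook.webhookEvent`, `event.serialNumber` and the `challenge` response key, the 300-second lifetime and the secret value are all placeholders chosen for the example; the compliance lookup is simulated with a set of serial numbers.

```python
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Mapping, Optional, Set, Tuple

# Placeholder for the API secret downloaded in the CSV when the API Gateway was created.
WEBHOOK_SECRET = "REPLACE-WITH-API-SECRET-FROM-CSV"
CHALLENGE_TTL_SECONDS = 300  # assumed lifetime; the real value is not stated on this page


@dataclass
class ChallengeStore:
    """Outstanding challenges: challenge -> (serial it was issued for, expiry epoch seconds)."""
    pending: dict = field(default_factory=dict)


def verify_bearer(authorization_header: Optional[str], expected_secret: str) -> bool:
    """Check the {"Authorization":"Bearer <secret>"} header configured in step 8, in constant time."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False
    presented = authorization_header[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def handle_scep_challenge_webhook(headers: Mapping[str, str], body: str,
                                  compliant_serials: Set[str], store: ChallengeStore,
                                  now: Optional[float] = None) -> Tuple[int, dict]:
    """Process one SCEPChallenge webhook call; returns (HTTP status, JSON-able response).

    Field names in the payload are hypothetical (see lead-in)."""
    now = time.time() if now is None else now
    if not verify_bearer(headers.get("Authorization"), WEBHOOK_SECRET):
        return 401, {"error": "bad webhook credentials"}
    try:
        payload = json.loads(body)
        event_name = payload["webhook"]["webhookEvent"]
        serial = payload["event"]["serialNumber"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed payload"}
    if event_name != "SCEPChallenge":
        return 400, {"error": "unexpected event"}
    # The account lookup: only devices in the Jamf compliance group get a challenge.
    if serial not in compliant_serials:
        return 403, {"error": "device not in compliance group"}
    challenge = secrets.token_urlsafe(32)  # unique per request
    store.pending[challenge] = (serial, now + CHALLENGE_TTL_SECONDS)
    return 200, {"challenge": challenge}


def consume_challenge(store: ChallengeStore, challenge: str, serial: str,
                      now: Optional[float] = None) -> bool:
    """Validate the challengePassword carried in the CSR when the device enrolls.

    The challenge must exist, be bound to this serial and be unexpired; pop() makes it single-use,
    so a replayed CSR with the same challenge is refused."""
    now = time.time() if now is None else now
    entry = store.pending.pop(challenge, None)
    if entry is None:
        return False
    issued_for, expires_at = entry
    return issued_for == serial and now <= expires_at


if __name__ == "__main__":
    store = ChallengeStore()
    body = json.dumps({"webhook": {"webhookEvent": "SCEPChallenge"},
                       "event": {"serialNumber": "C02ABC123XYZ"}})
    status, response = handle_scep_challenge_webhook(
        {"Authorization": "Bearer " + WEBHOOK_SECRET}, body, {"C02ABC123XYZ"}, store)
    print(status, response)
    print("first use:", consume_challenge(store, response["challenge"], "C02ABC123XYZ"))
    print("replay:", consume_challenge(store, response["challenge"], "C02ABC123XYZ"))
```

The point of the constant-time comparison is that the bearer secret is the only thing standing between an arbitrary HTTP client and a valid challenge, so it deserves the same care as any API key; the point of binding the challenge to the looked-up serial is that a challenge issued for a compliant device cannot be reused to enroll a different one.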

Configurations in Jamf

Setting up configuration profiles in Jamf

Configuration profiles are XML files that are pushed to end-user devices along with certificates. These configuration files help Jamf MDM effectively manage mobile devices, computers, and users.

This section explains how to set up Jamf configuration profiles for iOS.

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click New. To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. In the Name field, enter a name that can reflect the profile for the specific OS.
  5. In the Description field, enter a descriptive text explaining the purpose of this configuration.
  6. From the Distribution Method drop-down list, select Install Automatically or Make Available in Self-Service.

Setting up Jamf as SCEP Proxy for Configuration Profiles

Jamf can deploy configuration profiles that install user certificates in endpoints. By setting up Jamf as the SCEP proxy in the configuration profile, Jamf communicates with the SCEP server to download and install the certificate directly on macOS or iOS devices.

This section explains how to set up Jamf as a SCEP proxy for the iOS configuration profiles.

To set up Jamf as a SCEP proxy, perform the following steps:

  1. From your Jamf Pro console, go to Options > SCEP.
  2. Click Configure.
  3. Select the Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile checkbox.
  4. In the Name field, enter the common name of the intermediate CA that will issue the certificate for the client. The common name can be found in the JoinNow Management Portal.
  5. From the Redistribute Profile drop-down list, select the desired number of days.
  6. In the Subject field, enter a value to help administrators identify the device. You can make this a static value if you wish.

    Examples:

    • CN=$DEVICENAME
    • CN=$UDID
    • CN=$SERIALNUMBER

    NOTE: What you enter as Subject and Subject Alternative Name are referred to as payload variables and define the common name that you want to be encoded on certificates.
  7. From the Subject Alternative Name Type drop-down list, select the RFC 822 Name option.
  8. In the Subject Alternative Name Value field, use the appropriate variables from the list below according to the business requirements:

    • clientId
    • deviceConfigId
    • buildModel
    • buildVersion
    • userDescription
    • deviceConfigName
    • enrollmentPolicyId
    • organizationId
    • language
    • profileId
    • operatingSystem
    • osVersion

    The values returned by these variables are encoded as the Subject Alternative Name Value attributes on issued certificates.
  9. Click Save.
  10. Navigate to the Scope section and update the scope for the devices to the ones in the Compliance Policy group created previously.
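Jamf assembles the SCEP payload from the settings in steps 3 to 8, and the delivered profile is a property list whose SCEP payload uses Apple's `com.apple.security.scep` payload keys (`URL`, `Name`, `Subject`, `Challenge`, `Keysize`, `Key Type`, `SubjectAltName`). As an added defender-side check, not a SecureW2 or Jamf tool, the following Python parses a .mobileconfig and flags settings that conflict with the recommendations on this page: a key size below 2048 (the 1024 option SecureW2 advises against), a SCEP URL that is not HTTPS, a missing challenge, and an empty Subject or Subject Alternative Name. The sample profile is constructed for the example and is not one exported from Jamf; the thresholds are the page's recommendations and my own choice of which keys to inspect.

```python
import plistlib
from typing import Dict, List

# Constructed .mobileconfig with one SCEP payload (not exported from Jamf). The URL,
# identifiers and values are placeholders; the key size is deliberately 1024 so the
# check has something to report.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.scep-profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key><string>com.example.scep</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>https://scep.example.invalid/enroll</string>
        <key>Name</key><string>Jamf SCEP Intermediate CA</string>
        <key>Subject</key>
        <array><array><array><string>CN</string><string>C02ABC123XYZ</string></array></array></array>
        <key>Challenge</key><string>per-device-dynamic-challenge</string>
        <key>Key Type</key><string>RSA</string>
        <key>Keysize</key><integer>1024</integer>
        <key>SubjectAltName</key>
        <dict><key>rfc822Name</key><string>jane.doe@example.com</string></dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def scep_payloads(profile_bytes: bytes) -> List[dict]:
    """Return the SCEP payload dictionaries contained in a configuration profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.scep"]


def check_scep_payload(payload: dict) -> List[str]:
    """Return findings (empty list = nothing to report) for one SCEP payload's settings."""
    content = payload.get("PayloadContent", {})
    findings = []
    if not str(content.get("URL", "")).startswith("https://"):
        findings.append("SCEP URL is not HTTPS")
    if content.get("Key Type", "RSA") != "RSA":
        findings.append("unexpected key type")
    if int(content.get("Keysize", 0)) < 2048:
        findings.append("key size below 2048 bits")
    if not content.get("Challenge"):
        findings.append("no challenge set; enrollment is unauthenticated")
    if not content.get("Subject"):
        findings.append("empty Subject")
    if not content.get("SubjectAltName"):
        findings.append("no SubjectAltName")
    return findings


def check_profile(profile_bytes: bytes) -> Dict[str, List[str]]:
    """Map each SCEP payload's PayloadIdentifier to its findings."""
    return {p["PayloadIdentifier"]: check_scep_payload(p) for p in scep_payloads(profile_bytes)}


if __name__ == "__main__":
    for identifier, findings in check_profile(SAMPLE_MOBILECONFIG).items():
        print(identifier, findings or "OK")
```

Because the profile Jamf pushes contains the per-device challenge in clear text, a copy of a delivered profile should be handled like a credential until the challenge has been consumed or has expired; the check above only reads the fields, it does not print the challenge value.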

Certificate Issuance

After completing the steps above, the device connects to Jamf. The organization's SCEP profile is pushed, the device is looked up, and enrollment is triggered.

Jamf Configuration profile log:

SecureW2 JoinNow portal General Events:

Now that you have completed this configuration, you can protect your organization from attackers who try to compromise your Certificate Authorities and issue themselves certificates.