NinjaOne REST API Certificate Issuance

Introduction

NinjaOne is an endpoint management platform that supports custom PowerShell automation scripts, which can be leveraged to enroll certificates with SecureW2 using the SecureW2 REST Enrollment API. This provides an alternative approach for certificate enrollment since NinjaOne does not currently support SCEP natively.

This guide outlines how to integrate NinjaOne with the SecureW2 REST Enrollment API to perform certificate enrollment using custom scripts on macOS and Windows.

Prerequisites

The following are the requirements for the administrator to integrate the NinjaOne Platform with the SecureW2 REST Enrollment API:

  1. An active JoinNow Platform subscription with an Enterprise or Ultimate license.
  2. An active subscription to the NinjaOne platform.

Configuring NinjaOne

Mac OS Configuration

Enrolling a macOS Device in MDM

NinjaOne MDM allows you to enroll macOS devices by manually installing the enrollment profile.

To generate an enrollment profile for macOS, perform the following steps:

  1. Log in to the NinjaOne portal.
  2. On the Dashboard page, click the + icon in the top-right corner.
  3. Click Device and then select Computer.
  4. On the Add a computer pop-up window, select Mac.
  5. In Mac OS configuration:
    1. Specify the Organization, Location, and Device role for the device.
    2. From the Distribution type drop-down list, select MDM enrollment profile and select the APN certificate.
    3. Click Generate installer.
    4. Once the installer is generated, you can send the MDM enrollment profile to users using one of the following methods:
      1. Email: From the Select users to send the profile drop-down list, select the user accounts to email the enrollment profile to.
      2. Share the link: Click Copy link to copy the installer link to a text editor. The installer link follows this format: https://ca.ninjarmm.com/apple/enroll/xxxxxxxxxxxxx
      3. Download: Click Download profile to download the installer to your console. The profile you download will be in .mobileconfig format.

Installing the macOS installer on a Mac Device

To install an enrollment profile on macOS:

  1. Copy or download the macOS installer that you want to enroll.
  2. Double-click the installer file to start the installation.
  3. Follow the prompts in System Settings to complete the enrollment. Once installed, you can view the enrollment profile in System Settings > General > Device Management.

The enrolled device will appear in the NinjaOne dashboard.

Creating a Custom Automation Script

NinjaOne allows you to create and edit custom scripts. When running custom scripts on devices, NinjaOne will prompt you to specify optional parameters.

To import a new script into NinjaOne, perform the following steps:

  1. Navigate to Administration > Library > Automation, then click Add automation > Import from file. Choose the script file you want to import. Before importing, ensure the script includes the API URL and API Secret obtained from the SecureW2 JoinNow portal.
  2. On the Create Script page:
    1. In the Name field, enter the name of the script.
    2. From the Language drop-down list, select ShellScript.
    3. From the Operating System drop-down list, select Mac.
    4. From the Architecture drop-down list, select either 32-bit or 64-bit.
    5. From the Run as drop-down list, select System.
  3. Click Save.
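The script imported in step 1 above is what actually performs the enrollment on the endpoint, but the guide does not show one. The following macOS shell script is an added example and is not SecureW2's or NinjaOne's code; the Windows variant follows the same sequence in PowerShell. It generates a 2048-bit key and a SHA-256 CSR whose CN, SAN DNS name and SAN URI are the values the certificate template later pulls in through ${/csr/subject/commonname}, ${/csr/san/dnsname} and ${/csr/san/uniformresourceidentifier}, submits the CSR, and then checks that the certificate that came back belongs to the key that was just generated. The request format (PKCS#10 body, bearer header, PEM response), the environment variable names SW2_ENROLL_URL and SW2_API_SECRET, the urn:ninjaone:device: URI and all function names are assumptions; the enroll() body must be replaced with the contract documented for your tenant. Reading the secret from a parameter rather than hard-coding it limits what someone who can read the script on an endpoint learns, since the script runs as System on every device the policy targets.

```shell
#!/bin/sh
# Added example, not SecureW2's or NinjaOne's code. The REST Enrollment API
# request/response format used in enroll() is an ASSUMPTION; replace it with
# the contract documented in your JoinNow portal before deploying.
set -eu

# Both values come from the .csv downloaded when the REST API Certificate
# Management Token was created. ASSUMPTION: they are passed in as NinjaOne
# script parameters / environment variables rather than embedded in the file.
: "${SW2_ENROLL_URL:=}"
: "${SW2_API_SECRET:=}"

# Emit an openssl req config whose subject and SAN entries line up with the
# template variables ${/csr/subject/commonname}, ${/csr/san/dnsname} and
# ${/csr/san/uniformresourceidentifier}.
make_openssl_cnf() {
  cn="$1"; dns="$2"; uri="$3"
  printf '%s\n' \
    '[ req ]' \
    'distinguished_name = dn' \
    'req_extensions = ext' \
    'prompt = no' \
    '[ dn ]' \
    "CN = $cn" \
    '[ ext ]' \
    'extendedKeyUsage = clientAuth' \
    "subjectAltName = DNS:$dns, URI:$uri"
}

# Generate a 2048-bit RSA key (the CA key size chosen in the portal) and a
# SHA-256 signed CSR. The subshell umask keeps the key file at mode 0600.
generate_csr() {
  cnf="$1"; key="$2"; csr="$3"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$key" -out "$csr" -config "$cnf" )
}

# Submit the CSR. ASSUMPTION: PEM CSR as the body, secret as a bearer token,
# PEM certificate in the response body. --fail turns HTTP errors into exits.
enroll() {
  csr="$1"; out="$2"
  curl --fail --silent --show-error \
    --header "Authorization: Bearer $SW2_API_SECRET" \
    --header "Content-Type: application/pkcs10" \
    --data-binary "@$csr" \
    --output "$out" \
    "$SW2_ENROLL_URL"
}

# The issued certificate must carry the public key of the private key that
# was generated here; anything else means the wrong certificate came back.
cert_matches_key() {
  cert="$1"; key="$2"
  a=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

main() {
  host=$(hostname)
  workdir=$(mktemp -d)
  make_openssl_cnf "$host" "$host" "urn:ninjaone:device:$host" > "$workdir/req.cnf"
  generate_csr "$workdir/req.cnf" "$workdir/device.key" "$workdir/device.csr"
  enroll "$workdir/device.csr" "$workdir/device.crt"
  cert_matches_key "$workdir/device.crt" "$workdir/device.key" || {
    echo "issued certificate does not match the generated key" >&2
    exit 1
  }
  echo "enrolled: $(openssl x509 -in "$workdir/device.crt" -noout -subject -enddate)"
}

# Only run the enrollment when both values were supplied; otherwise the
# functions above are merely defined.
if [ -n "$SW2_ENROLL_URL" ] && [ -n "$SW2_API_SECRET" ]; then
  main
fi
```

After a successful run the certificate and key still have to be imported into the login or system keychain for the network profile to use them; that step depends on how the device's Wi-Fi or VPN profile is configured and is left to the administrator.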

Configuring a Policy for macOS

A policy is a collection of conditions, actions, and settings that can be applied to a group of devices. Devices assigned to the policy inherit these configurations.

To create a new policy, perform the following steps:

  1. Navigate to Administration > Policies > Agent policies and then click Create New Policy.
  2. In the Create a policy dialog box:
    1. In the Name field, enter the policy name.
    2. From the Role drop-down list, select Mac Desktops and Laptops to assign the policy to those devices.
    3. From the Parent policy drop-down list, select an option.
  3. Click Create.
  4. On the displayed page, click Scheduled Automations in the left pane, then click Add a Scheduled Automation.
  5. In the Scheduled Automation pop-up window:
    1. In the Name field, enter a name for the scheduled automation.
    2. From the Schedule drop-down list, specify when the automation should run.

      NOTE: If the device is offline, the automation will neither run nor be queued.
    3. In the Time field, specify the preferred time.
  6. To activate the automation, perform the following steps:
    1. Click Add Automation in the top-right corner and select the script to run as part of the scheduled automation.
    2. In the Automation Library dialog, select the custom scripts you added to the library and click Apply. For instructions on creating a custom automation script, see the Creating a Custom Automation Script section.
    3. After adding the script, click Add to apply the configuration for the new scheduled automation and then save your policy.

Windows Configuration

Enrolling a Windows OS in MDM

NinjaOne MDM allows you to enroll Windows devices by manually installing the enrollment profile.

To generate an enrollment profile for Windows, perform the following steps:

  1. Log in to the NinjaOne portal.
  2. On the Dashboard page, click the + icon in the top-right corner.
  3. Click Device and then select Computer.
  4. On the Add a computer pop-up window, select Windows.
  5. In Windows OS configuration:
    1. Specify the Organization, Location, and Device role for the device.
    2. Click Generate installer.
    3. After generating the installer, you can send the Windows installer package to users using one of the following methods:
      1. Share the link: Click Copy link to copy the installer link to a text editor.
      2. Download: Click Download to save the installer. The downloaded profile will be in .msi format.

Installing the Windows Installer on a Windows Device

To install an enrollment profile on Windows:

  1. Copy or download the Windows installer that you want to enroll.
  2. Double-click the installer file: NinjaOneAgent.msi
  3. The installer runs and registers the device automatically.

The enrolled device will appear in the NinjaOne dashboard.

Creating a Custom Automation Script

To import a new script into NinjaOne, perform the following steps:

  1. Navigate to Administration > Library > Automation, then click Add automation > Import from file. Choose the script file you want to import. Before importing, ensure the script includes the API URL and API Secret obtained from the SecureW2 JoinNow portal.
  2. On the Create Script page:
    1. In the Name field, enter the name of the script.
    2. From the Language drop-down list, select PowerShell.
    3. From the Operating System drop-down list, select Windows.
    4. From the Architecture drop-down list, select either 32-bit or 64-bit.
    5. From the Run as drop-down list, select System.
  3. Click Save.

Configuring a Policy for Windows

To create a new policy, perform the following steps:

  1. Navigate to Administration > Policies > Agent policies and then click Create New Policy.
  2. In the Create a policy dialog box:
    1. In the Name field, enter the policy name.
    2. From the Role drop-down list, select Windows Desktops and Laptops to assign the policy to those devices.
    3. From the Parent policy drop-down list, select an option.
  3. Click Create.
  4. On the displayed page, click Scheduled Automations in the left pane, then click Add a Scheduled Automation.
  5. In the Scheduled Automation pop-up window:
    1. In the Name field, enter a name for the scheduled automation.
    2. From the Schedule drop-down list, specify when the automation should run.

      NOTE: If the device is offline, the automation will neither run nor be queued.
    3. In the Time field, specify the preferred time.
  6. To activate the automation, perform the following steps:
    1. Click Add Automation in the top-right corner and select the script to run as part of the scheduled automation.
    2. In the Automation Library dialog, select the custom scripts you added to the library and click Apply. For instructions on creating a custom automation script, see the Creating a Custom Automation Script section.
    3. After adding the script, click Add to apply the configuration for the new scheduled automation and then save your policy.

Configuring JoinNow

The following high-level steps outline how to set up certificate enrollment through SCEP in the JoinNow Management Portal:

  1. Creating an Intermediate CA for SCEP Gateway Integration
  2. Creating a Certificate Template
  3. Creating a Device Management Platform
  4. Policy Management

Creating an Intermediate CA for SCEP Gateway Integration

SecureW2 recommends using a new intermediate CA as a best practice for SCEP-based enrollments.

To create a new intermediate CA, perform the following steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Dynamic PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. For the Common Name field, enter a name.
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period field, enter the validity period for the Intermediate CA in terms of the number of years.
  11. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select the frequency interval for which a certificate expiration notification should be sent to users.
    2. Select the Notify user on successful Enrollment checkbox to notify users after a successful enrollment.
    3. If the RFC has a valid email address, the user will receive a certificate-issued or expired notification; otherwise, they will not.
  12. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
      1. Since last usage – Select this checkbox to revoke the certificate after a specified number of days if it remains unused.
      2. Since certificate issuance – Select this checkbox to revoke the certificate after a specified number of days after it is issued.
    2. From the Reason Code drop-down list, select one of the following reason codes to record when a certificate is revoked.
      1. Certificate Hold
      2. AA Compromise
      3. Privilege Withdrawn
      4. Unspecified
  13. Click Save. This generates the new intermediate CA.

Creating a Certificate Template

A certificate template defines how information is encoded in certificates issued by the Certificate Authority. It includes a list of certificate attributes and specifies how each attribute’s value should be encoded. This information is provided by the organization administrator through the JoinNow Management Portal.

To create a certificate template, perform the following steps:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click Add Certificate Template.
  3. In the Basic section, enter the name of the certificate template in the Name field.
  4. In the Subject field, enter CN=${/csr/subject/commonname}. This fetches the configured common name in Jamf School.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. To override the Validity Period attribute, select the Override Validity Period checkbox and choose an end date from the date picker to set a hard-coded expiry date for a certificate.
  8. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  9. In the SAN section:
    1. In the Other Name field, enter ${/csr/san/commonname}
    2. In the RFC822 field, enter ${/csr/san/dnsname}
    3. In the DNS field, enter ${/csr/san/dnsname}
    4. In the URI field, enter ${/csr/san/uniformresourceidentifier}
  10. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  11. In the Notification section, select the Notify admin on certificate expiry checkbox to send certificate expiry email notifications to all Admins.
  12. Click Save.

Creating a Device Management Platform

This section describes how to create a Device Management Platform in JoinNow and configure the shell script with the Enrollment URL and API secret required for certificate enrollment through the REST Enrollment API.

To generate the REST API Certificate Management Token, perform the following steps: 

  1. Navigate to Integrations Hub > Device Management Platforms.
  2. Click Add.
  3. In the Name field, enter a name for the API token.
  4. In the Display Description field, enter a description for the API token.
  5. From the Type drop-down list, select REST API Certificate Management Token.
  6. In Access, select Read-Write.
  7. Click Save. A .csv file containing the API secret and Enrollment URL is downloaded.

Policy Management

This section describes the configuration process for policies related to certificate enrollment. Policy Management allows you to define rules for each policy to ensure the correct certificate template is applied and the appropriate certificates are issued to users.

Creating a Policy Workflow

To create a policy workflow, perform the following steps:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Basic section, enter the name of the policy workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Click the Conditions tab.
  8. From the Core Provider drop-down list, select the device management platform you created earlier.
  9. Click Update.

Creating an Enrollment Policy

To create an enrollment policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Click the Conditions tab.
    1. From the Policy Workflow list, select the policy workflow you created earlier (see the Creating a Policy Workflow section).
    2. From the Device Role drop-down list, select DEFAULT DEVICE ROLE POLICY 1.
  8. Click the Settings tab.
    1. From the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating an Intermediate CA for SCEP Gateway Integration section).
    2. From the Use Certificate Template drop-down list, select the template you created earlier (see the Creating a Certificate Template section).
    3. In the other settings, retain the default values.
  9. Click Update.

Deployment and Certificate Issuance

SecureW2 Admins can check for successful certificate enrollment under Data and Monitoring > Enhanced Events.