Question

AD-CS connector

  • May 17, 2023
  • 14 replies
  • 66 views

Asifahmed

If I have Jamf Cloud and have integrated it with Azure AD for device compliance, and am also registering the Macs in AAD, do I still need the AD-CS connector to get the certificate? If yes, why? And should this AD-CS connector run in the DMZ?

How can I know if the AD-CS connector is integrated properly with my Jamf? Is it under Settings/PKI Certificate/Certificate Authority?

14 replies

sdagley
  • Jamf Heroes
  • May 17, 2023

@Asifahmed The Device Compliance integration between Jamf Pro and Intune does nothing to enable proxying certificate installs via Jamf Pro like the AD CS Connector allows.

My org uses the Jamf PKI Proxy instead of the AD CS Connector, so I can't speak of the latter from first-hand experience, but you should be able to check the status of your AD CS Connector instance by going to Settings->Global->PKI certificates->Certificate Authorities and clicking the View button for it.


Asifahmed
  • Author
  • Contributor
  • May 17, 2023

> @Asifahmed The Device Compliance integration between Jamf Pro and Intune does nothing to enable proxying certificate installs via Jamf Pro like the AD CS Connector allows.
>
> My org uses the Jamf PKI Proxy instead of the AD CS Connector, so I can't speak of the latter from first-hand experience, but you should be able to check the status of your AD CS Connector instance by going to Settings->Global->PKI certificates->Certificate Authorities and clicking the View button for it.


I am using the JSS Built-in CA for enrollment, and we are using local user accounts on the endpoints. Do we still need the AD-CS connector?


sdagley
  • Jamf Heroes
  • May 17, 2023

> I am using the JSS Built-in CA for enrollment, and we are using local user accounts on the endpoints. Do we still need the AD-CS connector?


That depends on whether you need to install certificates from your organization's CA. Examples of needing that would be certificates for 802.1X Wi-Fi or VPN authentication.


Asifahmed
  • Author
  • Contributor
  • May 17, 2023

> That depends on whether you need to install certificates from your organization's CA. Examples of needing that would be certificates for 802.1X Wi-Fi or VPN authentication.


Makes sense. And does AD-CS run in the DMZ? I mean, as I am on Jamf Cloud, how will it speak to my cloud Jamf?


sdagley
  • Jamf Heroes
  • May 17, 2023

> Makes sense. And does AD-CS run in the DMZ? I mean, as I am on Jamf Cloud, how will it speak to my cloud Jamf?


The AD CS Connector is designed to communicate with an on-prem AD system, so yes, it would need to live in your DMZ for that to work.


Asifahmed
  • Author
  • Contributor
  • May 17, 2023

> @Asifahmed The Device Compliance integration between Jamf Pro and Intune does nothing to enable proxying certificate installs via Jamf Pro like the AD CS Connector allows.
>
> My org uses the Jamf PKI Proxy instead of the AD CS Connector, so I can't speak of the latter from first-hand experience, but you should be able to check the status of your AD CS Connector instance by going to Settings->Global->PKI certificates->Certificate Authorities and clicking the View button for it.


Under Settings->Global->PKI certificates->Certificate Authorities I can see Jamf Pro Built-in CA and Other, but nothing named AD-CS. If I go to Computers/Configuration Profiles/Certificate and click "Select Certificate option", there is no AD-CS there either. Any idea on this?


Asifahmed
  • Author
  • Contributor
  • May 17, 2023

> The AD CS Connector is designed to communicate with an on-prem AD system, so yes, it would need to live in your DMZ for that to work.


If an organization uses a JIM server, will AD-CS work properly in that case?


TheAngryYeti

> Makes sense. And does AD-CS run in the DMZ? I mean, as I am on Jamf Cloud, how will it speak to my cloud Jamf?


The AD-CS connector has to be in an accessible network segment, a DMZ or the like. The Connector speaks to your ADCS server on your internal network and acts as a proxy, handing certificates directly to Jamf Pro in the cloud. Jamf Pro then relays that cert to the device (in the typical setup). When you set up the ADCS Connector it will ask for certain information.
https://learn.jamf.com/bundle/technical-paper-integrating-ad-cs-current/page/Integrating_with_Active_Directory_Certificate_Services.html#concept-9196


sdagley
  • Jamf Heroes
  • May 17, 2023

> Under Settings->Global->PKI certificates->Certificate Authorities I can see Jamf Pro Built-in CA and Other, but nothing named AD-CS. If I go to Computers/Configuration Profiles/Certificate and click "Select Certificate option", there is no AD-CS there either. Any idea on this?


That would indicate you do not have an AD CS Connector properly configured to communicate with your Jamf Pro instance.


sdagley
  • Jamf Heroes
  • May 17, 2023

> If an organization uses a JIM server, will AD-CS work properly in that case?


A JIM instance and an AD CS Connector instance can be run on the same server, but they are separate services and one does not require the other to function.


Asifahmed
  • Author
  • Contributor
  • May 17, 2023

> A JIM instance and an AD CS Connector instance can be run on the same server, but they are separate services and one does not require the other to function.


So are we integrating the AD-CS connector with Jamf only for one certificate (the AD certificate), or does it have a different purpose? If it is only one cert, then why can't we push it through a config profile and renew it before expiration?

BTW, I can't see AD-CS under Settings->Global->PKI certificates->Certificate Authorities when clicking the View button. It only shows Other apart from Jamf Pro Built-in CA.


AJPinto
  • Legendary Contributor
  • May 17, 2023

> Under Settings->Global->PKI certificates->Certificate Authorities I can see Jamf Pro Built-in CA and Other, but nothing named AD-CS. If I go to Computers/Configuration Profiles/Certificate and click "Select Certificate option", there is no AD-CS there either. Any idea on this?


Jamf's logging for the AD CS Connector is minimal at best. I recommend going to the Windows Server and looking over the API logs to get an idea of what is going on. The default log path is C:\inetpub\Logs\LogFiles\, but you can check IIS to see where the files are.

The AD CS Connector sets up with a local account by default, and you have to change the configuration to use a domain account. If the local account does not have access to request certificates from the template on your AD CS, it will fail.
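An added example (not from any poster in this thread) of the log review described above: PowerShell run on the connector's Windows Server that resolves the real IIS log directory instead of trusting the default path, parses the W3C log lines, and summarises failed requests by URI and status/substatus. The IIS site name is an assumption; the fallback path is the default quoted in the post.

```powershell
# Added example, not Jamf's code. Summarise IIS W3C log entries on the
# AD CS Connector host so failing requests from Jamf Pro stand out.
param(
    [string]$SiteName = 'Default Web Site',   # assumption: the connector's IIS site
    [int]$Hours = 24                          # how far back to look
)

Import-Module WebAdministration -ErrorAction Stop

# Resolve the log directory from IIS; the value usually contains %SystemDrive%.
$logFile = Get-ItemProperty "IIS:\Sites\$SiteName" -Name logFile
$site    = Get-Item "IIS:\Sites\$SiteName"
$dir     = [Environment]::ExpandEnvironmentVariables($logFile.directory)
$logDir  = Join-Path $dir ("W3SVC{0}" -f $site.id)   # IIS names the folder after the site id
if (-not (Test-Path $logDir)) { $logDir = 'C:\inetpub\Logs\LogFiles' }   # default from the post

$since = (Get-Date).ToUniversalTime().AddHours(-$Hours)
$files = Get-ChildItem $logDir -Filter '*.log' -Recurse |
         Where-Object { $_.LastWriteTimeUtc -ge $since }

$rows = foreach ($file in $files) {
    $fields = $null
    foreach ($line in Get-Content $file.FullName) {
        if ($line -like '#Fields:*') {            # the W3C header names the columns
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }   # other directives
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Group every 4xx/5xx response by request path and IIS status/substatus.
# 4xx entries point at authentication to the connector itself; 5xx entries are
# where the connector-to-CA hop (for example the account/template problem
# described in the post) would surface. Compare against the connector's own errors.
$rows |
    Where-Object { [int]$_.'sc-status' -ge 400 } |
    Group-Object 'cs-uri-stem', 'sc-status', 'sc-substatus' |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Request'; e = { $_.Name } } |
    Format-Table -AutoSize
```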


Asifahmed
  • Author
  • Contributor
  • May 17, 2023

> The AD-CS connector has to be in an accessible network segment, a DMZ or the like. The Connector speaks to your ADCS server on your internal network and acts as a proxy, handing certificates directly to Jamf Pro in the cloud. Jamf Pro then relays that cert to the device (in the typical setup). When you set up the ADCS Connector it will ask for certain information.
> https://learn.jamf.com/bundle/technical-paper-integrating-ad-cs-current/page/Integrating_with_Active_Directory_Certificate_Services.html#concept-9196


Ok, so my next question is: if I go to Settings/PKI Certificate/Certificate Authorities, why do we see so many certificates under Jamf Pro Built-in CA, and a good number under Other as well? Where are all these certs coming from?


Asifahmed
  • Author
  • Contributor
  • May 17, 2023

> Jamf's logging for the AD CS Connector is minimal at best. I recommend going to the Windows Server and looking over the API logs to get an idea of what is going on. The default log path is C:\inetpub\Logs\LogFiles\, but you can check IIS to see where the files are.
>
> The AD CS Connector sets up with a local account by default, and you have to change the configuration to use a domain account. If the local account does not have access to request certificates from the template on your AD CS, it will fail.


Ok, so my next question is: if I go to Settings/PKI Certificate/Certificate Authorities, why do we see so many certificates under Jamf Pro Built-in CA, and a good number under Other as well? Where are all these certs coming from?