Solved

Jamf Pro cloud connection to on-prem Microsoft Certificate Authority

  • September 29, 2021
  • 31 replies
  • 268 views

Forum|alt.badge.img+4

Hi friends,

I am new at Jamf and appreciate your help.

We use Jamf Pro in the cloud and we have a local Microsoft CA server.

My goal is to install certificates from the local CA on the Mac devices using Jamf Pro cloud.

I understand there are two ways to do this:

1. Using Jamf ADCS Connector

2. Using Jamf SCEP with local NDES server

Am I right?

What is the right and secure way to do it?

We also have Azure and Intune if that can help. 

Thanks

 

 

Best answer by dfarnworth_b

Ah yeah, this one took me a few days to figure out... In our environment, the purpose of this was to do cert-based 802.1X authentication.

At first my intention was to use the SCEP server already set up for our Windows-based devices enrolled through Intune; I struggled with it but failed to get it to work. This was (as I later found out) due to the Intune connector: it takes over SCEP, preventing you from using it for other purposes. So I spun up a new SCEP server specifically for Mac devices to retrieve a cert from our Windows PKI.

Once that was clear, the general steps were this:

  • Create an Azure AD app
  • Install the AAD App Proxy on the new SCEP server and link it back
  • Create a service account
  • Create a cert template in the PKI
  • Go into Jamf -> Settings -> PKI Cert -> Management Cert Template -> External CA -> Configure this as a SCEP proxy, pointing to the URL of your Azure AD app.
  • Create a Configuration Profile with the SCEP, Cert and Network information.

LMK if you want screenshots or more detail, I know I glossed over a bunch of stuff.

I'd be very interested in some more detail around this (diagrams, screenshots, gotchas, watch-outs, etc.) if you have time to provide it?

31 replies

garybidwell
Forum|alt.badge.img+16
  • Jamf Heroes
  • September 29, 2021

AD-CS is the way forward, but if you have Azure we found it easier to create an Azure proxy connection to the server running the AD-CS connector and publish it out that way (that is very similar to how Intune provides its certificates from the on-premises CA using its own internal connector).


Forum|alt.badge.img+4
  • Author
  • Contributor
  • September 29, 2021

AD-CS is the way forward, but if you have Azure we found it easier to create an Azure proxy connection to the server running the AD-CS connector and publish it out that way (that is very similar to how Intune provides its certificates from the on-premises CA using its own internal connector).


That way there will be no need to open ports outbound?

Is there a guide on how to do this?

Thanks.


garybidwell
Forum|alt.badge.img+16
  • Jamf Heroes
  • September 29, 2021

There are still ports to set up for the proxy in Azure, but it meant I didn't have to deal with our network team at all and punch more holes in the firewall.
I don't have a guide for the Azure side, as my Azure SME did this part for me, but for the Jamf side I pieced information together from both Travelling Tech Guy's blog
https://travellingtechguy.blog
and Laurent's JNUC presentation on AD-CS
https://www.youtube.com/watch?v=PbQOG5rJBcQ&t=1683s

Setup is really in two parts:
1) getting the AD-CS connector installed and communicating with Jamf

2) setting up the PKI and certificate templates for the payloads to the clients

The best tip I can give for the latter is what Laurent mentions in his presentation: don't use an existing certificate template that is being used for Windows, but create a new one specifically for the Macs.
If I had listened to this the first time around it would have saved a whole lot of time troubleshooting.


Forum|alt.badge.img+4
  • Author
  • Contributor
  • September 29, 2021

Thank you @garybidwell.

1. I installed the connector, and for -fqdn I used the full name of the server:

.\deploy.ps1 -fqdn jamfadcs.contoso.lan -jamfProDn contoso.jamfcloud.com -cleanInstall

2. I installed the Azure Proxy connector.

3. I am in the process of creating the app in Azure and am not sure what data I should give in the internal URL (localhost or the name of the server?) and how to configure the other settings.

 

 


Forum|alt.badge.img+4
  • Author
  • Contributor
  • October 3, 2021

I have not yet been able to make it work and if anyone can help it would be greatly appreciated. Thanks


Forum|alt.badge.img+2
  • New Contributor
  • December 20, 2021

I have not yet been able to make it work and if anyone can help it would be greatly appreciated. Thanks


Just curious if you made any progress on this. I am starting down the same path.


Forum|alt.badge.img+6
  • Contributor
  • February 11, 2022

Any update? I am really curious too.


Forum|alt.badge.img+4
  • Contributor
  • March 24, 2022

Thank you @garybidwell.

1. I installed the connector, and for -fqdn I used the full name of the server:

.\deploy.ps1 -fqdn jamfadcs.contoso.lan -jamfProDn contoso.jamfcloud.com -cleanInstall

2. I installed the Azure Proxy connector.

3. I am in the process of creating the app in Azure and am not sure what data I should give in the internal URL (localhost or the name of the server?) and how to configure the other settings.

 

 


My understanding is this doesn't work:
https://macnotes.wordpress.com/2020/11/10/can-jamf-adcs-connector-use-azure-web-app-proxy/
Azure Application Proxy decrypts and re-encrypts the traffic it proxies, and the Azure/cloud version doesn't have native support for the client-certificate based authentication used by the Jamf ADCS Connector.


SteveS
Forum|alt.badge.img+5
  • Contributor
  • August 18, 2022

There are still ports to set up for the proxy in Azure, but it meant I didn't have to deal with our network team at all and punch more holes in the firewall.
I don't have a guide for the Azure side, as my Azure SME did this part for me, but for the Jamf side I pieced information together from both Travelling Tech Guy's blog
https://travellingtechguy.blog
and Laurent's JNUC presentation on AD-CS
https://www.youtube.com/watch?v=PbQOG5rJBcQ&t=1683s

Setup is really in two parts:
1) getting the AD-CS connector installed and communicating with Jamf

2) setting up the PKI and certificate templates for the payloads to the clients

The best tip I can give for the latter is what Laurent mentions in his presentation: don't use an existing certificate template that is being used for Windows, but create a new one specifically for the Macs.
If I had listened to this the first time around it would have saved a whole lot of time troubleshooting.


I am seeing comments below indicating that this wouldn't work since the certs won't be passed through the app proxy. How did you get around that?


SteveS
Forum|alt.badge.img+5
  • Contributor
  • August 18, 2022

Thank you @garybidwell.

1. I installed the connector, and for -fqdn I used the full name of the server:

.\deploy.ps1 -fqdn jamfadcs.contoso.lan -jamfProDn contoso.jamfcloud.com -cleanInstall

2. I installed the Azure Proxy connector.

3. I am in the process of creating the app in Azure and am not sure what data I should give in the internal URL (localhost or the name of the server?) and how to configure the other settings.

 

 


Did you get this fully working? Did you do another workaround?


SteveS
Forum|alt.badge.img+5
  • Contributor
  • August 18, 2022

My understanding is this doesn't work:
https://macnotes.wordpress.com/2020/11/10/can-jamf-adcs-connector-use-azure-web-app-proxy/
Azure Application Proxy decrypts and re-encrypts the traffic it proxies, and the Azure/cloud version doesn't have native support for the client-certificate based authentication used by the Jamf ADCS Connector.


How did you ultimately solve this challenge?


Forum|alt.badge.img+4
  • Contributor
  • August 18, 2022

How did you ultimately solve this challenge?


Ah yeah, this one took me a few days to figure out... In our environment, the purpose of this was to do cert-based 802.1X authentication.

At first my intention was to use the SCEP server already set up for our Windows-based devices enrolled through Intune; I struggled with it but failed to get it to work. This was (as I later found out) due to the Intune connector: it takes over SCEP, preventing you from using it for other purposes. So I spun up a new SCEP server specifically for Mac devices to retrieve a cert from our Windows PKI.

Once that was clear, the general steps were this:

  • Create an Azure AD app
  • Install the AAD App Proxy on the new SCEP server and link it back
  • Create a service account
  • Create a cert template in the PKI
  • Go into Jamf -> Settings -> PKI Cert -> Management Cert Template -> External CA -> Configure this as a SCEP proxy, pointing to the URL of your Azure AD app.
  • Create a Configuration Profile with the SCEP, Cert and Network information.

LMK if you want screenshots or more detail, I know I glossed over a bunch of stuff.

SteveS
Forum|alt.badge.img+5
  • Contributor
  • August 18, 2022

Ah yeah, this one took me a few days to figure out... In our environment, the purpose of this was to do cert-based 802.1X authentication.

At first my intention was to use the SCEP server already set up for our Windows-based devices enrolled through Intune; I struggled with it but failed to get it to work. This was (as I later found out) due to the Intune connector: it takes over SCEP, preventing you from using it for other purposes. So I spun up a new SCEP server specifically for Mac devices to retrieve a cert from our Windows PKI.

Once that was clear, the general steps were this:

  • Create an Azure AD app
  • Install the AAD App Proxy on the new SCEP server and link it back
  • Create a service account
  • Create a cert template in the PKI
  • Go into Jamf -> Settings -> PKI Cert -> Management Cert Template -> External CA -> Configure this as a SCEP proxy, pointing to the URL of your Azure AD app.
  • Create a Configuration Profile with the SCEP, Cert and Network information.

LMK if you want screenshots or more detail, I know I glossed over a bunch of stuff.

Thank you. We are going with the DMZ route on the ADCS connector.


Forum|alt.badge.img+1

Ah yeah, this one took me a few days to figure out... In our environment, the purpose of this was to do cert-based 802.1X authentication.

At first my intention was to use the SCEP server already set up for our Windows-based devices enrolled through Intune; I struggled with it but failed to get it to work. This was (as I later found out) due to the Intune connector: it takes over SCEP, preventing you from using it for other purposes. So I spun up a new SCEP server specifically for Mac devices to retrieve a cert from our Windows PKI.

Once that was clear, the general steps were this:

  • Create an Azure AD app
  • Install the AAD App Proxy on the new SCEP server and link it back
  • Create a service account
  • Create a cert template in the PKI
  • Go into Jamf -> Settings -> PKI Cert -> Management Cert Template -> External CA -> Configure this as a SCEP proxy, pointing to the URL of your Azure AD app.
  • Create a Configuration Profile with the SCEP, Cert and Network information.

LMK if you want screenshots or more detail, I know I glossed over a bunch of stuff.

Can you help me with screenshots? I am struggling to do the same setup. We have created a new SCEP server for Jamf and successfully get the certificate, but the certificate is getting rejected by the RADIUS server.

 

I have a question: is the IPsec offline template mandatory?

 


Forum|alt.badge.img+4
  • Contributor
  • August 24, 2022

Thank you. We are going with the DMZ route on the ADCS connector.


I likely would have done the same if I had a DMZ set up. But since I didn't...


MannyKrishna
Forum|alt.badge.img+4
  • Contributor
  • October 30, 2022

My understanding is this doesn't work:
https://macnotes.wordpress.com/2020/11/10/can-jamf-adcs-connector-use-azure-web-app-proxy/
Azure Application Proxy decrypts and re-encrypts the traffic it proxies, and the Azure/cloud version doesn't have native support for the client-certificate based authentication used by the Jamf ADCS Connector.


For me also, the client certificate is unable to issue; it works well with the default certificate issued via the proxy. How to fix this?


MannyKrishna
Forum|alt.badge.img+4
  • Contributor
  • October 30, 2022

Ah yeah, this one took me a few days to figure out... In our environment, the purpose of this was to do cert-based 802.1X authentication.

At first my intention was to use the SCEP server already set up for our Windows-based devices enrolled through Intune; I struggled with it but failed to get it to work. This was (as I later found out) due to the Intune connector: it takes over SCEP, preventing you from using it for other purposes. So I spun up a new SCEP server specifically for Mac devices to retrieve a cert from our Windows PKI.

Once that was clear, the general steps were this:

  • Create an Azure AD app
  • Install the AAD App Proxy on the new SCEP server and link it back
  • Create a service account
  • Create a cert template in the PKI
  • Go into Jamf -> Settings -> PKI Cert -> Management Cert Template -> External CA -> Configure this as a SCEP proxy, pointing to the URL of your Azure AD app.
  • Create a Configuration Profile with the SCEP, Cert and Network information.

LMK if you want screenshots or more detail, I know I glossed over a bunch of stuff.

Not working for me (unable to get the client certificate).


MannyKrishna
Forum|alt.badge.img+4
  • Contributor
  • October 30, 2022

ADCS is working for us to get the client certificate, but via Azure Proxy we are unable to get the client certificate; I am getting the default offline IPSEC certificate instead. Any advice here, please?


Forum|alt.badge.img+1

ADCS is working for us to get the client certificate, but via Azure Proxy we are unable to get the client certificate; I am getting the default offline IPSEC certificate instead. Any advice here, please?


Register the certificate template in the registry to issue the certificate to Jamf.

 

By default the registry entry is ipsec; later I found the NDES template was not registered to issue as the default certificate. Once you update this template, your CA will issue the registered certificate template.


MannyKrishna
Forum|alt.badge.img+4
  • Contributor
  • October 30, 2022

I have updated the registry on the below templates; I have entered the client certificate template created for JamfNDES:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
EncryptionTemplate

GeneralPurposeTemplate

SignatureTemplate

 

After making these changes the configuration profile is now in pending state; earlier it was working with the default.


Forum|alt.badge.img+1

I have updated the registry on the below templates; I have entered the client certificate template created for JamfNDES:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
EncryptionTemplate

GeneralPurposeTemplate

SignatureTemplate

 

After making these changes the configuration profile is now in pending state; earlier it was working with the default.


You need to restart the server to apply the settings. Have you completed it?


Forum|alt.badge.img+1

You need to restart the server to apply the settings. Have you completed it?


Also add the fingerprint hash key to your configuration profile.
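
The registry change, the restart and the fingerprint check from the last few replies, worked through as one script. This is an added example, not code from the thread, from Jamf or from Microsoft; it assumes a placeholder template name `JamfNDESClient`, a placeholder CA config string `ca01.contoso.lan\Contoso Issuing CA` and a placeholder export of the CA certificate at `C:\Temp\ContosoIssuingCA.cer`. Run it elevated on the NDES server that is dedicated to Jamf.

```powershell
# Added example (not from this thread, Jamf or Microsoft). Placeholders to change:
#   $TemplateName - the template *name* (not the display name) created for the Macs
#   $CaConfig     - "CAHost\CA Common Name" of the issuing CA that NDES talks to
#   $CaCertFile   - an export (DER or Base64) of that CA's certificate
param(
    [string]$TemplateName = 'JamfNDESClient',
    [string]$CaConfig     = 'ca01.contoso.lan\Contoso Issuing CA',
    [string]$CaCertFile   = 'C:\Temp\ContosoIssuingCA.cer'
)

$MscepKey   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$ValueNames = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

# 1. Check that the CA publishes the template. certutil -CATemplates prints one line per
#    issuable template as "<Name>: <Display name> -- ...". A template that is not listed
#    here (or that the NDES service account lacks Enroll rights on) leaves the request
#    pending or denied, which from the Jamf side looks like a profile stuck in "pending".
$published = & certutil.exe -config $CaConfig -CATemplates 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed against ${CaConfig}: $published" }
if (-not ($published -match ('^' + [regex]::Escape($TemplateName) + ':'))) {
    throw "Template '$TemplateName' is not published on $CaConfig; publish it on the CA first."
}

# 2. Record the current values. A fresh NDES install has IPSECIntermediateOffline in all
#    three, which is the "ipsec offline" default mentioned in the replies above.
Write-Host 'Before:'
Get-ItemProperty -Path $MscepKey | Select-Object -Property $ValueNames | Format-List | Out-String | Write-Host

# 3. Point all three values at the Mac template. NDES matches on the template name,
#    so the display name (the one with spaces) will not work here.
foreach ($name in $ValueNames) {
    Set-ItemProperty -Path $MscepKey -Name $name -Value $TemplateName -Type String
}

# 4. Verify the write before restarting anything.
$after = Get-ItemProperty -Path $MscepKey
foreach ($name in $ValueNames) {
    if ($after.$name -ne $TemplateName) { throw "$name still reads '$($after.$name)'" }
}

# 5. mscep.dll reads these values when its IIS worker process starts, so nothing changes
#    until IIS is recycled. iisreset is the smallest restart that does it; the reply above
#    recommends rebooting the whole server, which has the same effect.
& iisreset.exe /noforce

# 6. The SCEP payload's Fingerprint field must match the CA certificate the Mac fetches
#    from NDES (GetCACert). Print the SHA-1 thumbprint so it can be compared with the
#    value in the configuration profile; a mismatch makes the client reject the CA.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertFile)
Write-Host "CA subject    : $($caCert.Subject)"
Write-Host "CA thumbprint : $($caCert.Thumbprint)"
```

Step 1 is the check worth doing before touching the registry: the thread's "pending" symptom appears when NDES asks the CA for a template the CA either does not publish or will not let the NDES service account enroll for. Step 6 covers the fingerprint reply; if the profile's fingerprint was copied from a different CA (for example the one the Intune SCEP server fronts), the thumbprint printed here will differ from the value in the profile.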


MannyKrishna
Forum|alt.badge.img+4
  • Contributor
  • October 30, 2022

You need to restart the server to apply the settings. Have you completed it?


Yes, the server has been restarted already.


MannyKrishna
Forum|alt.badge.img+4
  • Contributor
  • October 30, 2022

Yes, the fingerprint hash key seems to be the same and it has not changed (I have checked it already).


Forum|alt.badge.img+1

So do you use this server dedicated to Jamf?

 

If you have Intune or any other MDM using the same server to get certificates, definitely this will not work, and in Jamf you might see pending.

You might need a dedicated server.