Skip to main content

Hi everyone,

We’re currently using Jamf School to manage our Apple devices and are running into issues with Microsoft’s enforcement of strong certificate mapping as outlined in KB5014754.

Our environment relies on certificate-based authentication with Active Directory. While we’ve configured UPN mapping using the RFC 822 SAN field, our domain controllers (now in Full Enforcement mode) are rejecting certificates that don’t meet the new strong mapping requirements.

Unfortunately, Jamf School doesn’t appear to support:

  • Inclusion of SAN URIs with SID
  • Custom certificate templates
  • Scripting or automation for explicit mapping via altSecurityIdentities

We’ve temporarily enabled Compatibility Mode on our domain controllers, but this is only viable until 10 September 2025, when Microsoft will enforce Full Enforcement by default.

Questions for the community and Jamf staff:

  1. Are there any confirmed plans for Jamf School to support strong certificate mapping before the enforcement deadline?
  2. Has anyone found a reliable workaround using Jamf School?
  3. If not, what’s the best path forward—migrating to Jamf Pro, or using an external certificate issuance workflow?

Any insights or official guidance would be hugely appreciated!

Ran into something similar. When we flipped the “Subject Alternative Name Type” to Uniform Resource Identifier (previously had it to RFC 822 SAN), it all started working.

Can you test that change?

We are in compatibiltiy mode here, but testing for us is going well. We don’t see “event 39” in SCEP/NDES logs. We plan out rolling out more test devices with this profile soon.
 

Did you engage with Jamf Support about this yet?

 


 

Hi mvu, thanks for the response.

Just to check is that Jamf Pro or Jamf School? As I’m up against it using Jamf School. I don’t think Jamf School supports custom attributes for providing the sid from AD?

 

I have tried to contact Jamf, but cannot get past their ‘bot’, and when I do, I don’t get put through to anyone...

 

Yeah, it’s for Jamf Pro. Hopefully you can get a response, as the clock is ticking. Did you try submitting a ticket on their new portal?

@mvu, yes I did finally get through to them and their response is “We have filed a request with our team to implement this integration within Jamf School though there is no confirmation on this integration at the moment. You can certainly check back at a certain date/time to reference this ticket number on this status.”

Oh, you’re in tough waters. Engage with Microsoft support? See if there’s a different configuration you could use that meets Microsoft’s strong certificate mapping for Jamf School?

At the moment I’m just going to roll back to using PEAP… which is annoying.

Will PEAP work after September 10?

I don’t believe so, not for PEAP with MSCHAPv2. I’ll do some testing!

Reply


Terms & ConditionsCookie settings