
Hello guys, I am affected by the latest MS security patch, Microsoft Active Directory Strong Certificate Mapping Requirements. My devices can't connect to Wi-Fi via certificates after the latest patch. My devices are not in the domain, and the users are local, so when I tried the objectSid extension attribute it didn't work, even though I have Azure connected as cloud IdP, and I guess it's because the users are local. Does anyone have any idea how to tackle this? :) Can we use UPN or some other attribute for MacBooks that use a local user account and are not in the domain?

Please refer to the link below.

  1. Create an extension attribute to find the OnPremisesSecurityIdentifier. Hopefully your Jamf is configured with Entra as cloud IdP.
  2. For the SCEP payload, click Add.
  3. Click the SAN TYPE pop-up menu, and select "Uniform Resource Identifier".
  4. In the Subject Alternative Name Value field, add the following SAN URI string: tag:microsoft.com,2022-09-14:sid:$EXTENSIONATTRIBUTE_#, and substitute # with the actual computer extension attribute ID number.

Refer to:

https://learn.jamf.com/en-US/bundle/technical-articles/page/Supporting_Microsoft_Active_Directory_Strong_Certificate_Mapping_Requirements.html
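The procedure above ends with a SAN URI whose SID part is substituted by Jamf at issuance time, and the rest of this thread is about what happens when that substitution is empty or does not match the account. The following is an added example, not code from the Jamf article or from any poster: it builds the SAN URI from a SID, validates the SID, parses the SAN block as printed by `openssl x509 -noout -ext subjectAltName`, and applies a simplified model of the strong-mapping check (certificate SID must equal the account SID). The SIDs, e-mail address and SAN dumps are constructed sample data; the "simplified check" is an assumption about the domain-controller logic, which in reality also covers the SID certificate extension and other mapping types.

```python
import re
from typing import List, Tuple

# Prefix of the strong-mapping SAN URI used in the Jamf SCEP payload.
SID_URI_PREFIX = "tag:microsoft.com,2022-09-14:sid:"

# Domain account SID shape: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>.
# Well-known SIDs (S-1-5-32-544, S-1-1-0, ...) are deliberately not accepted,
# because a user mapping must name a domain account.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-\d{1,10}$")


def is_domain_sid(sid: str) -> bool:
    """True for a syntactically valid domain account SID."""
    return bool(_DOMAIN_SID_RE.match(sid))


def sid_to_san_uri(sid: str) -> str:
    """Build the SAN URI value for one user.

    Jamf fills this in from $EXTENSIONATTRIBUTE_#; building it here makes an
    empty or malformed SID fail loudly instead of ending up in a certificate.
    """
    if not is_domain_sid(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    return SID_URI_PREFIX + sid


def sids_in_san(san_text: str) -> List[str]:
    """Return the SID part of every strong-mapping URI in an openssl SAN dump.

    `san_text` is the output of `openssl x509 -noout -ext subjectAltName`:
    a header line followed by entries separated by ", " (the URI itself
    contains a comma, but no comma-space, so splitting on ",\\s+" is safe).
    A URI with the prefix and nothing after it (blank extension attribute
    substituted at issuance) is returned as "".
    """
    found = []
    for line in san_text.splitlines():
        for entry in re.split(r",\s+", line):
            entry = entry.strip()
            if entry.startswith("URI:"):
                uri = entry[len("URI:"):]
                if uri.startswith(SID_URI_PREFIX):
                    found.append(uri[len(SID_URI_PREFIX):])
    return found


def check_mapping(san_text: str, account_sid: str) -> Tuple[bool, str]:
    """Simplified strong-mapping check (assumption: models only the SAN URI path).

    Returns (accepted, reason). Mirrors the outcomes an admin sees on the
    DC: no mapping, empty SID, malformed SID, SID mismatch, or success.
    """
    sids = sids_in_san(san_text)
    if not sids:
        return False, "no strong (SID) mapping in certificate"
    cert_sid = sids[0]
    if cert_sid == "":
        return False, "SID URI present but empty (extension attribute was blank at issuance)"
    if not is_domain_sid(cert_sid):
        return False, f"malformed SID in certificate: {cert_sid!r}"
    if cert_sid != account_sid:
        return False, f"SID mismatch: certificate {cert_sid}, account {account_sid}"
    return True, "certificate SID matches account SID"


# Constructed sample data (not real directory or certificate content).
ACCOUNT_SID = "S-1-5-21-1004336348-1177238915-682003330-1125"

GOOD_SAN = (
    "X509v3 Subject Alternative Name: \n"
    "    URI:tag:microsoft.com,2022-09-14:sid:S-1-5-21-1004336348-1177238915-682003330-1125, "
    "email:jdoe@corp.example\n"
)

# What the payload yields when $EXTENSIONATTRIBUTE_# was blank at issuance.
BLANK_EA_SAN = (
    "X509v3 Subject Alternative Name: \n"
    "    URI:tag:microsoft.com,2022-09-14:sid:\n"
)

if __name__ == "__main__":
    print(sid_to_san_uri(ACCOUNT_SID))
    for label, san in (("good", GOOD_SAN), ("blank EA", BLANK_EA_SAN)):
        ok, why = check_mapping(san, ACCOUNT_SID)
        print(f"{label}: {'OK' if ok else 'REJECT'} - {why}")
```

To use it against a real certificate, save the output of `openssl x509 -in user.pem -noout -ext subjectAltName` and pass it to `check_mapping` together with the SID read from the directory (for Entra-synced accounts, the onPremisesSecurityIdentifier value); an empty-SID result points at the inventory timing problem discussed later in this thread rather than at the SCEP or NPS configuration.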


Hello Shyam,

Thanks for your response.

I have tried OnPremisesSecurityIdentifier as the EA, but that didn't work; when I tried objectSid, it worked on my laptop because mine is connected to Jamf Connect for testing. But when I tried objectSid in the EA on one of the user laptops that is not domain joined and also uses a local user, it didn't work, which means the SID is not captured in the Jamf console for his laptop. I have added Azure as cloud IdP on my Jamf Pro instance.

I am not sure if I am doing something wrong or if the user needs to log in with Azure credentials for the EA to work.


Hi @Pravin_23

Could you please let me know if you're using computer certificates or user certificates?

Since the objectSid / OnPremisesSecurityIdentifier attributes collected by Jamf are user attributes, I suppose this method only works with user certificates (but I'd like confirmation please).

Best


Hello Loic, thank you for the response, and I have good news: it started working.

I am using user certificates. Yesterday I tested changing the EA display name and it started working. It doesn't make much sense to me, but it started fetching the OnPremisesSecurityIdentifier. My EA was named "OnPremisesSecurityIdentifier" before, and now I changed it to "Azure OnPremisesSecurityIdentifier". The only thing I can think of is that both the display name and the Directory Service Attribute were the same before :). I would like to know if this makes any sense to you guys. I have opened a ticket with Jamf regarding this issue and will see what their response is.


The reason it started working is that the attribute doesn't get populated until the device is inventoried. So you assign the user, but you'll notice that the extension attribute stays blank until the device gets inventoried. You end up with a chicken-and-egg problem: you need the device to be on the network in order to get inventoried, which triggers the population of the extension attribute. So our solution is to put the device on the network using a temporary Ethernet connection or an alternative PSK network to allow inventory to occur. You'll find that if you modify your process to wait for/verify that inventory occurs, the extension attribute gets populated and things work as expected.

Now, why Jamf will not populate a usable ObjectSID variable for the user without having to do an inventory of the device to which the user is assigned is cumbersome, and I wish they would change that.


Hello, I'm not sure how long it takes for a device to get inventoried. I had been doing this for a week and it worked after that. I even had a call with Jamf support during that week to resolve the issue. When you say inventoried, I guess you mean running sudo jamf recon and getting the device synced with Jamf? I ran this command multiple times during the troubleshooting. Fortunately it's working fine now :) Thanks all for the input.


Cool, happy it is working for you! While it was not working, did you notice if the EA you had defined in Jamf was populated or blank? Also, while it was not working, did you receive any error type 41s in the Windows system event logs on your NPS servers (mismatched SID on identity cert)?


Yes, when it was not working, I could see the EA was blank for all laptops. But it was showing on my laptop, as I was using Jamf Connect. Also, the error code was there in the AD logs.