Requesting WiFi/VPN Certificates from Server via JAMF

I was able to get this to work by packaging the profile I created in profile manager and then installing the profile via Casper. I like this method because in the past I've had machines on WiFi via Casper Configurations that loose their connection when they re-enroll due to the profile reinstalling.

We are using the full MDM method at a few of our sites, with the AD certificate and the WiFi payload in the same profile.

All ok once you get it working but you definitely need the admin of the wireless network and the CA on your side (unless thats you!).

Odd symptoms we've seen when something is wrong:

• Profile installs then disagerai immediately - This was an error in the config (noted in System log and JAMF log). It looked like a bug but was just user (or IT admin) error.
• Lots of certificates building up in the keychain - If you change the settings of the profile it re-deploys to the client, which causes the client to get a new certificate, leaving the old one in the keychain. The main problem is that they are called the same thing. Someone has told me that there is an option on the certificate template to correct this but I haven't had a chance to look into it. We scripted a cleanup of all but the necessary (last valid) certificate in the keychain and ran it as a regular policy instead.

Other than that it all works like a charm (last tried on 10.9). I have heard lots of people having new issues with 10.10 but thats another story.

Better late than never...but you can do this with the recent releases using the "AD Certificate" payload with a Computer level on the Options page of the Profile

I'm struggling with how to issue user certificates (x509) from our MS ADCS PKI server. We could do this easily with AirWatch, though it has a very different approach (where the AW infrastructure server (ACC) proxies the certificate request to the PKI server on behalf of the user). I've created a User level profile and configured the AD Certificate payload with the PKI server, Issuing CA name, and the template name. I've tried setting the Username field to %username%, leaving it blank and checking the "prompt for credentials" box, though that says that it can't be used for pushed profiles. Do I just need to go back and RTFM?

Sorry to resurrect an old thread, but i haven't been able to figure this out or find any documentation on it.

Is it possible to have Jamf use a Configuration profile to request a Certificate from a Windows CA for a Palo Alto VPN? I found a Palo write up how to do it manually but my CA admin sys they would have to create a different cert for each computer based on those directions.

I assume the way this would work is the mac request the cert based on a a template.

So just wanted to see if anybody has done this and its working for them with no major issues. I need to be able to do this machine based as well, not user based. Also do the macs have to be joined to AD?