Question

Using Jamf Pro as subordinate CA

  • November 18, 2021
  • 8 replies
  • 70 views


Hi all,

We have an on-prem Microsoft certification authority server whose credentials are essential for connecting to Wi-Fi and VPN, and we want to install these certificates on Macs run by Jamf Pro.

The security requirement is not to open the local CA server to the Internet.

And my question: is there a way Jamf can issue the certificates for the Macs instead of the local CA? (subordinate CA)

Or is there another way to do it without making the local server accessible from the Internet?

If that can help, we have Azure and Intune.

Thanks. 🙏

8 replies

sdagley
  • Jamf Heroes
  • November 18, 2021

@__AMM Take a look at the Jamf AD CS Connector; it allows you to deliver certificates via Jamf Pro. There's also an option to integrate with a Venafi system if you're using that for certificate management.


  • Author
  • Contributor
  • November 18, 2021


Hi @sdagley

This Connector requires opening the on-prem server to the Internet, which I am trying to prevent.


sdagley
  • Jamf Heroes
  • November 18, 2021



@__AMM  Is your JSS Jamf Cloud hosted, or on-prem? Only the AD CS server has to be open to the Internet and only to your Jamf Cloud instance if the former. For the latter the connectivity would be entirely within your network. Or at least that's how the Venafi integration works.
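
The point above is that only the AD CS Connector host needs to accept inbound traffic, and only from your Jamf Cloud instance. Below is an added example (not from this thread or from Jamf) that audits a list of inbound firewall rules for that host and flags any allow-rule on the connector's HTTPS port whose source is broader than the allowlisted Jamf Cloud ranges. The port and the CIDR ranges are constructed placeholders; take the real values from the Jamf KB articles on Jamf Cloud inbound traffic and network ports.

```python
"""Audit inbound firewall rules for a Jamf AD CS Connector host."""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed: the connector is published on HTTPS/443 (placeholder; confirm against Jamf's port list).
CONNECTOR_PORT = 443

# Constructed placeholder ranges standing in for your Jamf Cloud instance's source IPs.
JAMF_CLOUD_SOURCES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.32/27")]


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # CIDR such as "0.0.0.0/0"
    port: int
    action: str      # "allow" or "deny"


def covered(src, allowed):
    """True if every address in src lies inside one of the allowed ranges."""
    return any(src.version == a.version and src.subnet_of(a) for a in allowed)


def audit_rules(rules, allowed=JAMF_CLOUD_SOURCES, port=CONNECTOR_PORT):
    """Return names of allow-rules that expose the connector port beyond the allowed sources."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.port != port:
            continue  # deny rules and other services are out of scope here
        src = ip_network(r.source, strict=False)
        if not covered(src, allowed):
            findings.append(r.name)
    return findings


# Constructed sample rule set: one correctly scoped rule, one open-to-the-world rule,
# and one unrelated rule on a different port.
SAMPLE_RULES = [
    Rule("adcs-from-jamf-cloud", "203.0.113.0/24", 443, "allow"),
    Rule("adcs-any", "0.0.0.0/0", 443, "allow"),
    Rule("rdp-mgmt", "10.0.0.0/8", 3389, "allow"),
]

if __name__ == "__main__":
    for name in audit_rules(SAMPLE_RULES):
        print(f"over-exposed rule: {name}")
```

Running it against the constructed rules reports only "adcs-any"; an IPv6 any-source rule on the same port is flagged as well because it is not inside any IPv4 allowlist range.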


  • Valued Contributor
  • November 18, 2021

@__AMM If you want no servers on prem exposed to the internet, you can't use AD CS. This is just another server which you can install on prem which connects to your cert servers / Jamf Cloud. It won't work from a DMZ if they are behind F5s. If your network / cyber team can get it to work via a DMZ you might be OK to use it. Jamf itself can't work as a CA; you need it to link to one if you're trying to do 802.1X.


  • Author
  • Contributor
  • November 18, 2021


@sdagley Cloud hosted. Where can I see the address and ports that should be open to the Internet?


  • Author
  • Contributor
  • November 18, 2021


Thanks @SCCM. Can you explain more why installing AD CS in a DMZ will not work if there is an F5?


sdagley
  • Jamf Heroes
  • November 18, 2021


@__AMM Jamf has a couple of KB articles you'd want to look at for that info:

Permitting Inbound/Outbound Traffic with Jamf Cloud

Network Ports Used by Jamf Pro


  • Valued Contributor
  • November 19, 2021

@__AMM It will work, but there are other things to consider; have a read of these: Installing and troubleshooting the Jamf ADCS connector - Travelling Tech Guy
AD CS Connector Experience, Tips, and Lessons Lear... - Jamf Nation Community - 177003
If however you don't want to open things to the web, it might get rejected.