
Using Jamf's built-in CA for certificate based Wifi authentication

  • March 18, 2026
  • 7 replies
  • 63 views

KeremDurdabak

Hi everyone,

We have a WPA2/WPA3-Enterprise network, and I am wondering if it is possible to use Jamf’s built-in CA to push certificates to end devices, so that users can be authenticated for Wi-Fi using those certificates.

Additionally, what is the typical approach for this setup? I see docs recommend using AD CS, but our organization uses Azure rather than on-premises Active Directory.

I would appreciate any guidance from someone with experience in this area. Thank you.

7 replies

Chubs
  • Jamf Heroes
  • March 18, 2026

What are you using for RADIUS auth?  I’m pretty sure you don’t want to use the built-in CA for anything other than device communication to the binary. 

If you want to move to the ACME protocol, check out Small Step for this.  If not, use jamf as a SCEP proxy and go to something like digicert.  If not either of those, then stand up ADCS and host your CA on prem and go that route.


peterlbk
  • Jamf Heroes
  • March 18, 2026

Hi @KeremDurdabak you can, but it is not easy to accomplish and has some pitfalls. Usually you use a PKI server set up to maintain certificates.


KeremDurdabak
  • Author
  • New Contributor
  • March 18, 2026

Hi, if the Jamf’s built-in CA is not recommended, I was wondering what would be the costless and jamf friendly solution to this. Thank you.


peterlbk
  • Jamf Heroes
  • March 18, 2026

Well if you can find any free PKI server, that might do the trick. Or the other solution Chubs refers to, that Jamf step proxy.


dletkeman
  • Jamf Heroes
  • March 18, 2026

What are the pitfalls?  I know my network admin has talked about doing this.  Right now we use WPA2-Enterprise but we have certificate based networking with our Windows computers.  I’m not a certificate master but there’s been dragging of heels about using SCEP.  I don’t know why, but my network admin has wondered about using Jamf built-in certificate too.


peterlbk
  • Jamf Heroes
  • March 18, 2026

Well for instance your Jamf certificates expire after a rather short time, so you need to script to refresh your EAP settings and trust. And that trust setting is not easy to manage properly.

And expired Jamf certificates block a Mac from the network - you may want to send it to a guest network or something. Else you may need to run around a lot to find those Macs.
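The pitfall peterlbk describes (short-lived identity certificates silently expiring and knocking a Mac off EAP-TLS) is easiest to manage if Jamf can see expiry before it happens. The script below is an added example, not from this thread or from Jamf: an extension-attribute style script that reports how many days remain on the Wi-Fi identity certificate in the System keychain, so a smart group can scope a re-enrollment or profile redeploy policy ahead of time. It assumes the certificate's subject CN is known and stable (placeholder below) and that the certificate lives in the System keychain.

```shell
#!/bin/bash
# Added example (not from the forum thread): report days until the Wi-Fi identity
# certificate expires, in Jamf extension-attribute <result> format.
# Assumptions: CERT_CN is the CN of the EAP-TLS identity cert (placeholder value),
# and the cert is stored in the System keychain.

CERT_CN="${CERT_CN:-WIFI-IDENTITY-CN-PLACEHOLDER}"   # replace with your profile's CN
KEYCHAIN="/Library/Keychains/System.keychain"

# Convert an openssl "notAfter" timestamp such as "Apr 17 12:00:00 2026 GMT"
# to epoch seconds. GNU date (Linux) and BSD date (macOS) take different flags.
to_epoch() {
  ts="$1"
  if date --version >/dev/null 2>&1; then
    date -u -d "$ts" +%s                         # GNU date
  else
    date -ju -f "%b %d %T %Y" "${ts% GMT}" +%s   # BSD date: drop the zone, parse as UTC
  fi
}

# Whole days between a reference epoch ($2) and the certificate's notAfter ($1).
# Negative means the certificate has already expired.
days_until_expiry() {
  exp=$(to_epoch "$1") || return 1
  echo $(( (exp - $2) / 86400 ))
}

# notAfter of the first certificate matching CERT_CN in the System keychain (macOS only).
cert_not_after() {
  security find-certificate -c "$CERT_CN" -p "$KEYCHAIN" 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null \
    | sed 's/^notAfter=//'
}

main() {
  na=$(cert_not_after)
  if [ -z "$na" ]; then
    echo "<result>-1</result>"    # no certificate found: treat like an expired one
    return 0
  fi
  echo "<result>$(days_until_expiry "$na" "$(date +%s)")</result>"
}

# The keychain lookup only makes sense on a Mac; elsewhere the helpers are still usable.
if [ "$(uname)" = "Darwin" ]; then main; fi
```

A smart group on this attribute (for example, less than 14) can then scope the renewal policy or redeploy the Wi-Fi profile before the Mac loses network access.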


Chubs
  • Jamf Heroes
  • March 19, 2026

If you’re already a MS shop, a “cost effective” way is to host your PKI on site. Keep in mind, this is just up front cost. Maintenance costs over time will rat you alive. 

Also certificate distribution using this method is only valid on premise. If you have a modern workforce and need to distribute certificates for other things, then I’m still going to recommend a cloud PKI that will “cost you more” up front. 

You have to weigh cost against product AND support. Not just product. Hopefully that makes sense. 

… and I hope soon (very soon?) we will be moving to a mTLS world where there will be no more passwords, only certificates.