AD Certificate Deployment via JSS MobileConfig

cainehorr
Contributor III

So this particular thread is two-fold...

I have a Microsoft Active Directory 2012 infrastructure. I have a Microsoft Certificate Server. I have a JSS 9.24 installation. All Macs are bound to Active Directory.

My JSS Configuration Profile for end-user certificates is configured as such...

GENERAL
Name: User Certificate

AD CERTIFICATE
Description: User Certificate
Certificate Server: cert_server_name.domain.com
Certificate Authority: cert_server_name
Certificate Template: User_Certificate
Username: <blank>
Password: <blank>
Verify Password: <blank>

SCOPE
Target Computers: Specific Computers
Target: Active Directory - Bound
Type: Smart Computer Group
Exclusion: All Managed Servers
Type: Smart Computer Group

HOW IT WORKS
When a user logs in using their Active Directory credentials, their Mac that is bound to Active Directory auto-authenticates to the cert server via Kerberos then downloads and installs the user cert if it's not present. This is fairly straight forward

PROBLEM 1
Any Mac running OS X that is older than 10.9 will not install the certificate. Even going into the JSS and attempting to download and manually install the certificate fails.

Perhaps the format of the MobileConfig being created by the JSS is not backward compatible?

PROBLEM 2
This isn't so much of a problem as it's more of a questioning whether this is possible.

AD user certificates as generated by my Microsoft Cert Server expire 1-year from the date of issue. Once a cert is installed via the JSS, the cert will work for one year. Once the year is up, the certificate no longer functions. It needs to be replaced.

Is there a way to have the JSS monitor each user's user certificate as deployed via MobileConfig or even some shell script that queries the user's login keychain file that will report back to the JSS letting me know when users are about to expire (ie: 30 days or less)?

Is there a way to have the JSS take action and auto-remove the existing MobileConfig and/or certificate within the login keychain and re-issue a new one based on this 30-day threshold?

I'm guessing I could possibly leverage JSS Extension Attributes for this but not entirely sure.

Any ideas are greatly appreciate!

4 REPLIES 4

nkalister
Valued Contributor
Is there a way to have the JSS monitor each user's user certificate as deployed via MobileConfig or even some shell script that queries the user's login keychain file that will report back to the JSS letting me know when users are about to expire (ie: 30 days or less)?

You can track the expiration of the cert pretty easily either by generating files that record the installation and expiration time when you install the cert (and then scraping those files with a script and extension attribute), or by extracting the expiration date from the keychain via script and extension attribute. None of that is built in functionality, you'll build it yourself.
You also won't be able to automate the renewal but you can nag your end users using a smart group based on the extension attribute.

I actually don't even use MDM or apple's method to request the certificate . . . I use my own script for the request, then shove the certificate into a mobileconfig profile before installing it. That lets me be a little more flexible than either JAMF or Apple's way of doing this- I can do certificates for 10.6 machines as well as macs that aren't bound to AD.

(OT)
Also it was good to see you at the Apple briefing on Wednesday!!

haircut
Contributor

@nkalister Would you mind sharing that script? My mobile configs using the ADCertificatePlugin payload consistently fail. I have a ticket open with JAMF right now but we're coming up bust. I'd really appreciate a look at your approach!

Chris
Valued Contributor
PROBLEM 1 Any Mac running OS X that is older than 10.9 will not install the certificate. Even going into the JSS and attempting to download and manually install the certificate fails.

This might be due to "Increased Security" being enabled by default on 2012 CAs.
Mavericks supports that, older versions don't.
[
http://technet.microsoft.com/en-us/library/dn473011.aspx#BKMK_Security](
http://technet.microsoft.com/en-us/library/dn473011.aspx#BKMK_Security)

sumit_batra
New Contributor

"When a user logs in using their Active Directory credentials, their Mac that is bound to Active Directory auto-authenticates to the cert server via Kerberos then downloads and installs the user cert if it's not present. This is fairly straight forward"

How are you getting this done? Need help as i am unable to achive this.

Thanks in anticipation.

Sumit