AD Computer Certificates

gjackson
New Contributor

Fellow JAMF admins,

I have a Palo Alto VPN client that I need to get set up on the Macs in an automated fashion regarding certificates. On the Windows side I can set up the machines to automatically retrieve a cert from the internal CA here but cannot figure a way to get this configured on Casper. Every cert will be generated differently based on the computer itself so just pushing out the same cert to each machine won't fly. I was thinking the AD Certificate payload would do it but it doesn't appear so.

Does anyone have any ideas? Thanks.

Gary

5 REPLIES

ooshnoo
Valued Contributor

That's how we do it... AD Certificate payload... and it works just fine. We have also previously used the SCEP payload without issues.

Hard to say where the issue lies as we don't know how your CA is configured.

gjackson
New Contributor

Thanks. It's a Windows 2008 Enterprise CA and I have a Mac template set up. In the Cert payload I have our SCCM service account, which has permission to generate a cert with it. I'm getting this error when scoped to a Mac.

Install Configuration Profile Certificate (7 minutes ago / 6 minutes ago): The 'Active Directory Certificate' payload could not be installed. The certificate request failed.

davidacland
Honored Contributor II

I've seen that error at a few places. It's usually either an incorrect template name, a space in the template name (which isn't allowed), or incorrect ACLs on the template on the CA.

I've had issues in the past with the built-in templates on the CA so always create new ones specifically for the purpose.
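The three causes listed above (wrong template name, a space in it, wrong ACLs) can all be checked from a domain-joined Windows host before the profile is scoped again. The following PowerShell script is an added example, not code from the thread, from Jamf, or from Palo Alto; it assumes the ActiveDirectory RSAT module, a hypothetical template CN of `MacComputer`, and a hypothetical enrolling account `svc-sccm`.

```powershell
# Added example: pre-flight checks for the template an AD Certificate payload
# will request. Run on a domain-joined Windows host with RSAT installed.
# Template CN and account name below are hypothetical placeholders.
param(
    [string]$TemplateName = 'MacComputer',   # template CN, not display name (hypothetical)
    [string]$SamAccount   = 'svc-sccm'       # account used by the payload (hypothetical)
)

Import-Module ActiveDirectory -ErrorAction Stop   # also creates the AD: drive used below

# Schema GUIDs of the PKI extended rights checked in the template ACL.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

$problems = New-Object System.Collections.Generic.List[string]

# 1. The template *name* is the object CN and may not contain whitespace;
#    the display name shown in the MMC can, which is what trips people up.
if ($TemplateName -match '\s') {
    $problems.Add("Template name '$TemplateName' contains whitespace; use the CN, which has none.")
}

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$templateDN = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"

# 2. Does a template with exactly that CN exist in the Configuration partition?
try   { $template = Get-ADObject -Identity $templateDN -Properties displayName }
catch { $template = $null }
if (-not $template) {
    $problems.Add("No template with CN '$TemplateName' under CN=Certificate Templates,$pkiBase.")
} else {
    Write-Host "Template CN='$TemplateName' displayName='$($template.displayName)'"

    # 3. Is it published on at least one enterprise CA? An unpublished
    #    template also produces a failed request.
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
                        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                        -Properties certificateTemplates
    $publishedOn = @($cas | Where-Object { $_.certificateTemplates -contains $TemplateName } |
                     Select-Object -ExpandProperty Name)
    if ($publishedOn.Count -eq 0) {
        $problems.Add("Template exists but is not published on any CA (Certificate Templates folder in certsrv.msc).")
    } else {
        Write-Host "Published on CA(s): $($publishedOn -join ', ')"
    }

    # 4. Does the enrolling account hold Enroll on the template, directly or
    #    through any (nested) group? tokenGroups expands nesting server-side.
    $user = Get-ADUser -Identity $SamAccount -Properties tokenGroups
    $sidValues = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object {
        if ($_ -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value }
        else                 { ([System.Security.Principal.SecurityIdentifier]$_).Value }
    })

    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$templateDN"
    $enrollAces = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sidValues -notcontains $aceSid) { continue }
        $rights = $ace.ActiveDirectoryRights
        # Enroll is granted by GenericAll, by ExtendedRight on all extended rights
        # (empty ObjectType), or by ExtendedRight scoped to the Enroll GUID.
        $grants = (($rights -band $genericAll) -eq $genericAll) -or
                  ((($rights -band $extendedRight) -eq $extendedRight) -and
                   ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollRight))
        if ($grants) { $ace }
    }
    if (-not $enrollAces) {
        $problems.Add("$SamAccount has no Allow ACE granting Enroll on '$TemplateName' (check the template's Security tab).")
    } else {
        $enrollAces | ForEach-Object { Write-Host "Enroll granted via $($_.IdentityReference)" }
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Template '$TemplateName' looks usable by $SamAccount."
exit 0
```

The script only inspects the template object and its publication; the CA itself also has a "Request Certificates" permission (Authenticated Users by default) that must include the account, and a template whose subject is built from AD cannot be satisfied for a Mac that has no computer object, so treat a clean run as necessary rather than sufficient.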

Kumarasinghe
Valued Contributor

bentoms
Release Candidate Programs Tester

@gjackson Not sure if you had any success with the cert, but I've been speaking to some people at Palo Alto about the VPN client:

In short, we might go the VPN Profile X-Auth route:

Palo Alto Global Protect VPN Client for Mac:

ME: It does not appear to be manageable using MCX (mac GPO’s) or config profiles. Is there a way to populate the server & user name fields without writing a script?

Palo Alto rep: You are correct here, there is no current way to deploy mac GPO’s or config profiles without writing a script to perform this functionality. It's a shame it isn’t a seamless installation process like with Windows MSI’s at present. So it's going to be a fairly manual process for now.

ME: On 1st launch for each user on the Mac, you are asked to enter an administrative username & password to edit the keychain. I guess this is to install the VPN cert & to allow access to the Mac's issued cert. Is there a way to stop those prompts? How is this handled in environments where users are not admins? (See: https://live.paloaltonetworks.com/docs/DOC-5059)

Palo Alto rep: It’s the Mac security posture which is enforcing this and you will not be able to install the agent without admin privileges to complete the setup correctly. If users are not admins then this is typically managed by the IT support staff to roll out and implement through their software management service. And the workaround within DOC-5059 is the only workaround I know of as well.