Hi everyone :)
I'm currently testing Jamf ADCS within my environment.
Our Macs are NOT bound to AD and I would like to use ADCS for cert-based Wifi connections.
Btw: I'm using a Microsoft PKI/CA environment which we have had for a while now and which I also use for our Windows clients.
So the ADCS is working as expected and I've created a "Certificate"-Payload profile.
SAN = UPN = "$USERNAME"
Wifi Authentication also works fine - Just awesome.
I've now created another local user on my machine and named it like the CEO of my company. My Mac did now receive a certificate in the name of my CEO. With this certificate I'm not only able to log in against Wifi (which works) but also into a few other systems which allow cert authentication.
We do use NPS for Wifi authentication and there does not seem to be any way except using the Username/UPN within the SAN in order to authenticate against the NPS?!
(Since the Macs aren't bound to the AD of course).
From my current point of view, this is definitely not how it should work and I really do hope that I'm missing something here on my side.
Another very critical thing for me: I'm able to export the certificates with the private key and I also don't see any way to block this. Except of course if the Macs are bound to AD.
Please help :D
Thanks in advance ;)
Actually we are running the exact same setup as you describe, without AD etc.
And those issues you write about have actually not yet come to my mind, and I don't think there is any official solution that can just fix this. So I think an additional piece of software like Jamf Connect needs to be added, so users can only log in with their credentials - and then block new user creation on the Mac.
But maybe someone else has some info on this.
I was actually sure the export of the cert was not possible - but I can see it is. I don't know if there is a way to block this without needing to implement another solution.
But overall, of course, it is a security issue that certificates can be created and exported; that really can give problems if someone wants to abuse this, even though we don't have that much running on certs yet.
Yes indeed - I've just exported it ... :O (It is not even asking me to enter a password when exporting it)
I've NOT ticked "Allow all apps access" within the Certificate Payload. Your computer is also not bound to the AD, right?
Are you using a computer or user profile for this purpose?
The ADCS connector will happily hand off any certificates you configure a profile for and it’s typically used for machine certificates. It sounds like you should be requiring authentication in order to install a user certificate. NoMad or Enterprise Connect both have built in options to do that so I’d give one of those a try.
I'll definitely look into Jamf Connect, but I've thought that this product could work here as well.
It would be great if we could use machine certificates, but I don't see any way to let them into our Wifi via NPS on a secure channel.
If there is anything in combination of NPS and Computer Based certificates, I'll take it ;)
Hi @fabian.fasshuber Something to clarify, the ADCS Connector payload when pushing out a certificate will prevent the export of the private key but not the certificate.
If you export the certificate, that would be the equivalent of exporting a username but not the password. One way to confirm: export your certificate without the key, so a .cer or .crt format instead of a .p12, remove the issued cert from the machine by unscoping the profile, and then try to use the exported certificate to connect to the wifi. Are you able to?
If you are using user-based certificates and the devices are able to communicate with the CA, then you can use something like NoMAD or Enterprise Connect. For multi-user machines that you don't wish to bind, I would recommend looking at Jamf Connect or NoMAD Login depending on your environment, and locking down permission to create accounts.
For further assistance reach out to support or your TAM
You guys have been completely right. I'm not able to export the certificate including the private key.
What I still see as critical is the following part:
1.) I could remove the .AppleSetupDone file, reboot and create another user (e.g. Donald.Trump) and receive his certificate
2.) Within the DEP enrollment I could simply choose another username (e.g. Donald Trumpse) and again I would receive his certificate
For now I've chosen to use device certificates (I grep all DEP serial numbers, create Active Directory computer dummy accounts, allow NPS for them and publish the profile for the devices). Far from perfect, but the user certificates are a bit worse in my eyes.
I'll have a look into NoMad and Enterprise Connect in order to provide SSO with User Certificates in the future.
Thanks very much for all the help ;)
Hi @fabian.fasshuber Did you ever get any further with the Jamf Connector?
We are trying to get a device certificate for a non-AD-bound Mac, and came to the same conclusions you did with deleting the .AppleSetupDone file. Technically a hacker can rename the computer, remove the file and get a cert for any computer name they want, potentially hijacking a server.
Hey @szultzie :)
I also had a ticket with Jamf and yes - It is like it is :D
At the end, I've decided to use a different approach:
I've created Active Directory computer objects based on the serial number of all my MacBooks (I create them automatically when we receive new devices, thanks to DEP and the Jamf API - there is no connection, those are just dummy accounts).
Now I'm creating a computer certificate with the serial number as Subject/SAN and authenticate through that against NPS -> And it works since the dummy serial-number computer object exists :) No one will be able to use the certificate for anything bad -> The export of the private key would not work anyway.
(Theoretically, I would know a way to still export it - but you'll need to put a lot of effort into it)
Let me know if you need more details
@szultzie Yes it happens fully automated with the Jamf ADCS and a configuration Profile. (The ADCS Server works actually without a single outage for about one year)
I deploy the configuration profile to all my devices:
Certificate payload:
    Subject: CN=$SERIALNUMBER
    Subject alternative name: $SERIALNUMBER
The configuration profile also includes the Wifi payload:
    Username: $SERIALNUMBER$
    Identity certificate: the certificate from above
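A PowerShell sketch of the placeholder-object step described above, as an added example (not the poster's own script). The OU path, the NPS group name and the serial list are assumptions; the Jamf API lookup that would supply the serials is left out, and the disable step at the end is an extra housekeeping check so a decommissioned Mac's certificate stops being accepted.

```powershell
# Added example: one dummy AD computer object per Mac serial number, so a device
# certificate with CN/SAN = serial resolves to an account that NPS can authorise.
# Assumptions (not from the thread): OU path, NPS group name, constructed serial list.
Import-Module ActiveDirectory

$OuPath   = 'OU=Mac-Dummies,OU=Workstations,DC=example,DC=local'   # assumption
$NpsGroup = 'NPS-WiFi-Macs'   # assumption: the Windows Group condition in the NPS network policy
$Serials  = @('C02XXX000001', 'C02XXX000002')   # constructed sample; in practice read from the Jamf API

$members = (Get-ADGroupMember -Identity $NpsGroup).SamAccountName

foreach ($serial in $Serials) {
    # The trailing '$' marks a computer account; it matches the Username the
    # Wi-Fi payload sends ($SERIALNUMBER$).
    $sam = "${serial}`$"
    $obj = Get-ADComputer -Filter "Name -eq '$serial'" -SearchBase $OuPath -ErrorAction SilentlyContinue
    if (-not $obj) {
        # Placeholder only: it never joins the domain and nobody knows its password;
        # it exists so the certificate identity maps to an account.
        $obj = New-ADComputer -Name $serial -SAMAccountName $sam -Path $OuPath `
            -Description 'Jamf ADCS device-cert placeholder; not a domain member' `
            -Enabled $true -PassThru
        Write-Host "Created placeholder $sam"
    }
    if ($members -notcontains $sam) {
        Add-ADGroupMember -Identity $NpsGroup -Members $obj
    }
}

# Housekeeping: disable placeholders whose serial is no longer in the device list,
# so a retired Mac (or a cert issued for a guessed serial) stops authenticating.
Get-ADComputer -Filter * -SearchBase $OuPath |
    Where-Object { $_.Name -notin $Serials -and $_.Enabled } |
    ForEach-Object {
        Disable-ADAccount -Identity $_
        Write-Host "Disabled stale placeholder $($_.Name)"
    }
```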