Wondering if anyone is using the SCEP payload section in 10.7 configuration profiles with OS X, not iOS. If possible, I'd like to use that to enroll our Macs with our Active Directory certificate authority...
I am very interested in this as well as my customers are not liking the alternative of setting up an auto-enrolling web interface to their CAs. I will be experimenting with this as soon as they bring up a SCEP-enabled CA!
We are in this boat as well. We're working on a solution to use SCEP with User level certificates (Login.keychain) as well as the AD issued cert for the Machine level certificate (System.keychain).
SCEP is working well for us. We are using it for the computer cert issued from the domain.
We needed to upgrade the JSS from 8.43 to 8.52 to use the variables.
If you're interested in checking out the useful variables that you can use in configuration profiles, there is a table on page 314 of the Casper Admin's guide:
Simply using the JSS SCEP config profile. It is now better with JSS6, as you get the dynamic Challenge option too.
We are using computer certs, but the variables in the JSS for SCEP should help for user certs too. I haven't tried this, though.
When setting up the SCEP server in Global Management Frameworks, does the JSS require the full path to the DLL, or just the directory path for the Base URL of the SCEP server?
Option 1: https://ndesserver.corp.root/certsrv/mscep/mscep.dll
Option 2: https://ndesserver.corp.root/certsrv/mscep/
I ask because I'm testing this with a Mac on 10.8.2, and the device doesn't appear to get a device certificate, but from a separate profile it does get our internal .p7b certificate chain.
Hi cem. Are there logs anywhere on the jss that can track errors in this process? I can validate that configuration profiles come down, but I can't get SCEP or AD certs to process. I have SCEP working with MobileIron for my iOS devices, so I know the configuration is correct, but couldn't ever get an SCEP cert (even a request to the server). I tried AD certs since they should be simpler, but again my certsrv isn't even getting the request, which means the profile isn't getting processed to the Mac.
Any help/suggestions appreciated.
@mlinde; sorry for the late reply... I am up to my eyeballs at the minute... I am afraid there is no footprint for this in jamf.log, but you can try the SCEP server logs and RADIUS server logs.
Make sure to put the $COMPUTERNAME variable into the SCEP payload as below (just replace "yourcompany.com" with your company domain). Also select the "DNS Name" option under "Subject Alternative Name Type".
Subject Alternative Name Value:
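Since earlier posts ask how to tell whether the SCEP-issued machine cert actually arrived, here is an added example (not part of the thread, nor Jamf's tooling) that checks a PEM-encoded certificate for the DNS name you expect in its Subject Alternative Name. It assumes you have exported the certificate to a PEM file first; on a Mac that would be something like `security find-certificate -a -p /Library/Keychains/System.keychain > /tmp/system-certs.pem` (the output path is an assumption), and `openssl x509` only reads the first certificate in such a file, so split a bundle before checking the others. The hostname used below is constructed.

```shell
#!/bin/sh
# Added example: verify that a SCEP-issued machine certificate carries the
# expected DNS entry in its Subject Alternative Name (SAN), i.e. the value the
# $COMPUTERNAME.yourcompany.com template in the SCEP payload should produce.
# Requires OpenSSL 1.1.1 or newer for the "-ext" option.

# Print every DNS name listed in the SAN extension of a PEM certificate, one per line.
# $1 = path to a PEM file (only the first certificate in the file is examined).
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print the certificate subject so it can be compared with the SAN.
cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

# Return 0 if the certificate lists exactly the given hostname as a SAN DNS name.
# $1 = PEM file, $2 = expected hostname (e.g. the Mac's computer name plus domain).
cert_has_dns_name() {
    san_dns_names "$1" | grep -qx "$2"
}

# Usage (hostname is a constructed example):
#   cert_has_dns_name /tmp/system-certs.pem mac01.yourcompany.com && echo "SAN ok"
```

If the function reports no SAN DNS names at all, the profile either never reached the Mac or the CA template ignored the requested SAN; compare against the SCEP server logs the reply above points to.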