Question

Anyone using SCEP with OS X clients?



Wondering if anyone is using the SCEP payload section in 10.7 configuration profiles with OS X, not iOS. If possible, I'd like to use that to enroll our Macs with our Active Directory certificate authority....

11 replies

  • New Contributor
  • 3 replies
  • February 29, 2012

I am very interested in this as well as my customers are not liking the alternative of setting up an auto-enrolling web interface to their CAs. I will be experimenting with this as soon as they bring up a SCEP-enabled CA!


  • Contributor
  • 124 replies
  • February 29, 2012

We are in this boat as well. We're working on a solution to use SCEP with User level certificates (Login.keychain) as well as the AD issued cert for the Machine level certificate (System.keychain).


  • Contributor
  • 352 replies
  • July 25, 2012

SCEP is working well for us. We are using it for the computer cert issued from the domain.

We needed to upgrade the JSS from 8.43 to 8.52 to use the variables.

If you're interested in checking it out, there are some useful variables that you can use in configuration profiles; there is a table on page 314 of the Casper Admin's guide:

http://www.jamfsoftware.com/libraries/pdf/products/documentation/Casper_Suite_8.5_Documentation.pdf


  • Author
  • Contributor
  • 437 replies
  • July 25, 2012

Hey cem, are you creating your SCEP configuration profile on the JSS or in Profile Manager on a Lion Server?
How are you delivering the profiles to the client machines? JSS push or ?
Thanks!


  • Honored Contributor
  • 351 replies
  • July 25, 2012

We are using it as well with Windows 2008 SCEP servers. We create our profiles using Lion Server's Profile Manager.


  • Author
  • Contributor
  • 437 replies
  • July 25, 2012

cem or ooshnoo, did either of you try user certificates, or are you both doing computer certs?
Also, how are you integrating this into your imaging/deployment workflow?


  • Contributor
  • 352 replies
  • July 26, 2012

@nkalister
Simply using the JSS SCEP config profile. It is now better with JSS6, as you get the dynamic Challenge option too.

We are using computer certs. But the variables in the JSS for SCEP should help for user certs too. I haven't tried this, though.


  • 0 replies
  • December 14, 2012

When setting up the SCEP server in Global Management Frameworks, does the JSS require the full path to the DLL, or just the directory path, for the Base URL for the SCEP server?

Option 1: https://ndesserver.corp.root/certsrv/mscep/mscep.dll
Option 2: https://ndesserver.corp.root/certsrv/mscep/

I ask because I'm testing this with a Mac on 10.8.2, and the device doesn't appear to get a device certificate, but from a separate profile it does get our internal .p7b certificate chain.


  • Contributor
  • 352 replies
  • December 14, 2012

"Use External Certificate Authority" in "Global Management Frameworks"
Base URL for the SCEP Server: http://ndesserver.corp.root/certsrv/mscep/mscep.dll

NO https


  • 0 replies
  • March 7, 2013

Hi cem. Are there logs anywhere on the JSS that can track errors in this process? I can validate that configuration profiles come down, but I can't get SCEP or AD certs to process. I have SCEP working with MobileIron for my iOS devices, so I know the configuration is correct, but I couldn't ever get a SCEP cert (not even a request to the server). I tried AD certs since they should be simpler, but again my certsrv isn't even getting the request, which means the profile isn't getting processed on the Mac.

Any help/suggestions appreciated.


  • Contributor
  • 352 replies
  • March 14, 2013

@mlinde: sorry for the late reply... I am up to my eyeballs at the minute... I am afraid there is no footprint for this in jamf.log. But you can try the SCEP server logs and the RADIUS server logs.

Make sure to put the $COMPUTERNAME variable into the SCEP payload as below (just replace "yourcompany.com" with your company domain). Also select the "DNS Name" option under "Subject Alternative Name Type".

Subject:
CN=$COMPUTERNAME.yourcompany.com

Subject Alternative Name Value:
host/$COMPUTERNAME.yourcompany.com
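As an added example (not from this thread and not Jamf's own tooling), the following Python script builds the SCEP payload described in the post above using Apple's configuration-profile keys, and checks it against the settings earlier replies in the thread report as failure causes: the full mscep.dll Base URL, plain http rather than https, $COMPUTERNAME in the Subject CN, and a DNS Name SAN. The NDES host name is the one quoted in the thread; the PayloadIdentifier and PayloadUUID values are placeholders.

```python
import plistlib
from urllib.parse import urlparse

SCEP_URL = "http://ndesserver.corp.root/certsrv/mscep/mscep.dll"  # host quoted in thread
DOMAIN = "yourcompany.com"  # placeholder domain from the post above

def build_scep_payload(url, domain, challenge=""):
    """Build a com.apple.security.scep payload with the Subject/SAN from the post above."""
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep.machine",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "PayloadContent": {
            "URL": url,
            "Name": "NDES",  # CA identifier sent to the SCEP server
            "Challenge": challenge,
            "Keysize": 2048,
            "Key Type": "RSA",
            "Key Usage": 5,  # 1 = signing, 4 = encryption, 5 = both
            # Subject is a list of RDNs, each a list of [type, value] pairs;
            # the JSS substitutes $COMPUTERNAME, the variable the post relies on.
            "Subject": [[["CN", "$COMPUTERNAME." + domain]]],
            "SubjectAltName": {"dNSName": "host/$COMPUTERNAME." + domain},
        },
    }

def check_scep_payload(payload):
    """Flag the settings that replies in this thread report as failure causes."""
    problems = []
    content = payload.get("PayloadContent", {})
    parsed = urlparse(content.get("URL", ""))
    if parsed.scheme != "http":
        problems.append("base URL is not plain http (reply above: 'NO https')")
    if not parsed.path.lower().endswith("mscep.dll"):
        problems.append("base URL does not end with the full mscep.dll path")
    cns = [v for rdn in content.get("Subject", []) for t, v in rdn if t == "CN"]
    if not cns or "$COMPUTERNAME" not in cns[0]:
        problems.append("Subject CN does not contain the $COMPUTERNAME variable")
    if "dNSName" not in content.get("SubjectAltName", {}):
        problems.append("Subject Alternative Name Type is not DNS Name")
    return problems

def profile_bytes(payload):
    """Wrap the payload in a top-level profile and serialize it as an XML plist."""
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.scep.profile",  # placeholder
               "PayloadUUID": "00000000-0000-0000-0000-000000000002",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)
```

Running `check_scep_payload` on a payload built from the "Option 2" directory-style https URL earlier in the thread reports both the scheme and the missing mscep.dll path.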



