Certificate deployment on Mac and certificate management

Asifahmed
New Contributor III

Hello Team,

I was looking for a way to deploy all my organisation's certificates automatically on Macs after enrolment. Please keep in mind that my Jamf is in the cloud and Azure AD is integrated with Jamf, so in this case I can't use the AD CS connector. If I use a config profile then the main issue is that auto-renewal is not possible after the certificate expires; we need to remove the expired cert and upload the new certificate again in the config profile for deployment. For on-prem Jamf we can use a SCEP server to avoid this auto-renewal stuff, or we can use the AD CS connector. But if my Jamf is in the cloud, Azure AD is integrated and there is no on-prem AD, and users are enrolling their Macs from home, then how will the Mac device get the certificates? Please help me out on this.


stevewood
Honored Contributor II

Where is the CA for the certificates? If you're running a VM in Azure that has the Enterprise CA services running, you can either set up an NDES server in Azure and still use SCEP, or you can use the Enterprise CA for certificate services as well via a config profile. You'll just need to allow access to both from the internet.

You can use Azure App Proxy to proxy the connection to the NDES endpoint, and that will provide some security. In addition, you can set up the Jamf Pro server to be a SCEP proxy so that communications can be further locked down to just the IP addresses for Jamf Cloud.

https://travellingtechguy.blog/communication-flows-for-jamf-pro-with-direct-scep-ndes-and-jamf-pro-a...

https://macnotes.wordpress.com/2020/11/11/configuring-azure-web-application-proxy-for-jamf-pro-scep-...

https://macnotes.wordpress.com/2020/11/17/jamf-scep-proxy-vs-adcs-connector/


Asifahmed
New Contributor III

I want to use the Jamf Pro built-in CA. Now suppose a user enrolled a Mac from home (outside the office network), and to make a VPN connection the Mac needs a certificate. My question is, what is the solution here to get such a certificate over the internet? I can understand that if the certificate name is the same for all Mac devices then I can use a config profile to push it to Mac devices over the internet, but if the certificate name depends on the Mac's hostname or the user's name/UPN, then how can we proceed further without going to the office LAN?

NB: From what I know, a SCEP server is an on-premises solution. I will check Azure App Proxy and how it helps deploy certificates to Macs through an NDES server.

stevewood
Honored Contributor II

If you're using the Jamf Pro built-in CA, you have to go through the process of getting your infrastructure to trust that CA as authoritative for those certs. It would make more sense to utilize your organization's existing PKI infrastructure if you already have that set up.

In order for a device at home to receive certificates, you either need to have your certificate server externally facing or use a proxy of some sort. The Azure App Proxy allows your NDES server to be internally facing only; the App Proxy will proxy the connection to the internal NDES server, allowing you to utilize Jamf Pro as a SCEP proxy and deliver certificates over the internet to your devices. You can utilize variables in the configuration profile payload to set values in the Subject of the certificate, like the computer name ($COMPUTERNAME) or user name ($USERNAME), if you need those in the certificate.


Asifahmed
New Contributor III

If we have a SCEP server, then we need to install the cloud connector on an on-prem server running in the DMZ so that it can speak to the Azure AD App Proxy service?

Second question: all of this should be done by the company's security team, and I just need to configure the SCEP and proxy server in the Jamf console with a config profile for cert distribution?