Posted on 04-11-2023 06:00 AM
Hello Team,
I was looking for a way to deploy all my organisation's certificate automatically on mac after enrolment, please keep in mind that my JAMF is in cloud and Azure AD is integrated with JAMF. So in this case I cant use AD-CS connector. If I use config profile then the main issue is that auto renew is not possible after it gets expired, we need to remove the expired cert and upload the new certificate again in config profile for deployment. For on-prem JAMF we can use SCEP server to avoid this auto renew stuff or we can use AD-CS connector. But if my JAMF is in cloud and Azure AD is integrated and no on-prem AD is there, and think user are enrolling the mac from their home then how the mac device will get the certificates. Please help me out on this.
Posted on 04-11-2023 07:20 AM
Where is the CA for certificates? If you're running a VM in Azure that has the Enterprise CA services running, you can either setup an NDES server in Azure and still use SCEP, or you can use the Enterprise CA for certificate services as well via config profile. You'll just need to allow access to both from the internet.
You can use Azure App Proxy to proxy the connection to the NDES endpoint and that will provide some security. In addition you can setup the Jamf Pro server to be a SCEP proxy so that communications can be further locked down to just the IP addresses for Jamf Cloud.
https://macnotes.wordpress.com/2020/11/17/jamf-scep-proxy-vs-adcs-connector/
Posted on 04-11-2023 07:32 AM
I want to use Jamf Pro Built-in CA, now think a user enrolled a mac from home(out of office network) and to make a VPN connection mac need a certificate, now my question is, what is the solution here to get such certificate over internet. I can understand that if the certificate name is unique for all mac devices then I can use a config profile to push on mac devices over internet but if the certificate name depends on mac's hostname of or user's name/UPN then how we can proceed on further without going to office LAN.
NB:- What I know SCEP server is on-premise solutions. I will check Azure App Proxy, how does it help to deploy certificate on mac through NDES server
Posted on 04-11-2023 07:47 AM
If you're using the Jamf Pro Built-In CA you have to go through the process of getting your infrastructure to trust that CA as authoritative for those certs. It would make more sense to utilize your organization's existing PKI infrastructure if you already have that setup.
In order for a device at home to receive certificates you either need to have your certificate server externally facing or use a proxy of some sort. The Azure App Proxy allows for your NDES server to be internally facing only and the App Proxy will proxy the connection to the internal NDES server allowing you to utilize Jamf Pro as a SCEP Pro proxy and deliver certificates over the internet to your devices. You can utilize variables in the configuration profile payload to set values in the Subject of the certificate like the computer name ($COMPUTERNAME) or user name ($USERNAME) if you need those in the certificate.
Posted on 04-16-2023 06:34 AM
If we have SCEP server then we need to install cloud connector on an on-prem server running on DMZ so that it can speak to Azure AD app proxy service?
Second question all these stuff should be done by company's security team and I just need to configure SCEP and proxy server in JAMF console with a config profile for cert distribution?