What is the lift required to change ADCS connectors in Jamf Pro? The situation is that the current ADCS connector is in a dev environment but we want to switch to new prod ADCS connector going forward. Nothing about the certificates being assigned would change, just the connector itself. What would be involved with this? From what I can find, I would need to update the ADCS URL and upload the certificates generated on the new prod ADCS connector. Is that all? Also, what would the end user experience? Would they be prompted for anything or would the certificates automatically renew? Thanks.
Question
Changing ADCS connectors
+3
+6We're in exactly the same scenario right now. For some reason our systems engineering team built it in Dev in Azure instead of Prod and now we have to move it. Hopefully someone has gone through this and can help guide us :)
+14I think you just need to reinstall the ADCS Connector on your Windows 2016 server with your production Jamf URL. This will generate new certs that you would need to upload to your production Jamf Pro server.
+3That was my thought as well. We're not touching the actual cert templates or policies that get pushed to Macs so my hope is that end users don't notice anything.
+9Once you get that switched, you're going to want to confirm cert renewal works as expected. I think as long as you're using the same PKI config, you should be fine.
+14@abfajerman once you make the switch to your production server, your test server certs will most likely disappear/fail, because the connection to your CA has been cut short. Your users will notice if you've already deployed test certs to them. I suggest making the switch on a weekend and have them receive the new certs as they check-in.
+2Quick question - what is the expected behavior for certs deployed to registered devices, in case the CA server hostname changes (not ADCS Connector, but Issuing CA server hostname)? The CA itself stays the same, only the hostname changes.
Is cert re-issuance and re-reployment triggered, does JAMF treat this as a new CA and decides a re-push is needed? I've seen a similar behavior with other MDM platforms using NDES, if the SCEP URL would change, all certs would be re-issued and redeployed...
Thanks in advance for your help and support!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.