Posted on 05-20-2024 04:12 AM
Hello Everybody,
Our MacBooks are on the domain, so we are deploying an AD certificate to our MacBooks. I have 2 questions about this.
1- How is this working? For example, when I log in to a MacBook nothing happens (certificate not installed). But after a reboot, or after logging out and logging in again, the AD certificate is installed. Why do I need to reboot or log out?
2- The AD certificate is applied to all users. When we are setting up a MacBook, we log in with a local account, so Jamf tries to add the AD certificate to the local account. I don't want that. How do I set an exclusion for the local accounts?
This is a local account and the AD certificate is always pending.
Thank you.
05-20-2024 04:56 AM - edited 05-20-2024 04:58 AM
@foreverkan If you deploy a certificate using a Configuration Profile targeted at User Level it will install into the user's login keychain. A Computer Level profile will install the certificate into the System keychain.
For User Level Configuration Profiles, installation doesn't happen as quickly as for Computer Level profiles, and it usually coincides with some Jamf process that verifies the logged-in user, like a reboot.
Posted on 05-20-2024 05:06 AM
I have linked some white papers that discuss ADCS certificate workflows for macOS and Jamf. Most of Jamf's current documentation is for their ADCS Connector rather than domain binding, as domain binding is a dead function, but the general concepts are the same.
Active Directory Certificate MDM payload settings for Apple devices - Apple Support
ol/adcsc/doc/Jamf ADCSC Implementation notes.pdf at master · jamf/ol · GitHub
Looks like you are trying to use user level Configuration Profiles. The workflow for user level Configuration Profiles is very convoluted. For the Configuration Profile to work, the logged-in user must be MDM Managed, which is likely why you are seeing the log out being necessary.
Computer Configuration Profiles - Jamf Pro Administrator's Guide | Jamf
I would suggest sticking to System Level Configuration Profiles and Machine Certificates, as well as moving to the Jamf ADCS Connector instead of domain binding. Targeting users with things on macOS is usually not worth the effort, as MDM is Device Management, not User Management. I would also suggest the ADCS Connector over Domain Binding, as Apple stopped developing macOS with Domain Binding in mind over a decade ago.
Posted on 06-12-2024 04:23 AM
Ok, thanks.
Posted on 10-21-2024 11:02 AM
Hello again, we have a problem. When we enroll a new MacBook in Jamf, the client sometimes cannot pull the AD certificate. I couldn't find the main issue. I looked at the logs and there is something like this.
Logs: 2024-10-10 10:12:23,782 [ERROR] [15-thread-1] [nsConnectionEventListener] - [apns] [JPROAPNS-004] connectFailed. Cause: Connect timed out
java.net.SocketTimeoutException: Connect timed out