Deploying AD Certificate

foreverkan
New Contributor III

Hello Everybody,

Our MacBooks are on the domain, so we are deploying the AD certificate to our MacBooks. I have 2 questions about this.

1- How does this work? For example, when I log in on a MacBook nothing happens (the certificate is not installed), but after a reboot, or a log out and login, the AD certificate is installed. Why do I need to reboot or log out?

2- The AD certificate is applied to all users. When we are setting up a MacBook we log in with a local account, so Jamf tries to add the AD certificate to the local account. I don't want that. How do I exclude the local accounts?

This is a local account, and the AD certificate is always pending.

Thank you.

sdagley
Esteemed Contributor II

@foreverkan If you deploy a certificate using a Configuration Profile targeted at User Level it will install into the user's login keychain. A Computer Level profile will install the certificate into the System keychain.

For User Level Configuration Profiles, installation doesn't happen as quickly as for Computer Level profiles, and it usually coincides with some Jamf process that verifies the user that's logged in, like a reboot.

AJPinto
Honored Contributor II

I have linked some white papers that discuss ADCS certificate workflows for macOS and Jamf. Most of Jamf's current documentation is for their ADCS Connector rather than domain binding, as domain binding is a dead function, but the general concepts are the same.

Active Directory Certificate MDM payload settings for Apple devices - Apple Support

Active Directory Certificate Services (AD CS) Overview - Technical Paper: Integrating with Active Di...

ol/adcsc/doc/Jamf ADCSC Implementation notes.pdf at master · jamf/ol · GitHub

Looks like you are trying to use user level Configuration Profiles. The workflow for user level Configuration Profiles is very convoluted. For the Configuration Profile to work, the logged-in user must be MDM managed, which is likely why you are seeing the log out being necessary.

Computer Configuration Profiles - Jamf Pro Administrator's Guide | Jamf

I would suggest sticking to System Level Configuration Profiles and Machine Certificates, as well as moving to the Jamf ADCS Connector instead of domain binding. Targeting users with things on macOS is usually not worth the effort, as MDM is Device Management, not User Management. Prefer the ADCS Connector over Domain Binding, as Apple stopped developing macOS with Domain Binding in mind over a decade ago.
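Both replies turn on one property of the profile: its scope decides whether the certificate lands in the System keychain or the user's login keychain, and a user-scoped profile only applies once the logged-in user is MDM managed. The following is an added example, not code from the thread or from Jamf: it reads a `.mobileconfig` with Python's `plistlib`, reports the keychain the Active Directory Certificate payload will target, and flags two payload keys (`KeyIsExtractable`, `AllowAllAppsAccess`) that weaken protection of the issued private key. The sample profile is constructed; `ca.example.test` is a placeholder CA host.

```python
import plistlib

# Constructed sample, not from the thread: a user-scoped profile carrying
# one Active Directory Certificate payload with two risky settings enabled.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>User</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.ADCertificate</string>
    <key>CertServer</key><string>ca.example.test</string>
    <key>CertTemplate</key><string>User</string>
    <key>KeyIsExtractable</key><true/>
    <key>AllowAllAppsAccess</key><true/>
  </dict></array>
</dict></plist>"""

AD_CERT_PAYLOAD = "com.apple.ADCertificate"


def audit(profile_bytes):
    """Return where the issued certificate will land and which settings to review."""
    profile = plistlib.loads(profile_bytes)
    # A profile that omits PayloadScope is treated as User scope.
    scope = profile.get("PayloadScope", "User")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == AD_CERT_PAYLOAD]
    warnings = []
    for p in payloads:
        if p.get("KeyIsExtractable", False):
            warnings.append("KeyIsExtractable is true: the private key can be exported")
        if p.get("AllowAllAppsAccess", False):
            warnings.append("AllowAllAppsAccess is true: any app can use the key without a prompt")
    return {
        "scope": scope,
        # System scope installs into the System keychain; anything else goes to
        # the login keychain of the user the profile is delivered to.
        "keychain": "System" if scope == "System" else "login",
        # User-scoped profiles only apply once the logged-in user is MDM managed,
        # which is why the poster only saw the certificate after a logout or reboot.
        "needs_user_mdm": scope != "System",
        "ad_cert_payloads": len(payloads),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

Run it against an exported profile (`audit(open("profile.mobileconfig", "rb").read())`) to confirm the scope before assigning it in Jamf.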