Device Management Cert - Built-in CA to SCEP/ADCS Process?

alexjdale
Valued Contributor III

Our security policy has evolved to require all certificates issued by an application to be issued by one of our organization's CAs. We are already set for our SSL cert, but the certs issued by the Jamf Pro built-in CA for device management and MDM need to be changed out.

I get that we will need to re-enroll our devices for this, but I'm wondering just how bad this will be after making the change in the JSS and checking that box to use SCEP/ADCS for enrollment? If I can still run policies, I can at least script a nice walkthrough to help users re-enroll and approve MDM. If I can't run policies, then I basically need to get 8,000 users to take action on their own (and most don't have admin rights).

Has anyone gone through this? Have any tips or warnings to share?

2 REPLIES

sdagley
Esteemed Contributor II

@alexjdale Any chance you have a Jamf Premium Services contract? They have a tool for this and engineers familiar with its use. If not, contact your Customer Success Specialist and see if the tool is available without the PS support. (I don't have any specific tips to share as I'm in a similar situation, but looking at setting up a new JSS configuration to move machines to rather than changing the existing JSS in place)

alexjdale
Valued Contributor III

Do you know offhand what happens when you change the Management Certificate Template to start using an external CA, as it pertains to existing clients? Do existing clients with certs issued from the built-in JSS CA keep talking to the JSS and newly-enrolled devices simply receive certs from our PKI, or does this change orphan the previous devices because their management certs don't match the new issuer?

I'm having a hard time getting some info like this to evaluate my options.