Help with 2nd NDES server for Jamf SCEP profiles.

New Contributor II

I've done a ton of searching and still haven't come up with the answers I need. 

I'm looking for a document/web page that tells me exactly how to setup a 2nd NDES server with App Proxy and get it working with Jamf, including how to setup the config profile for iOS and MacOS.  We have moved to Cisco ISE and it requires certs to access the network.  We do have NDES/SCEP working with Intune, but there aren't many documents on how to setup a 2nd one to work with Jamf.

We've tried several documents and everything looks fine, but the iOS profile won't load on the device.  I feel like there's probably something easy that needs to be done on the NDES server, but I can't figure it out.  

***We are using profiles and not setting up Jamf to be a SCEP Proxy.  Not my decision.  And our network team says they can't do the network integration into Cisco ISE.  Again, not my decision.***

And before anyone suggests it, I have worked with Jamf Support.  They have been really great in helping me troubleshoot, but I think this might be a Microsoft issue.

Here is the current setup:

We have a primary NDES server that connects to Intune, thru Azure AD App Proxy.  We use it for SCEP and it pulls the certs with no issue.  It was setup using Microsoft's instructions, which are geared towards Intune only.

I setup a 2nd NDES server for Jamf and connected it thru App Proxy.  The fingerprint/password web page comes up, but the profile fails to load on any devices.  I was getting a pending message on the profile, until I changed the NDES server to show the password.  Now it fails.


So I'm getting to the point that I need to get this done in order to certify Jamf as our Apple MDM solution going forward.  Network connectivity is pretty important, so I really need some help with this.  I can post my profile if needed.


Esteemed Contributor II

@robertb2 Personally I'd recommend reaching out to the management above your network team, which hopefully is related to your management, and point out that if network security is a true requirement for your org that the network team can't simply ignore the Jamf Pro integration. And speaking as someone in a  Very Large Org that uses ISE that integration is fairly straightforward.

On the NDES front I can't offer any advice because we utilize a different certificate system, but the MacNotes blog has some useful posts on that subject: