Jamf and SCEP server

jelockwood
Contributor

Jamf, like all MDM systems that are compatible with Apple devices, has a built-in SCEP server to enable the enrollment of devices.

Jamf, like all MDM systems that are compatible with Apple's MDM approach, also allows using a SCEP server in profiles to generate certificates for inclusion in those profiles, for uses like VPN or 802.1x certificate authentication for network access.

Last time I checked (some time ago), however, Jamf, like Apple's own Profile Manager, for some insane reason locks down its built-in SCEP server so it cannot be used to generate certificates for these other purposes, thereby forcing you to also have a separate third-party SCEP server.

Whilst many people succeed (since they have no choice) in using a third-party SCEP server, its being separate at a minimum loses all the potential advantages of a tightly integrated solution à la Jamf.

I also get the impression that the choice of suitable SCEP servers is very limited, basically boiling down to Microsoft's SCEP server. (One can criticise Microsoft over many issues, but they have done and still do a brilliant job in providing a full range of enterprise tools.)

As per this page, https://www.jamf.com/blog/the-ins-and-outs-of-scep-for-casper-suite-administrators/, Jamf clearly understand the need for using a SCEP server, so presuming it is still the case that Jamf effectively cripple their own SCEP server, I have to ask the question: why?

Note: In a previous case I was involved with, Jamf lost a government sale and this was one of the reasons, although not the only one. The sale probably could have been won if it had had this capability, despite those other reasons.

Whilst, as mentioned, using Microsoft's SCEP server works fine as a solution, it is increasingly common to encounter organisations which do not use Microsoft servers and therefore cannot use the Microsoft SCEP server.

Presuming it is indeed still the case that one cannot use the Jamf SCEP server for this purpose, and given that one cannot in these cases use the Microsoft SCEP server, are there any suggestions for non-Windows-based SCEP servers that work effectively with Jamf, for example running on Linux?

I would also suggest everyone giving Jamf a collective kick up the backside. ;)

For what it's worth, I believe Cisco Meraki Systems Manager, an alternative MDM system, does solve this problem as long as your network infrastructure is also Meraki; you then get the aforementioned tight integration. See https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authentication_with_Systems_Manager_and_Meraki_APs


ftiff
Contributor

Hi @jelockwood

Sorry to ask so bluntly: What is your point?
What do you need? What are you suggesting?

Thank you,
François

jelockwood
Contributor

@ftiff

Sorry to ask so bluntly: What is your point? What do you need? What are you suggesting?

I am asking:

  1. Does Jamf now allow using their built-in SCEP server to generate certificates for other uses?
  2. If not, for Jamf to implement this.
  3. If not, in the interim, for suggestions for alternative non-Windows-based SCEP servers.

I thought this was pretty clear.

ftiff
Contributor

Not for me!

What would be the use of the certificate? What do you have in mind? Would you want to use Jamf as a PKI?

What PKI do you currently use?
