JAMF / Intune SCEP Enrollment

Schmidt
New Contributor II

Hello everyone, first time posting. Hopefully this question hasn't been asked before. If so, my apologies.

I am trying to find out if I can use the JAMF > Intune integration to deploy SCEP certs from Intune. We have a mixed environment of both Windows and Macs. Windows is working well with our internal CA and NDES account. However, our Macs are a hassle with manual challenge phrases, etc., with JAMF in the cloud. I know that Intune can deploy certs using the "Intune Connector", which allows for communication from our intranet SCEP server to the cloud. However, JAMF does not have a tool like this that I know of. We do not want to expose our SCEP server to the internet, or use an external/JAMF CA, as we already have it working on Windows, so the JAMF SCEP Proxy idea is out.

Are there limitations to what the JAMF/Intune integration can do? Can I create a SCEP policy in Intune and have it work on Macs enrolled in JAMF? From what I read, it seems like it's mostly just related to compliance/conditional access. Any help is appreciated!

Thanks!


JamieG
New Contributor II

Hi Schmidt,

Did you manage to get this working? I would like to do the exact same thing in order to have Intune-controlled SCEP certificates pushed onto the Macs. Like you, we don't expose SCEP/NDES to the internet, and instead rely on the msappproxy, secured to just Intune, to make it work.

Would be interested to know how you progressed. I need certs pushed for:
- User: VPN and WiFi (PEAP)
- Machine: VPN and WiFi (cert auth)

easyedc
Valued Contributor II

Just bumping this before I start going down the same path. Did either of you have any luck?

JamieG
New Contributor II

No. Unfortunately, the best solution I could find was using the JAMF SCEP policy and proxying via an msappproxy, with restrictions for the IP address of my JAMF Pro instance (in the cloud).

Schmidt
New Contributor II

Hey easyedc,

We are actually still looking into this (put on hold with COVID) but did find the below article that somewhat describes what JamieG mentions.

Support Tip - How to configure NDES for SCEP certificate deployments in Intune - Microsoft Tech Comm...

Although this is for Intune, the concept is the same for JAMF. Basically, it has you create an Azure AD Application Proxy app for your intranet, which installs a connector on a server, create an externally facing website in Azure AD as the proxy, then use JAMF to point to that website.

The external IPs and ports are listed here:

Permitting Inbound/Outbound Traffic with Jamf Cloud - Technical Articles | Jamf

Network Ports Used by Jamf Pro - Technical Articles | Jamf