09-29-2021 02:56 AM - edited 09-29-2021 03:07 AM
Hi friends,
I am new at Jamf and appreciate your help.
We use Jamf Pro in the cloud and we have a local Microsoft CA server.
My goal is to install certificates from the local CA using Jamf Pro cloud on the Mac devices.
I understand there are two ways to do this:
1. Using Jamf ADCS Connector
2. Using Jamf SCEP with local NDES server
Am I right?
What is the right and secure way to do it?
We also have Azure and Intune if that can help.
Thanks
Posted on 09-29-2021 04:32 AM
AD-CS is the way forward, but if you have Azure we found it easier to create an Azure proxy connection to the server running the AD-CS connector and publish it out that way (that's very similar to how Intune provides its certificates from the on-premises CA using its own internal connector).
Posted on 09-29-2021 04:52 AM
That way there will be no need to open ports out?
Is there a guide on how to do this?
Thanks.
Posted on 09-29-2021 05:23 AM
There are still ports to set up for the proxy in Azure, but it meant I didn't have to deal with our network team at all and punch more holes in the firewall.
I don't have a guide for the Azure side, as my Azure SME did this part for me, but for the Jamf side I pieced together information from both Travelling Tech Guy's blog
https://travellingtechguy.blog
and watching Laurent's JNUC presentation on AD-CS
https://www.youtube.com/watch?v=PbQOG5rJBcQ&t=1683s
Setup is really in two parts:
1) getting the AD-CS connector installed and communicating with Jamf
2) setting up PKI and certificate templates for the payloads to the clients
The best tip I can give for the latter is what Laurent mentions in his presentation: don't use an existing certificate template that is being used for Windows, but create a new one specifically for the Macs.
If I had listened to this the first time around it would have saved a whole lot of time troubleshooting.
09-29-2021 06:28 AM - edited 09-29-2021 08:35 AM
Thank you @garybidwell .
1. I installed the connector, and for -fqdn I used the full name of the server:
.\deploy.ps1 -fqdn jamfadcs.contoso.lan -jamfProDn contoso.jamfcloud.com -cleanInstall
2. I installed the Azure Proxy connector
3. I am in the process of creating the app in Azure and not sure what data I should give in the internal URL (localhost or the name of the server?) and how to configure the other settings.
Posted on 03-24-2022 08:58 AM
My understanding is this doesn't work:
https://macnotes.wordpress.com/2020/11/10/can-jamf-adcs-connector-use-azure-web-app-proxy/
Azure Application Proxy decrypts and re-encrypts the traffic it proxies and the Azure/cloud version doesn't have native support for the client-certificate based authentication used by Jamf ADCS Connector.
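A quick way to see whether the endpoint you point Jamf Pro at still performs the client-certificate handshake the connector relies on, as an added diagnostic that is not from this thread. It assumes OpenSSL's s_client is installed; the hostname is a placeholder and the sample handshake output in the comments is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): if a TLS-terminating proxy such as
# Azure App Proxy sits in front of the Jamf ADCS Connector, the handshake a
# client sees is the proxy's, and it normally sends no CertificateRequest.
# `openssl s_client` prints "Acceptable client certificate CA names" when the
# server asked for a client certificate, and "No client certificate CA names
# sent" when it did not.

# Classify raw `openssl s_client` output read from stdin.
# Prints "mtls-requested" (exit 0) or "no-client-cert-request" (exit 1).
classify_s_client_output() {
  if grep -q '^Acceptable client certificate CA names'; then
    echo "mtls-requested"
    return 0
  fi
  echo "no-client-cert-request"
  return 1
}

# Perform a handshake against HOST:PORT without offering a client certificate
# and classify the server's behaviour.
# Usage: probe_client_cert_request jamfadcs.example.com 443   (placeholder host)
probe_client_cert_request() {
  host="$1"
  port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | classify_s_client_output
}
```

Run the probe once against the connector host directly and once against the published proxy hostname; if only the direct path reports "mtls-requested", the proxy is terminating TLS and the connector's client-certificate authentication cannot pass through it.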
Posted on 10-03-2021 03:53 PM
I have not yet been able to make it work and if anyone can help it would be greatly appreciated. Thanks
Posted on 12-20-2021 06:49 AM
Just curious if you made any progress on this. I am starting down the same path.
Posted on 02-11-2022 10:53 AM
Any update? I am really curious too.