Jamf pro cloud connection to on-prem Microsoft Certificate Authority

New Contributor II

Hi friends,

I am new at Jamf and appreciate your help.

We use Jamf Pro in the cloud and we have a local Microsoft CA server.

My goal is to install certificates from the local CA using Jamf pro cloud on the mac devices.

I understand there are two ways to do this:

1. Using Jamf ADCS Connector

2. Using Jamf SCEP with local NDES server

Am I right?

What is the right and secure way to do it?

We also have Azure and Intune if that can help.

Contributor II

AD-CS is the way forward, but if you have Azure we found it easier to create an Azure proxy connection to the server running the AD-CS connector and publish it out that way (that's very similar to how Intune provides its certificates from the on-premises CA using its own internal connector).

New Contributor II

That way there will be no need to open ports out?

Is there a guide on how to do this?

Contributor II

There are still ports to set up for the proxy in Azure, but it meant I didn't have to deal with our network team at all or punch more holes in the firewall.
I don't have a guide for the Azure side, as my Azure SME did this part for me, but for the Jamf side I pieced together information from both Travelling Tech Guy's blog and watching Laurent's JNUC presentation on AD-CS.

Setup is really in two parts:
1) getting the AD-CS connector installed and communicating with Jamf

2) setting up PKI and certificate templates for the payloads to the clients

The best tip I can give for the latter is what Laurent mentions in his presentation: don't use an existing certificate template that is being used for Windows, but create a new one specifically for the Macs.
If I had listened to this the first time around it would have saved a whole lot of time troubleshooting.

New Contributor II

Thank you @garybidwell.

1. I installed the connector, and for -fqdn I used the full name of the server:

.\deploy.ps1 -fqdn jamfadcs.contoso.lan -jamfProDn contoso.jamfcloud.com -cleanInstall

2. I installed the Azure Proxy connector

3. I am in the process of creating the app in Azure and I am not sure what data I should give in the internal URL (localhost or the name of the server?) and how to configure the other settings.

[Screenshot: Screen Shot 2021-09-29 at 18.20.04.png]

New Contributor III

My understanding is this doesn't work.
Azure Application Proxy decrypts and re-encrypts the traffic it proxies, and the Azure/cloud version doesn't have native support for the client-certificate-based authentication used by the Jamf ADCS Connector.
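A quick way to see whether the point above applies to your own path is to check, from a Mac or Linux client, whether the TLS endpoint you actually reach still asks for a client certificate. The script below is an added example written for this thread, not Jamf's code or anything from the posters: it runs `openssl s_client` and parses the "Acceptable client certificate CA names" block that OpenSSL 1.1.1/3.x print when the server sends a CertificateRequest with a non-empty issuer list (an assumption about the output format, checked here against constructed sample output). When a TLS-terminating proxy sits in front of the connector, that block disappears, because the proxy completes the handshake itself and never forwards the request for your certificate. The host name is a placeholder; the two sample outputs are constructed for the test and not captured from a real connector.

```python
"""Check whether a TLS endpoint requests a client certificate (mutual TLS).

Added example for the Jamf ADCS Connector discussion; host names and the two
sample transcripts below are constructed placeholders, not real captures.
Requires the openssl CLI only for the live probe(); parsing works offline.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Header OpenSSL s_client prints when the server sent a non-empty CA list
# inside its CertificateRequest (assumption: OpenSSL 1.1.1 / 3.x wording).
CA_NAMES_HEADER = "Acceptable client certificate CA names"
# Lines of the CA list look like "C = US, O = Contoso, CN = ..." (one-line DN).
DN_LINE = re.compile(r"^\s*[A-Za-z0-9.]+\s*=\s*")
VERIFY_LINE = re.compile(r"Verify return code:\s*(\d+)")


@dataclass
class HandshakeReport:
    requests_client_cert: bool            # server asked for a client certificate
    acceptable_cas: List[str] = field(default_factory=list)  # issuer DNs it accepts
    verify_return_code: Optional[int] = None  # server-cert verification result (0 = ok)


def parse_s_client_output(text: str) -> HandshakeReport:
    """Extract the client-cert request details from openssl s_client output."""
    lines = text.splitlines()
    cas: List[str] = []
    requested = False
    verify: Optional[int] = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line == CA_NAMES_HEADER:
            requested = True
            i += 1
            # The DN list ends at the first line that is not a one-line DN
            # (e.g. "Client Certificate Types: ..." or a "---" separator).
            while i < len(lines) and DN_LINE.match(lines[i]):
                cas.append(lines[i].strip())
                i += 1
            continue
        m = VERIFY_LINE.search(line)
        if m:
            verify = int(m.group(1))
        i += 1
    return HandshakeReport(requested, cas, verify)


def explain(report: HandshakeReport) -> str:
    """Turn a report into the one-line verdict an admin wants."""
    if report.requests_client_cert:
        return "endpoint requests a client certificate (mTLS reaches you); issuers: " \
               + "; ".join(report.acceptable_cas)
    return ("no client-certificate request seen: either the endpoint does not use "
            "mTLS or a TLS-terminating proxy is answering the handshake for it")


def probe(host: str, port: int = 443, timeout: float = 10.0) -> HandshakeReport:
    """Live check: run openssl s_client against host:port and parse the result."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_s_client_output(proc.stdout.decode(errors="replace"))


# Constructed sample transcripts (not real captures) for offline use.
SAMPLE_DIRECT = """\
---
Acceptable client certificate CA names
C = US, O = Contoso, CN = Contoso Issuing CA 01
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
SSL handshake has read 4321 bytes and written 456 bytes
Verify return code: 0 (ok)
---
"""

SAMPLE_VIA_PROXY = """\
---
No client certificate CA names sent
Peer signing digest: SHA256
---
SSL handshake has read 3210 bytes and written 400 bytes
Verify return code: 0 (ok)
---
"""

if __name__ == "__main__":
    import sys
    for label, sample in (("direct", SAMPLE_DIRECT), ("via proxy", SAMPLE_VIA_PROXY)):
        print(f"{label}: {explain(parse_s_client_output(sample))}")
    if len(sys.argv) > 1:  # e.g. python3 check_mtls.py jamfadcs.example.com
        print(explain(probe(sys.argv[1])))
```

Run it with the connector's public host name as the argument from the same network a Mac would enroll from; if the verdict is "no client-certificate request seen" on a path you expected to be mTLS, the proxy in between is terminating TLS, which is exactly the situation described in the post.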

New Contributor II

I have not yet been able to make it work and if anyone can help it would be greatly appreciated. Thanks

Just curious if you made any progress on this. I am starting down the same path.

New Contributor III

Any update? I am really curious too.