Newly enrolled computer now have "JSS Built-In Signing Certificate" installed, normal?


Newly enrolled computers now have "JSS Built-In Signing Certificate" installed along with the Device Certificate AND the "Company Name Certificate Authority". Is this normal and is anyone else seeing it?


New Contributor III

It's normal! The JSS uses its own internal PKI for Mac clients, to enable certificate authentication. The "JSS Built-In Signing Certificate" is just the JSS' public key certificate, which lets clients can verify communications with the JSS (if enabled), and encrypt their communications when talking to the JSS.

For Mac clients, you have to use the internal PKI on the JSS - there's no other option. For Mobile Clients, the JSS can act as an SCEP proxy. Check the Admin Guide for details on that, if you want to set it up.