Requesting WiFi/VPN Certificates from Server via JAMF

stutz
Contributor

Does anyone else use JAMF to request a certificate for their WiFi/VPN environments? We are moving away from user authentication to machine authentication, and we need to be able to request certificates from our certificate server via a profile in JAMF.

Has anyone been successful in doing this?
Besides setting up an AD Certificate in JAMF (assuming that's all I need), are there any other settings I need to be aware of for this to work?
Where does the certificate get installed? Keychain Access?

I've been using this site as a reference, but it pertains to Profile Manager, which we obviously don't use:
http://support.apple.com/en-us/HT5357

4 REPLIES

daniel_behan
Contributor III

I was able to get this to work by packaging the profile I created in Profile Manager and then installing the profile via Casper. I like this method because in the past I've had machines on WiFi via Casper Configurations that lose their connection when they re-enroll due to the profile reinstalling.

davidacland
Honored Contributor II

We are using the full MDM method at a few of our sites, with the AD certificate and the WiFi payload in the same profile.

All OK once you get it working, but you definitely need the admin of the wireless network and the CA on your side (unless that's you!).

Odd symptoms we've seen when something is wrong:

  • Profile installs then disappears immediately - This was an error in the config (noted in the system log and JAMF log). It looked like a bug but was just user (or IT admin) error.
  • Lots of certificates building up in the keychain - If you change the settings of the profile it re-deploys to the client, which causes the client to get a new certificate, leaving the old one in the keychain. The main problem is that they are called the same thing. Someone has told me that there is an option on the certificate template to correct this but I haven't had a chance to look into it. We scripted a cleanup of all but the necessary (last valid) certificate in the keychain and ran it as a regular policy instead.

Other than that it all works like a charm (last tried on 10.9). I have heard of lots of people having new issues with 10.10, but that's another story.
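The keychain cleanup mentioned above, as an added example that is not code from the thread's authors: it lists every certificate in the System keychain whose common name matches the computer name (an assumption about how the AD Certificate template names machine certs), reads each one's expiry, and deletes all but the certificate that expires last. The `list_certs` function is macOS-specific (`security`, `openssl`, and BSD `date -j -f`); the selection logic in `stale_hashes` is plain awk so it can be checked offline on constructed input. `KEYCHAIN` and `CERT_CN` are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): remove duplicate machine
# certificates left behind when a re-deployed AD Certificate payload enrolls
# again. Assumes macOS, the System keychain, and that the template issues
# certificates whose common name is the computer name. Run as root via a
# Jamf policy. KEYCHAIN and CERT_CN are hypothetical names for this example.

KEYCHAIN="/Library/Keychains/System.keychain"
CERT_CN="${CERT_CN:-$(scutil --get ComputerName 2>/dev/null || echo unknown)}"
nl='
'

# Print "<sha1> <notAfter as epoch seconds>" for every certificate whose common
# name matches CERT_CN. `security find-certificate -Z -p` emits a SHA-1 line
# followed by the PEM block; each block is handed to openssl for its expiry,
# and BSD `date -j -f` (macOS only) converts that to epoch seconds.
list_certs() {
  security find-certificate -a -c "$CERT_CN" -Z -p "$KEYCHAIN" |
  while IFS= read -r line; do
    case "$line" in
      "SHA-1 hash: "*) sha="${line#SHA-1 hash: }" ;;
      "-----BEGIN CERTIFICATE-----") pem="$line" ;;
      "-----END CERTIFICATE-----")
        pem="$pem$nl$line"
        end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
        end="${end#notAfter=}"
        epoch=$(date -j -f "%b %e %T %Y %Z" "$end" +%s)
        printf '%s %s\n' "$sha" "$epoch"
        pem="" ;;
      *) if [ -n "$pem" ]; then pem="$pem$nl$line"; fi ;;
    esac
  done
}

# Read "<sha1> <epoch>" lines and print the hash of every certificate except the
# one that expires last (the one the WiFi/VPN payload should keep using).
# Pure text processing, so it can be exercised without a keychain.
stale_hashes() {
  awk '
    NF == 2 {
      n++; sha[n] = $1; notafter[n] = $2 + 0
      if (keep == 0 || notafter[n] > notafter[keep]) keep = n
    }
    END { for (i = 1; i <= n; i++) if (i != keep) print sha[i] }
  '
}

# Delete the stale duplicates by SHA-1 hash; --dry-run only lists them.
cleanup() {
  mode="$1"
  list_certs | stale_hashes | while read -r sha; do
    if [ "$mode" = "--dry-run" ]; then
      echo "would delete $sha"
    else
      security delete-certificate -Z "$sha" "$KEYCHAIN"
    fi
  done
}

# Only act when invoked with an explicit mode, so sourcing the file is harmless.
case "$1" in
  --dry-run|--delete) cleanup "$1" ;;
esac
```

Run it once with `sudo ./cert-cleanup.sh --dry-run` to confirm that only the older duplicates are listed before switching to `--delete`; because the keeper is chosen by latest expiry rather than by position in the keychain, it also behaves sensibly if the CA ever issues a shorter-lived certificate after a longer-lived one.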

KSchroeder
Contributor

Better late than never... but you can do this with the recent releases using the "AD Certificate" payload with Computer level set on the Options page of the profile.

I'm struggling with how to issue user certificates (X.509) from our MS ADCS PKI server. We could do this easily with AirWatch, though it has a very different approach (where the AW infrastructure server (ACC) proxies the certificate request to the PKI server on behalf of the user). I've created a User level profile and configured the AD Certificate payload with the PKI server, Issuing CA name, and the template name. I've tried setting the Username field to %username%, leaving it blank, and checking the "prompt for credentials" box, though that says it can't be used for pushed profiles. Do I just need to go back and RTFM?

szultzie
Contributor II

Sorry to resurrect an old thread, but I haven't been able to figure this out or find any documentation on it.

Is it possible to have Jamf use a Configuration Profile to request a certificate from a Windows CA for a Palo Alto VPN? I found a Palo Alto write-up on how to do it manually, but my CA admin says they would have to create a different cert for each computer based on those directions.

I assume the way this would work is that the Mac requests the cert based on a template.

So I just wanted to see if anybody has done this and it's working for them with no major issues. I need to be able to do this machine based as well, not user based. Also, do the Macs have to be joined to AD?