SCEP setup with Dynamic-Microsoft CA not working

LangStefan
New Contributor III

Hey all,

We have SCEP running with a configuration profile and the challenge type set to static. That's working for us.
But we want to change the challenge type to Dynamic-Microsoft CA.

When changing it to Dynamic-Microsoft CA, we run into the known PI-005716 and the config file stays on pending.

Does anyone have an idea what needs to be done to make the setup run with the dynamic setting? The configuration on Jamf is easy going for me. But do we also need to change a setting on the CA? I can't find any documentation on that.


plannue
New Contributor

We have this working. One of the hang-ups we ran into... Depending on the number of iPads you're pushing certs to, you'll want to increase the number of cached passwords that the SCEP server holds onto, to give JAMF enough time to use the passwords.

We found that JAMF pushes the certs nearly immediately, so the default of 5 cached passwords is not enough and NDES will freeze any additional requests after the initial 5. We increased the maxpasswords amount to 100, which is working so far... see this IBM doc on the process: https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/ce_source/tasks/ce_ca_increase_pw_ndes.htm
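Added example, not code from the thread, Jamf or Microsoft: a script to inspect and raise the NDES challenge-password cache described in the reply above. It is meant to be run in an elevated PowerShell session on the NDES server. The registry path and the PasswordMax / PasswordValidity value names are the standard MSCEP settings; the target numbers and the IIS restart step are assumptions for this example.

```powershell
# Added example (not from the thread): inspect and raise the NDES one-time
# challenge cache. Run elevated on the NDES server.
$NdesKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-NdesPasswordCacheSettings {
    # Reports the effective cache size and validity window. A missing value means
    # NDES is running on its built-in default (5 cached passwords, 60 minutes).
    $props = Get-ItemProperty -Path $NdesKey -ErrorAction SilentlyContinue
    $max      = if ($null -ne $props.PasswordMax)      { [int]$props.PasswordMax }      else { 5 }
    $validity = if ($null -ne $props.PasswordValidity) { [int]$props.PasswordValidity } else { 60 }
    [pscustomobject]@{
        PasswordMax          = $max
        PasswordValidity     = $validity
        ConfiguredInRegistry = ($null -ne $props.PasswordMax)
    }
}

function Set-NdesPasswordMax {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 10000)][int]$Max,
        [ValidateRange(1, 1440)][int]$ValidityMinutes = 60
    )
    # PasswordMax: how many unused one-time challenges NDES keeps in memory at once.
    # PasswordValidity: minutes before an unused challenge expires.
    # When the cache is full, NDES refuses to hand out new challenges until one is
    # consumed or expires; that is the "freeze after the initial 5" behaviour above.
    if (-not (Test-Path $NdesKey)) {
        throw "NDES registry key '$NdesKey' not found; is the NDES role installed here?"
    }
    if ($PSCmdlet.ShouldProcess($NdesKey, "Set PasswordMax=$Max, PasswordValidity=$ValidityMinutes")) {
        Set-ItemProperty -Path $NdesKey -Name 'PasswordMax'      -Value $Max             -Type DWord
        Set-ItemProperty -Path $NdesKey -Name 'PasswordValidity' -Value $ValidityMinutes -Type DWord
        # Assumption: NDES reads these values at start-up, so recycle IIS to apply them.
        iisreset | Out-Null
    }
    Get-NdesPasswordCacheSettings
}

# Usage. 100 is the value the reply above reported as working; size it to the
# number of devices you expect to enrol within one validity window.
Get-NdesPasswordCacheSettings
Set-NdesPasswordMax -Max 100 -WhatIf      # preview the change
# Set-NdesPasswordMax -Max 100            # apply it
```

Sizing note: the cache only needs to cover the number of devices that will request a challenge inside one PasswordValidity window, so raising the validity period is an alternative to a very large PasswordMax; either way, each unused entry is a live credential sitting in memory on the NDES host, so do not set it higher than the enrolment burst you actually expect.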

bcbackes
Contributor III

I've been trying to set this up in my DEV environment and have the configuration profile scoped to two Macs. Both show pending and don't change. I have a ticket open with Jamf trying to find out why the profile shows "pending" in Jamf Pro and won't install. Haven't been able to find the reason why it won't install the profile. Macs I'm testing on are running Mojave and Catalina.

unclekev
New Contributor II

I had managed to get SCEP working with the Dynamic Microsoft CA after struggling for a long time with it, but then our cloud instance was updated to 10.26.0 and ever since then it has stopped working and has the same issue you describe above (profiles stuck in pending state).

According to our Microsoft guys who looked at the IIS logs on the NDES server, the JAMF server started sending invalid requests shortly after our cloud instance was upgraded on the weekend of the 12th of December.

Wonder if anyone else had it working and it broke after that update.

MatG
Contributor III

PI-005716 is still open, almost two years since this thread was started.
Any workarounds?

PhillyPhoto
Valued Contributor

Putting this out there in case anyone else is having this issue. We had a call with our account rep last week and we got the diagram below. It's for using Jamf as the SCEP proxy, but we're using an Azure App Proxy, so only steps 3 & 4 are relevant.

[Image: SCEPProxy.png]

We have a Jamf cloud instance and the important takeaway was that the Jamf server needs to be able to talk to the NDES server to handle the dynamic challenge. It then injects the one-time-use code into the profile before delivering it to the Mac, which then runs the CSR steps (5-7). Our testing had all been using our internal DNS URLs and as soon as we switched to our Azure App Proxy it worked!
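Added example, not code from the thread or from Jamf: a reachability check for the path the reply above describes, i.e. whether the host that will fetch dynamic challenges on Jamf's behalf (the proxy host, or any machine outside the internal network standing in for the cloud tenant) can resolve, connect to and authenticate against the NDES admin endpoint over the published name. The host name, port and credential are placeholders; the `/certsrv/mscep_admin/` path is the standard NDES admin URL, and the text it matches on is an assumption about the page's wording.

```powershell
# Added example (not from the thread): verify the challenge-fetch path to NDES.
# Run from the host that will request one-time challenges, NOT from inside the
# network that already resolves the internal DNS name.
function Test-NdesChallengeEndpoint {
    param(
        [Parameter(Mandatory)][string]$NdesHost,          # placeholder, e.g. ndes.example.com
        [Parameter(Mandatory)][pscredential]$Credential,  # account allowed to request challenges
        [int]$Port = 443
    )
    $result = [ordered]@{
        Host = $NdesHost; Resolves = $false; PortOpen = $false
        HttpStatus = $null; ChallengeReturned = $false
    }

    # 1. Name resolution over the resolver this host actually uses. The reply above
    #    failed exactly here: internal DNS names are invisible to a cloud tenant.
    try {
        $null = Resolve-DnsName -Name $NdesHost -ErrorAction Stop
        $result.Resolves = $true
    } catch { }

    # 2. TCP reachability on the published port (proxy or firewall rule present?).
    $tcp = Test-NetConnection -ComputerName $NdesHost -Port $Port -WarningAction SilentlyContinue
    $result.PortOpen = [bool]$tcp.TcpTestSucceeded

    # 3. The admin page that hands out one-time challenges. Every successful request
    #    consumes one slot of the NDES password cache (PasswordMax), so run this as a
    #    one-off check, never in a monitoring loop.
    $url = "https://${NdesHost}:${Port}/certsrv/mscep_admin/"
    try {
        $resp = Invoke-WebRequest -Uri $url -Credential $Credential -UseBasicParsing `
                                  -TimeoutSec 20 -ErrorAction Stop
        $result.HttpStatus = $resp.StatusCode
        # Assumption: the admin page body mentions "challenge password" when it issues one.
        $result.ChallengeReturned = [bool]($resp.Content -match 'challenge password')
    } catch {
        # 401 = authentication not accepted (check auth scheme on the proxy),
        # 403 = reached but blocked, $null = never got an HTTP answer at all.
        $result.HttpStatus = $_.Exception.Response.StatusCode.value__
    }
    [pscustomobject]$result
}

# Usage (placeholder host; you will be prompted for the NDES request account):
Test-NdesChallengeEndpoint -NdesHost 'ndes.example.com' -Credential (Get-Credential)
```

Reading the result: Resolves = false reproduces the internal-DNS mistake from the reply; PortOpen = false with Resolves = true points at the proxy or firewall; an HttpStatus of 401 with the port open usually means the proxy is not passing the authentication scheme NDES expects; only ChallengeReturned = true means the full dynamic-challenge path works end to end.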