Smart group based on user Certificate

Captainamerica
Contributor II

Is it possible to make a smart group based on a certificate?

We are applying user certificates through ADCS, but often I see that the certificates, for whatever reason, just are not installed on the user's computer.

Each user of course has a different user certificate, but is it possible to still create a group based on, e.g., the SAN, and just look for whether any certificate exists that ends with @domain.com?


mm2270
Legendary Contributor III

Certificates are already natively captured in Jamf Pro, including user certificates, assuming the user is typically logged in when inventory occurs.
You can use them in Advanced Searches and Smart Groups. Just make sure you are looking at Advanced Criteria and choose "Certificate Name".
As for the text to input, you can use a regex match string or just use the "not like" operator and put in part of the certificate name. I would probably look at one of the machines with the proper cert in place on it to see how that particular certificate shows up, just to be sure you're using the right string to search for.
That should work for the most part for you to gather devices together that have the cert, or if you want to do the reverse, look for machines that do not have the cert installed.

Captainamerica
Contributor II

Thanks. Actually, I wrote some wrong information in my initial post.
The issue is that the user certificate is like Firstname Lastname(user initials), so there is no @domain.

Is there any way to filter this out? I don't know if you can somehow specify in smart groups that all certificates that have (%) are listed, as this would then show the user certs. Basing the smart group on first name, last name and initials doesn't make sense as they are all different, so it is only the (-) that maybe can be used as a trigger.

mm2270
Legendary Contributor III

@Captainamerica In that case, you may want to look at creating an Extension Attribute that looks at the installed certificates and greps for one that matches the primary user of the Mac, or whoever is logged in, to see if it matches, and if it finds one, reports back with a Yes or True or something like that.
Of course, that's assuming it actually matches their username. From the name format you mention above, I guess there's a possibility it doesn't match. But you would know for sure if that's the case or not.

Captainamerica
Contributor II

OK, will try and do some searching on this, as my scripting skills are far away from creating something like that :(

mm2270
Legendary Contributor III

OK, well, can you tell me if the usernames and certificate names are matching? Meaning, if a user name is something like "johndoe" does the certificate for them have the same name? If so, then this won't be that hard. If they aren't the same it will be trickier. And whether it's even possible to work around may depend on whether the Macs are joined to AD or something where lookups against their username can happen to locate what might be the name of the certificate.
I don't mind helping you write a script, but I know nothing about your environment, so it's a little hard to make any recommendations.

Captainamerica
Contributor II

@mm2270

Sorry, I have never seen this update, as I never managed to find a solution.

Just to put up an example:
The user name to log in on the Mac is jdoe.

If you check the certificate, it appears as John Doe(jdoe).

Can you do something with that?

KRIECCO
Contributor

@mm2270 Was this ever solved? I could use a similar option.

We base our certificates on Jamf information that is in the backend for each client, so a username like jdoe and full name John Doen.
The certificate in the keychain will then look like John Doen(jdoe).
But I am also looking for a way to find out if clients are missing their certificate.
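Putting mm2270's Extension Attribute suggestion together with the "Full Name(username)" label format given in the two posts above, here is an added example of such an EA script (not code from the thread or from Jamf). It assumes the certificate label ends with the literal text (username) and lives in the console user's login keychain; the check itself is a separate function fed with the text of `security find-certificate -a`, so it can be tried on any machine using the constructed sample dump.

```bash
#!/bin/bash
# Jamf Pro Extension Attribute (added example): reports Yes when the console
# user's certificate "Full Name(username)" is in their login keychain, No when
# it is missing, and Unknown when no user is logged in or this is not macOS.
# A smart group can then be built on the EA value "No" to find clients
# that are missing their certificate.

# Pure check: $1 = username, $2 = output of `security find-certificate -a`.
# Each certificate in that output has a line like  "labl"<blob>="John Doe(jdoe)"
# The parentheses anchor the match, so user "doe" does not match "(jdoe)".
cert_present_in_dump() {
    user="$1"; dump="$2"
    if printf '%s\n' "$dump" | grep -F '"labl"<blob>="' | grep -qF "(${user})\""; then
        echo "Yes"
    else
        echo "No"
    fi
}

# Constructed sample of the relevant lines, for trying the check offline.
SAMPLE_DUMP='keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
attributes:
    "labl"<blob>="com.apple.idms.appleid.prd.example"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
attributes:
    "labl"<blob>="John Doe(jdoe)"'

# Real-Mac path: find the console user and dump their login keychain.
# The EA runs as root, so the keychain file is passed explicitly; reading
# certificate attributes does not require the keychain to be unlocked.
ea_result() {
    command -v security >/dev/null 2>&1 || { echo "Unknown"; return 0; }
    user=$(stat -f '%Su' /dev/console 2>/dev/null)
    case "$user" in ""|root|loginwindow) echo "Unknown"; return 0 ;; esac
    home=$(dscl . -read "/Users/${user}" NFSHomeDirectory 2>/dev/null | awk '{print $2}')
    kc="${home}/Library/Keychains/login.keychain-db"
    [ -f "$kc" ] || { echo "Unknown"; return 0; }
    dump=$(security find-certificate -a "$kc" 2>/dev/null)
    cert_present_in_dump "$user" "$dump"
}

# Jamf reads the EA value from the <result> tags.
echo "<result>$(ea_result)</result>"
```

Before relying on it, run `security find-certificate -a ~/Library/Keychains/login.keychain-db | grep labl` on a Mac that has the certificate, as mm2270 advised, to confirm the label really ends with (username).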