Supporting Strong Certificate Mapping for Computer Records Jamf Pro

Rick_Goody_Jamf
New Contributor II

Challenge - Using computer-based certificate authentication after Microsoft's implementation of Strong Certificate Mapping, while leveraging AD CS, requires some extra steps to gather computer information from Active Directory.


As per the Jamf tech document Supporting Microsoft Active Directory Strong Certificate Mapping Requirements, Microsoft moved to full enforcement of its changes on 11 February 2025.

That article provides detailed guidance on how to meet the new requirements from Microsoft.

The method described there, an LDAP extension attribute, works well for user-based certificates: the inventory (recon) lookup pulls the SID of the user, not of the computer.

There is also no way to query computer records through the Entra ID or LDAP connection, because the Inventory Update LDAP connection only queries user information.


When a Mac is bound to Active Directory, a computer record is created that contains the SID required by the new Strong Certificate Mapping rules. That SID is the value that needs to be placed in the AD CS or SCEP certificate.

Here is the process I would like to share to resolve this challenge, especially for a Mac that may not always be in the office.

Script to collect the Computer SID
Create a Jamf Pro Script
Settings > Computer Management > Scripts
Display Name Suggestion - AD Computer SID Collection.sh

#!/bin/bash

## An internal host that answers ping only from the corporate network (directly or over VPN).
## It is used to check that the Mac can reach internal resources such as a domain controller.
host="internal.host"

## The Active Directory domain node name as it appears under /Active Directory in dscl
## (usually the short NetBIOS name shown in the binding, e.g. `dscl localhost -list "/Active Directory"`)
domainname="DOMAINNAME"

## Check whether the internal host is reachable (macOS ping: -t is a timeout in seconds)
if ping -c 1 -t 3 "$host" > /dev/null 2>&1; then
	# Connection to the internal host is possible
	echo "Connected to company network"
	check4AD=$(dsconfigad -show | awk -F'=' '/^[[:space:]]*Active Directory Domain[[:space:]]*=/ {print $2}')
	check4AD=${check4AD//[[:space:]]/}
	echo "Found AD: $check4AD"
	check4ADacct=$(dsconfigad -show | awk -F'=' '/^[[:space:]]*Computer Account[[:space:]]*=/ {print $2}')
	check4ADacct=${check4ADacct//[[:space:]]/}

	## Read the computer record from the AD node in DSCL to get the computer SID
	SMBSID=$(dscl "/Active Directory/$domainname/All Domains" -read "/Computers/$check4ADacct" SMBSID | awk -F': ' '/^SMBSID:/ {print $2}')
	echo "Found AD-Account: $check4ADacct $SMBSID"

	## Only record a value that looks like a domain account SID (S-1-5-21-<domain>-<RID>).
	## If the read failed, leave the file absent so the Mac stays in the "missing SID"
	## smart group and the policy retries at the next check-in.
	sidpattern='^S-1-5-21(-[0-9]+){3}-[0-9]+$'
	if [[ "$SMBSID" =~ $sidpattern ]]; then
		## Write the computer SID to a hidden file for the extension attribute to read
		echo "$SMBSID" > /Users/Shared/.SMBSID
	else
		echo "No valid computer SID read from AD; nothing written"
	fi

else
	# Internal host not reachable
	echo "Connected to external network"
fi

Extension Attribute to read the output of the Script

Create a Computer Extension Attribute that reads the file written by the script when it completes successfully
Settings > Computer Management > Extension attributes
Display Name Suggestion - AD Computer SID

#!/bin/bash

## Read the first line of the hidden file written by the collection script

if [[ -f /Users/Shared/.SMBSID ]]; then
	SMBSID=$(head -n 1 /Users/Shared/.SMBSID)
	echo "<result>$SMBSID</result>"
else
	echo "<result>No AD-Computer found</result>"
fi

Smart group for checking computers with a missing or successful computer SID

You will want to create a smart group so you can target devices once this process is complete, and also identify the devices that still need attention or may have issues.

In this example, we are checking for devices that are bound to your Active Directory domain and missing a valid SID. Based on testing, a domain computer SID should start with "S-1-5-21"; however, it is recommended you confirm this in your environment.

[Screenshots: smart group criteria (AD bound, extension attribute does not start with S-1-5-21)]


Policy to run the Computer SID Collection Script

You will need to run this script on all your Macs that require a computer SID, i.e. the smart group created above containing all devices missing a computer SID.

Because the policy is scoped to that smart group, a computer drops out of scope once the SID is collected and the policy stops running on it. The computer record does not change until the Mac is wiped and re-bound, so the script only needs to succeed once per computer. The policy is set to run ongoing because a Mac may not be in the office or able to reach the AD domain to read its computer SID, so it keeps trying until it succeeds.


Create a new Computer Policy
General - Display Name - Collect AD Computer SID
General - Trigger - Recurring Check-in
General - Execution Frequency - Ongoing or Once Per Day
Add the Script as created earlier
Add Maintenance - Update Inventory
Scope to Target Smart Group - AD Bound With Missing SID


Now that the computer SID has been collected, you can create a new certificate configuration profile with the SAN URI tag:microsoft.com,2022-09-14:sid:$EXTENSIONATTRIBUTE_1 (substitute the ID number of the extension attribute you created), as described in the original Jamf tech document Supporting Microsoft Active Directory Strong Certificate Mapping Requirements.
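The collection script above shells out to dsconfigad and dscl and trusts whatever comes back; the smart group step then relies on the value starting with S-1-5-21, and the final step pastes it into the SAN URI. The block below is an added example (not part of the original post) that separates those pieces into testable functions: parsing the two tool outputs, rejecting anything that is not a domain account SID before it is written to disk, and formatting the SAN URI. The SAMPLE_DSCONFIGAD and SAMPLE_DSCL strings are constructed to mimic the real tool output with a hypothetical domain and computer name, so it runs on any machine without an AD binding; in production they would be replaced by the live `dsconfigad -show` and `dscl ... -read` calls.

```shell
#!/bin/bash
# Added example, not from the original post. Parses the values the collection
# script needs, validates the SID before it is cached, and builds the SAN URI.

# Constructed sample of `dsconfigad -show` output (hypothetical names).
SAMPLE_DSCONFIGAD='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-1234$
'

# Constructed sample of `dscl "/Active Directory/CORP/All Domains" -read /Computers/mac-1234$ SMBSID`.
SAMPLE_DSCL='SMBSID: S-1-5-21-1111111111-2222222222-3333333333-4567
'

# Print the value of a "Key = Value" line from dsconfigad output read on stdin.
# Matching the key at the start of the line keeps "Active Directory Domain"
# from also matching "Active Directory Forest" or any advanced-option line.
ad_field() {
    awk -F'=' -v key="$1" '
        { sub(/^[ \t]+/, "") }
        index($0, key) == 1 { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    '
}

# Print the SMBSID attribute from `dscl ... -read` output read on stdin.
dscl_sid() {
    awk -F': ' '$1 == "SMBSID" { print $2; exit }'
}

# A domain account SID has the shape S-1-5-21-<d1>-<d2>-<d3>-<RID>. An empty
# read, a well-known SID such as S-1-5-18, or an error message from dscl must
# never be cached, or the Mac would drop out of the "missing SID" smart group
# with a value that maps to nothing (or to the wrong principal).
is_domain_sid() {
    printf '%s' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3}-[0-9]+$'
}

# Resolve the computer account and its SID from the two captured outputs.
# Prints the SID on success; returns non-zero if either step fails validation.
collect_sid() {
    local dsconfigad_out="$1" dscl_out="$2" account sid
    account="$(printf '%s' "$dsconfigad_out" | ad_field 'Computer Account')"
    [ -n "$account" ] || return 1
    sid="$(printf '%s' "$dscl_out" | dscl_sid)"
    is_domain_sid "$sid" || return 1
    printf '%s' "$sid"
}

# Write the SID to the cache file only when it validates. The file is created
# world-readable (as in the original) since the SID is not a secret and the
# extension attribute runs as root anyway.
write_sid_file() {
    local sid="$1" path="$2"
    is_domain_sid "$sid" || return 1
    umask 022
    printf '%s\n' "$sid" > "$path"
}

# The URL-form strong mapping Microsoft accepts in the certificate SAN.
san_uri() {
    printf 'tag:microsoft.com,2022-09-14:sid:%s' "$1"
}

# Stand-alone demo against the constructed samples.
sid="$(collect_sid "$SAMPLE_DSCONFIGAD" "$SAMPLE_DSCL")" && echo "SID: $sid  SAN URI: $(san_uri "$sid")"
```

If you fold this into the Jamf script, keep the validation before the write: the original writes the file even when dscl returns nothing, which produces an empty extension attribute and hides the failure from the smart group.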
