User Certificate - configuration profile

Captainamerica
Contributor II

We have set up ADCS, and for machine certificates it works fine.
Our setup is that we have no LDAP setup and Macs are not bound to AD (using Nomad).
We also want users to be able to assign user certificates. But as we have no user assigned to the machine in Jamf and are only using local accounts, the certificate must be pushed out to the logged-in user.

As far as I can read in the configuration profile's certificate payload, it should be possible to use "user level". Can anyone confirm whether this can work, as I cannot find much info on this?

7 REPLIES

whitebeer
Contributor

I am also facing the same question with the same facts 👍

jameson
Contributor II

Does anyone have some input on this?

jameson
Contributor II

Seems like Nomad has some option with certificates. However, it is not what I can use, as it is somehow wrapped into a private key in login items, and not as a real user certificate in the system keychain.

Captainamerica
Contributor II

Have just tried the following setup.

But nothing happens on the client, and when checking the log for the configuration policy it is just empty with no information, even though it is scoped to computers?

When checking the server logs, the following is listed (don't know if this has to do with the actual policy):
2018-12-06 13:04:29,572 [WARN ] [na-exec-132] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob

bassic
New Contributor III

Hi @Captainamerica did you get anywhere with this? I am having the same issue...

mlambert
New Contributor III

Anyone end up finding a solution for this?

daniel_behan
Contributor III

Is the cert not being installed, or is the Configuration Profile not being applied? User-based Configuration Profiles get assigned to an MDM Capable User, which is where things get tricky. JAMF automatically enables domain/mobile accounts as being MDM Capable, but Apple suggests local accounts and using tools like JAMF Connect, Nomad, Enterprise Connect or the Kerberos SSO Extension to sync local and network accounts.