Using Jamf Pro as subordinate CA

__AMM
New Contributor II

Hi all,

We have an on-prem Microsoft certification authority server whose credentials are essential for connecting to Wi-Fi and VPN, and we want to install these certificates on Macs run by Jamf Pro.

The security requirement is not to open the local CA server to the Internet.

And my question: is there a way Jamf can issue the certificates for the Mac instead of the local CA? (subordinate CA)

Or is there another way to do it without making the local server accessible from the Internet?


If that can help, we have Azure and Intune.

Thanks. 🙏

sdagley
Esteemed Contributor II

@__AMM Take a look at the Jamf AD CS Connector, it allows you to deliver certificates via Jamf Pro. There's also an option to integrate with a Venafi system if you're using that for certificate management.

__AMM
New Contributor II

Hi @sdagley 

This Connector requires opening the on-prem server to the Internet, which I'm trying to prevent.

sdagley
Esteemed Contributor II

@__AMM Is your JSS Jamf Cloud hosted, or on-prem? Only the AD CS server has to be open to the Internet and only to your Jamf Cloud instance if the former. For the latter the connectivity would be entirely within your network. Or at least that's how the Venafi integration works.

__AMM
New Contributor II

@sdagley Cloud hosted. Where can I see the address and ports that should be open to the Internet?

sdagley
Esteemed Contributor II

@__AMM Jamf has a couple of KB articles you'd want to look at for that info:

Permitting Inbound/Outbound Traffic with Jamf Cloud

Network Ports Used by Jamf Pro

SCCM
Contributor III

@__AMM If you want no servers on-prem exposed to the Internet, you can't use AD CS. This is just another server which you can install on-prem and which connects to your cert servers / Jamf Cloud. It won't work from a DMZ if they are behind F5s. If your network / cyber team can get it to work via a DMZ you might be OK to use it. Jamf itself can't work as a CA; you need it to link to one if you're trying to do 802.1X.

__AMM
New Contributor II

Thanks @SCCM. Can you explain more why installing AD CS in a DMZ will not work if there is an F5?

SCCM
Contributor III

@__AMM It will work, but there are other things to consider; have a read of this: Installing and troubleshooting the Jamf ADCS connector - Travelling Tech Guy
AD CS Connector Experience, Tips, and Lessons Lear... - Jamf Nation Community - 177003
If, however, you don't want to open things to the web, it might get rejected.