- Jamf Nation Community
- Products
- Jamf Pro
- Re: Using Jamf Pro as subordinate CA
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Using Jamf Pro as subordinate CA
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-18-2021 04:25 AM
Hi all,
We have a on-prem Microsoft certification authority server whose credentials are essential for connecting to wifi and VPN and we want to install these certificates on Macs run by Jamf Pro.
The security requirements is not to open the local ca server to the Internet.
And my question, is there a way Jamf can issue the certificates for the mac instead of the local ca? (subordinate CA)
Or, Or is there another way to do it without making the local server accessible from the Internet?
If that can help, we have Azure and Intune.
Thanks. 🙏
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-18-2021 08:49 AM
@__AMM Take a look at the Jamf AD CS Connector , it allows you to deliver certificates via Jamf Pro. There's also an option to integrate with a Venafi system if you're using that for certificate management.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-18-2021 08:52 AM
Hi @sdagley
This Connector requires opening the on-prem server to Internet, which I try to prevent.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-18-2021 08:59 AM - edited 11-18-2021 08:59 AM
@__AMM Is your JSS Jamf Cloud hosted, or on-prem? Only the AD CS server has to be open to the Internet and only to your Jamf Cloud instance if the former. For the latter the connectivity would be entirely within your network. Or at least that's how the Venafi integration works.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-18-2021 11:52 AM
@sdagley Cloud hosted. Where can I see the address and ports that should be open to the Internet?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-18-2021 12:59 PM
@__AMM Jamf has a couple of KB articles you'd want to look at for that info:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-18-2021 09:54 AM
@__AMM if you want no servers on prem exposed to the internet, you cant use AD CS, this is just another server whcih you can install on prem which connects to your cert servers / jamf cloud. It wont work from a DMZ if they are behind f5's. If your network / cyber team can get it to work via a dmz you might be ok to use it. jamf itself cant work as a CA you need it to link to one if your trying to do 802.1x
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-18-2021 11:56 AM
Thanks @SCCM . Can you explain more why installing AD CS in DMZ will not work if there is f5?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-19-2021 01:25 AM - edited 11-19-2021 01:27 AM
@__AMM it will work, but other things to consider have a read of this: Installing and troubleshooting the Jamf ADCS connector - Travelling Tech Guy
AD CS Connector Experience, Tips, and Lessons Lear... - Jamf Nation Community - 177003
If however you dont want to open things to the web it might get rejected
