Using signed third-party CA certificate during User-initiated enrolment

jwstyles
New Contributor II

Hi there,

We are using a managed Jamf Cloud instance and are looking at enrolling our iOS devices into our Jamf Cloud MDM using user-initiated enrolment.

During this enrolment, the step following authentication prompts the user to install a Trust Profile containing the JSS Built-in Certificate Authority certificate, which is self-signed. This is (we believe?) then used to sign configuration profiles that are pushed to these devices, as well as the MDM profile. Once the JSS Built-in Certificate Authority certificate is installed, the MDM profile is pushed down and has a green "verified" tag, as it has been signed by the newly installed JSS Built-in Certificate Authority cert.

Our problem is that since the JSS Built-in Certificate Authority cert is self-signed, it is showing as "unverified" (in scary red letters) when it is first presented.

On our Jamf Cloud server, we see the following option in Global Management > User-Initiated Enrolment:

Use a third-party signing certificate
Ensure that the certificate signs configuration profiles sent to computers and mobile devices, and appears as verified to users during user-initiated enrollment.

This gives us the option to upload a .p12 certificate which will presumably be bundled into the Trust Profile during the user-initiated enrolment.

Our question is: Can we use a certificate signed by a trusted third party in this way so that the certificate in the Trust Profile is labelled as "Verified" (in reassuring, non-threatening green letters)?

Just wondering if anyone here has any experience with this - we are unsure what type of certificate would be required here. Is it just a basic/standard SSL certificate? Should we use a code signing certificate? Are there any special considerations/values required when generating the certificate? Are there any additional steps required to ensure that this new certificate signs the configuration profiles, etc.?

Any clarity or guidance on this would be immensely appreciated!!


eric_shrimer
New Contributor

Have you figured out what's needed to use a third-party signing certificate? I'm in the same boat at the moment... I want to have everything verified before the user installs the MDM profile.

chrismarciante
New Contributor

Working with Jamf support on this same issue. I have not yet been able to resolve it.
So far I have purchased an SSL cert from GoDaddy (shouldn't matter as long as it's a trusted CA).

Used this to create a CSR and private key pair:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Generated the cert in GoDaddy using the CSR above

Downloaded the cert, which contains 3 files (1st crt, pem, and 2nd crt, but bundled both files).

Used the following to create the p12:

openssl pkcs12 -export -out YOURCERT.p12 -inkey privateKey.key -in YOURCERT.pem

Was prompted to choose a password and boom, p12 made.
I imported this p12 into Keychain Access and confirmed it is being shown as "Verified", all green and looking good.

Uploaded this p12 into Jamf Pro > Settings > Global Management > User-Initiated Enrollment > Use a third-party signing certificate (which then asked for the password).

Saved the settings in Jamf Pro.
Took an iOS device that is not enrolled and used an invitation link to enroll, and it is still showing as Unverified in red.

Have you been able to get this working?
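One check worth running on the .p12 before uploading it, as an added example that is not part of the thread and not Jamf's or GoDaddy's own tooling: confirm that the file actually carries the intermediate certificate(s) and that the leaf chains to the root using only what is inside the .p12. Note that "openssl pkcs12 -export -in" includes every certificate found in the -in file, so whether the thread's one-liner shipped the chain depends on what YOURCERT.pem contained; the posts do not say, and the script below does not claim that this was the cause of the red "Unverified". The root, intermediate and leaf it generates are a constructed stand-in for the public CA (with a real certificate you would skip that part and use the vendor's bundle), and the password "demo", the file names and the subject names are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a signing .p12 with and
# without the intermediate, then checks offline what each one can prove.
# The root/intermediate/leaf below are a CONSTRUCTED stand-in for the public
# CA. The password "demo" and all file names are assumptions.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# --- Constructed CA hierarchy: root -> intermediate -> leaf ----------------
openssl req -x509 -config demo.cnf -extensions ca_ext -days 30 \
    -subj "/CN=Demo Root CA" -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt 2>/dev/null

openssl req -new -config demo.cnf -subj "/CN=Demo Intermediate CA" \
    -newkey rsa:2048 -nodes -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 30 -extfile demo.cnf -extensions ca_ext \
    -out intermediate.crt 2>/dev/null

# Same shape as the thread's CSR step, just with the config pinned.
openssl req -new -config demo.cnf -subj "/CN=profile-signing.example.com" \
    -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 30 -extfile demo.cnf -extensions leaf_ext \
    -out leaf.crt 2>/dev/null

# --- Two ways to export the .p12 -------------------------------------------
# 1) leaf + intermediate, added explicitly with -certfile ("-in" also takes
#    every certificate in the file, so a bundled PEM gives the same result)
openssl pkcs12 -export -out signing-full.p12 -inkey leaf.key -in leaf.crt \
    -certfile intermediate.crt -passout pass:demo
# 2) leaf only: what you get when the PEM handed to -in holds just the leaf
openssl pkcs12 -export -out signing-leaf-only.p12 -inkey leaf.key -in leaf.crt \
    -passout pass:demo

# Number of certificates a .p12 carries (leaf plus any bundled chain).
# Usage: p12_cert_count FILE PASSWORD
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if the leaf inside the .p12 chains to ROOT using nothing but
# the intermediates the .p12 itself carries, i.e. what a device that trusts
# ROOT and receives this .p12's certificates could verify.
# Usage: p12_chain_ok FILE PASSWORD ROOT
p12_chain_ok() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        > "$1.leaf.pem"
    openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" 2>/dev/null \
        > "$1.chain.pem"
    openssl verify -CAfile "$3" -untrusted "$1.chain.pem" "$1.leaf.pem" \
        >/dev/null 2>&1
}

for f in signing-full.p12 signing-leaf-only.p12; do
    if p12_chain_ok "$f" demo root.crt; then v=chains-to-root; else v=BROKEN-CHAIN; fi
    echo "$f: $(p12_cert_count "$f" demo) certificate(s), $v"
done
# Prints: signing-full.p12: 2 certificate(s), chains-to-root
#         signing-leaf-only.p12: 1 certificate(s), BROKEN-CHAIN
```

Two caveats. The check above uses the demo root as the trust anchor; with a real certificate, substitute the CA's published root, and remember that it only tells you what the .p12 carries, not how a given iOS build will display the profile. And if the .p12 is built with OpenSSL 3, which defaults to AES-256/PBKDF2 encryption, some older Keychain Access versions refuse to import it; adding "-legacy" to the "pkcs12 -export" command produces the older encoding.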

@chrismarciante did you end up getting this worked out with JAMF support?

I'm guessing the GoDaddy CA or something else in the certificate chain wasn't trusted.  Did you ever resolve it?

fleish
New Contributor II

This works fine for me once you check the "Skip certificate installation" box which should not be needed for a publicly verifiable certificate.