Posted on 08-31-2018 09:10 AM
I read through the documentation and could not find the PURPOSE of such an installation.
I'm assuming, from the name alone, it allows me to deploy root certificates from Active Directory? Is that all it does?
Posted on 08-31-2018 10:50 AM
All? It's p significant for many.
http://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Install_the_Jamf_AD_CS_Connector.html
Posted on 08-31-2018 01:18 PM
It is for deploying 802.1x machine certificates issued from an AD CA without the device having to contact the AD CA directly. Jamf Pro would instead "proxy" the certificate request via the AD CS connector which talks to the AD CA.
If you don't use AD certs, then this wouldn't apply to you.
Posted on 08-31-2018 09:11 PM
Thanks. I have been at the link above many times ... but never clicked "Introduction". Duh
Thanks.
http://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Overview.html
"Jamf Pro allows you to add Active Directory Certificate Services (AD CS) as a PKI Provider in Jamf Pro. This allows you to use AD CS as the certificate authority (CA) for distributing certificates to computers and mobile devices via configuration profiles. "
Posted on 09-03-2018 06:55 AM
I have read through the documentation, but can't seem to figure out how AD CS Connector compares to the SCEP Proxy feature.
Can anyone explain to me the different use cases they solve, or are they identical in usage?
Thanks in advance.
Posted on 09-05-2018 03:49 AM
@Jesper You would use the AD CS connector if your organization uses certs generated by AD and doesn't have SCEP or NDES enabled. To the client, there's not much difference between AD CS and SCEP. AD CS essentially replaces the AD profile payload and gets around the need for the client to be bound AND the need for the client to be able to reach AD directly when the 802.1x profile is installed, much like the SCEP proxy payload.
Posted on 09-05-2018 04:02 AM
@patgmac Thanks for the explanation.
Sounds like I am better off using the JIM AD CS connector then, instead of setting up a JIM NDES + SCEP proxy.
I am about to setup the JIM anyway for LDAP proxy.
Do you know if the same JIM instance can be used for both LDAP proxy and AD CS?
Thanks.
Posted on 09-05-2018 04:14 AM
@Jesper No, the JIM is for LDAP only. You would still need an AD CS connector. I don't believe they can run on the same box, but I'm not 100% sure. Our recent meeting for migrating to Jamf Cloud with our Jamf SE planned for having them separate, but I don't know if that was a technical requirement or just best practice. Either way, we didn't want a single box handling both if we didn't have to.
Posted on 09-05-2018 04:30 AM
@patgmac I see my "plus-signs" were converted to underline :-)
I get the overall picture now, and I can always verify best practice with Jamf.
Thanks again.
Posted on 09-05-2018 08:08 AM
We bind our Macs to AD and are using the AD Certificate payload. Our only issue is with renewing expired certificates. Does the AD CS connector add any features to better manage expiring certificates?
Posted on 09-05-2018 09:39 AM
@rrwright Depends on what the cause is for the renewal failure. If it's because your machines might not have direct access to the CA's to get a new cert, then yes, the AD CS connector will help with that since you only need to be able to reach your Jamf server.
Posted on 09-06-2018 08:26 AM
Thanks a ton for this information, Pat. Very very helpful. +1 internet points for you.
Posted on 10-08-2018 03:35 PM
I note Machine Certificates is listed above, what about User Certificates? This is something we're really trying to get auto renewal for in our AD environment, but reading info from Apple it seems User Certs can't be auto renewed (if I'm reading correctly).
Posted on 10-09-2018 05:54 AM
@sjones4 The AD CS connector only works with machine certs.
Posted on 10-10-2018 01:24 AM
Hi all,
Would this also allow a binding to the active directory even when the MacBook is not inside the company network?
Thanks
BR
Daniel
Posted on 10-11-2018 09:49 AM
@dpratl No. One of the main reasons for using AD CS is so you don't have to bind anymore to get a cert.
Posted on 10-22-2018 03:41 AM
Hi @patgmac,
Thank you for your answer.
But that's all that is possible, right?
We also use AD accounts (as mobile accounts) on our MacBooks. As far as I understand the documentation, it will not be possible to get user information via AD CS?
Thank you
BR
Daniel
Posted on 10-22-2018 05:08 AM
@dpratl you will want to use NoMAD or Enterprise Connect to get user information.
Posted on 11-28-2018 11:18 AM
Why does AD CS Connector only work for Computer certs?
What is the technical limitation that prevents using it for users?
Is it because of "request on behalf of"/"Enrollment Agent" isn't an option?
Posted on 12-18-2018 10:34 AM
So, does the AD CS connector also act as a proxy for enrollment certificates? Or does the internal JSS CA still handle that?
Posted on 12-19-2018 05:44 AM
@cjatsbm There is no change to Jamf enrollment certificates. That is still handled via the Jamf CA.
Posted on 08-29-2019 08:59 AM
Can you run ADCS and Jamf Pro on the same server?
Posted on 08-30-2019 07:13 AM
@jrobb311 No.