- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-31-2018 09:10 AM
I read through the documentation and could not find the PURPOSE of such an installation.
I'm assuming, from the name alone, it allows me to deploy root certificates from Active Directory? Is that all it does?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-31-2018 09:11 PM
Thanks. I have been at the link above many times ... but never clicked "Introduction". Duh
Thanks.
http://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Overview.html
"Jamf Pro allows you to add Active Directory Certificate Services (AD CS) as a PKI Provider in Jamf Pro. This allows you to use AD CS as the certificate authority (CA) for distributing certificates to computers and mobile devices via configuration profiles. "
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-05-2018 03:49 AM
@Jesper You would use the AD CS connector if your organization uses certs generated by AD and doesn't have SCEP or NDES enabled. To the client, there's not much difference between AD CS and SCEP. AD CS essentially replaces the AD profile payload and gets around the need for the client to be bound AND the need for the client to be able to reach AD directly when the 802.1x profile is installed, much like the SCEP proxy payload.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-31-2018 10:50 AM
All? It's p significant for many.
http://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Install_the_Jamf_AD_CS_Connector.html
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-31-2018 01:18 PM
It is for deploying 802.1x machine certificates issued from an AD CA without the device having to contact the AD CA directly. Jamf Pro would instead "proxy" the certificate request via the AD CS connector which talks to the AD CA.
If you don't use AD certs, then this wouldn't apply to you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-31-2018 09:11 PM
Thanks. I have been at the link above many times ... but never clicked "Introduction". Duh
Thanks.
http://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Overview.html
"Jamf Pro allows you to add Active Directory Certificate Services (AD CS) as a PKI Provider in Jamf Pro. This allows you to use AD CS as the certificate authority (CA) for distributing certificates to computers and mobile devices via configuration profiles. "
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2018 06:55 AM
I have read through the documentation, but can't seem to figure out how AD CS Connector compares to the SCEP Proxy feature.
Can anyone explain to me the different use cases they solve, or are they identical in usage?
Thanks in advance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-05-2018 03:49 AM
@Jesper You would use the AD CS connector if your organization uses certs generated by AD and doesn't have SCEP or NDES enabled. To the client, there's not much difference between AD CS and SCEP. AD CS essentially replaces the AD profile payload and gets around the need for the client to be bound AND the need for the client to be able to reach AD directly when the 802.1x profile is installed, much like the SCEP proxy payload.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-05-2018 04:02 AM
@patgmac Thanks for the explanation.
Sounds like I am better of using JIM AD CS connector then, instead of setting up a JIM NDES + SCEP proxy.
I am about to setup the JIM anyway for LDAP proxy.
Do you know if the same JIM instance can be used for both LDAP proxy and AD CS?
Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-05-2018 04:14 AM
@Jesper No, the JIM is for LDAP only. You would still need and AD CS connector, I don't believe they can run on the same box but I'm not 100% sure. Our recent meeting for migrating to Jamf Cloud with our Jamf SE planned for having them separate, but I don't know if that was a technical requirement or just best practice. Either way, we didn't want a single box handling both if we didn't have to.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-05-2018 04:30 AM
@patgmac I see my "plus-signs" were converted to underline :-)
I get the overall picture now, and I can always verify best practice with Jamf.
Thanks again.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-05-2018 08:08 AM
We bind our Macs to AD and are using the AD Certificate payload. Our only issue is with renewing expired certificates. Does the AD CS connector add any features to better manage expiring certificates?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-05-2018 09:39 AM
@rrwright Depends on what the cause is for the renewal failure. If it's because your machines might not have direct access to the CA's to get a new cert, then yes, the AD CS connector will help with that since you only need to be able to reach your Jamf server.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-06-2018 08:26 AM
Thanks a ton for this information, Pat. Very very helpful. +1 internet points for you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-08-2018 03:35 PM
I note Machine Certificates is listed above, what about User Certificates. This is something we're really trying to get auto renewal for in our AD environment, but reading info from Apple it seems User Certs can't be auto renewed (if i'm reading correctly.)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-09-2018 05:54 AM
@sjones4 The AD CS connector only works with machine certs.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-10-2018 01:24 AM
Hi all,
Would this also allow a binding to the active directory even when the MacBook is not inside the company network?
Thanks
BR
Daniel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-11-2018 09:49 AM
@dpratl No. One of the main reasons for using AD CS is so you don't have to bind anymore to get a cert.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-22-2018 03:41 AM
Hi @patgmac,
Thank you for your answer.
But that's all that is possible, right?
We also use AD Accounts (as mobile accounts) on your MacBooks. As far as i understand the documentation this will not be possible to get Userinformation about the AD CS?
Thank you
BR
Daniel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-22-2018 05:08 AM
@dpratl you will want to use NoMAD or Enterprise Connect to get user information.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-28-2018 11:18 AM
Why does AD CS Connector only work for Computer certs?
What is the technical limitation that prevents using it for users?
Is it because of "request on behalf of"/"Enrollment Agent" isn't an option?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-18-2018 10:34 AM
So, does the ADSC also act as a proxy for enrollment certificates? Or does the internal JSS CA still handle that?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-19-2018 05:44 AM
@cjatsbm There is no change to Jamf enrollment certificates. That is still handled via the Jamf CA.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-29-2019 08:59 AM
Can you run ADCS and Jamf Pro on the same server?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-30-2019 07:13 AM
@jrobb311 No.