What is AD CS Connector used for? What is its purpose?

tnielsen
Valued Contributor

I read through the documentation and could not find the PURPOSE of such an installation.
I'm assuming, from the name alone, it allows me to deploy root certificates from Active Directory? Is that all it does?

22 REPLIES

philburk
New Contributor III

All? It's pretty significant for many.

http://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Install_the_Jamf_AD_CS_Connector.html

patgmac
Contributor III

It is for deploying 802.1x machine certificates issued from an AD CA without the device having to contact the AD CA directly. Jamf Pro would instead "proxy" the certificate request via the AD CS connector which talks to the AD CA.

If you don't use AD certs, then this wouldn't apply to you.

tnielsen
Valued Contributor

Thanks. I have been at the link above many times ... but never clicked "Introduction". Duh

Thanks.

http://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Overview.html

"Jamf Pro allows you to add Active Directory Certificate Services (AD CS) as a PKI Provider in Jamf Pro. This allows you to use AD CS as the certificate authority (CA) for distributing certificates to computers and mobile devices via configuration profiles. "

Jesper
New Contributor III

I have read through the documentation, but can't seem to figure out how AD CS Connector compares to the SCEP Proxy feature.

Can anyone explain to me the different use cases they solve, or are they identical in usage?

Thanks in advance.

patgmac
Contributor III

@Jesper You would use the AD CS connector if your organization uses certs generated by AD and doesn't have SCEP or NDES enabled. To the client, there's not much difference between AD CS and SCEP. AD CS essentially replaces the AD profile payload and gets around the need for the client to be bound AND the need for the client to be able to reach AD directly when the 802.1x profile is installed, much like the SCEP proxy payload.

Jesper
New Contributor III

@patgmac Thanks for the explanation.
Sounds like I am better off using the JIM AD CS connector then, instead of setting up a JIM NDES + SCEP proxy.
I am about to setup the JIM anyway for LDAP proxy.

Do you know if the same JIM instance can be used for both LDAP proxy and AD CS?

Thanks.

patgmac
Contributor III

@Jesper No, the JIM is for LDAP only. You would still need an AD CS connector. I don't believe they can run on the same box, but I'm not 100% sure. Our recent meeting for migrating to Jamf Cloud with our Jamf SE planned for having them separate, but I don't know if that was a technical requirement or just best practice. Either way, we didn't want a single box handling both if we didn't have to.

Jesper
New Contributor III

@patgmac I see my "plus-signs" were converted to underline :-)

I get the overall picture now, and I can always verify best practice with Jamf.

Thanks again.

rrwright
New Contributor

We bind our Macs to AD and are using the AD Certificate payload. Our only issue is with renewing expired certificates. Does the AD CS connector add any features to better manage expiring certificates?

patgmac
Contributor III

@rrwright Depends on what the cause is for the renewal failure. If it's because your machines might not have direct access to the CA's to get a new cert, then yes, the AD CS connector will help with that since you only need to be able to reach your Jamf server.
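An added example (not Jamf's code and not from any poster) for the expiry question above: a POSIX shell check that reports which machine certificates in a PEM bundle expire within a given number of days, so a failed renewal is noticed before the 802.1X profile stops working. It assumes `openssl` is on the path; on a Mac the bundle would come from `security find-certificate -a -p /Library/Keychains/System.keychain`, while the test builds its own self-signed certificates as constructed input.

```shell
#!/bin/sh
# Added example: flag certificates in a PEM bundle that expire soon.
# Works the same whether the cert came from the AD CS connector, SCEP,
# or the AD Certificate payload; it only looks at the certificate itself.
set -eu

# Returns 0 if the single certificate in FILE expires within DAYS days
# (or has already expired), 1 if it is still valid after that window.
cert_expiring_within_days() {
    file="$1"; days="$2"
    secs=$(( days * 86400 ))
    # `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -in "$file" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Splits BUNDLE (concatenated PEM certs, e.g. `security find-certificate -a -p`
# output) into one file per certificate, prints "subject | notAfter" for each
# cert expiring within DAYS days, and returns the number of expiring certs.
report_expiring() {
    bundle="$1"; days="$2"
    tmpdir=$(mktemp -d)
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                    { print > out }
        /-----END CERTIFICATE-----/  { close(out); out = "" }
    ' "$bundle"
    count=0
    for f in "$tmpdir"/cert*.pem; do
        [ -e "$f" ] || continue
        if cert_expiring_within_days "$f" "$days"; then
            printf '%s | %s\n' \
                "$(openssl x509 -in "$f" -noout -subject)" \
                "$(openssl x509 -in "$f" -noout -enddate)"
            count=$((count + 1))
        fi
    done
    rm -rf "$tmpdir"
    return "$count"
}

# Usage on a Mac (assumed invocation, not run here):
#   security find-certificate -a -p /Library/Keychains/System.keychain > /tmp/bundle.pem
#   report_expiring /tmp/bundle.pem 30
```

The return value doubles as a count so the function can drive an extension attribute or a scheduled alert; a non-zero result means at least one certificate needs attention within the window.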

tnielsen
Valued Contributor

Thanks a ton for this information, Pat. Very very helpful. +1 internet points for you.

Not applicable

I note machine certificates are listed above, but what about user certificates? This is something we're really trying to get auto-renewal for in our AD environment, but reading info from Apple it seems user certs can't be auto-renewed (if I'm reading correctly).

patgmac
Contributor III

@sjones4 The AD CS connector only works with machine certs.

dpratl
Contributor II

Hi all,

Would this also allow a binding to the active directory even when the MacBook is not inside the company network?

Thanks
BR
Daniel

patgmac
Contributor III

@dpratl No. One of the main reasons for using AD CS is so you don't have to bind anymore to get a cert.

dpratl
Contributor II

Hi @patgmac,

Thank you for your answer.
But that's all that is possible, right?
We also use AD accounts (as mobile accounts) on our MacBooks. As far as I understand the documentation, it will not be possible to get user information via AD CS?

Thank you
BR
Daniel

patgmac
Contributor III

@dpratl you will want to use NoMAD or Enterprise Connect to get user information.

prbsparx
Contributor II

Why does AD CS Connector only work for Computer certs? What is the technical limitation that prevents using it for users?
Is it because of "request on behalf of"/"Enrollment Agent" isn't an option?

cjatsbm
New Contributor II

So, does the AD CS connector also act as a proxy for enrollment certificates? Or does the internal JSS CA still handle that?

patgmac
Contributor III

@cjatsbm There is no change to Jamf enrollment certificates. That is still handled via the Jamf CA.

jrobb311
New Contributor

Can you run ADCS and Jamf Pro on the same server?

patgmac
Contributor III

@jrobb311 No.