what is best practice to deploy cert to macOS

KittyGoyenk
New Contributor III

Hi all, I need some advice/input from anyone about my environment. We just recently built a new NDES cert server, and we use Azure App Proxy pointing to our NDES to deploy 802.1X certificates so our Azure-joined Windows devices can access our Wi-Fi (we use Cisco ISE for authentication and authorization). We currently have our Macs bound to the domain to allow cert requests (so a Mac can request a cert from the old CA if it's in the office). We recently got our Jamf Connect set up and have no reason to bind to the domain anymore. I want to ask anyone's advice on what the best practice is for deploying our 802.1X cert to our Macs that will be Jamf Connect only. Is it possible to integrate our Jamf Cloud with our Azure App Proxy for certificate deployment (just like Intune on Windows)?
Or do I need to go with the Jamf AD CS Connector? Or do I set up Jamf SCEP so it can point to my NDES server (on prem)? I prefer not to do this, as I want to limit the amount of network connectivity between my NDES servers and the internet.

1 ACCEPTED SOLUTION

benleroy
New Contributor II

If you already have the Azure App Proxy in place, then I would simply use it as the gateway to your existing NDES server; this is what we are doing in our environment as well. I would also recommend setting up your Jamf Pro server as the SCEP proxy in this scenario: https://learn.jamf.com/en-US/bundle/technical-paper-scep-proxy-current/page/Enabling_as_SCEP_Proxy_for_Configuration_Profiles.html. This allows the profile for SCEP/802.1X to deploy even if the certificate can't be immediately issued for some reason. Also, if you use the blog post above, make sure to read the note about "Validate Backend SSL Certificate" in the comments. If you leave that enabled, SCEP will fail running through the App Proxy due to the gateway pinning an Azure SSL certificate into the middle of the SCEP process.

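Once the SCEP profile is deploying through the App Proxy, the thing a Mac admin usually wants next is visibility into which devices actually hold a usable 802.1X identity from the new CA (rather than a stale one from the old domain-bound CA) and how close it is to expiry. The script below is an added example written for this thread, not code from the original posts, from Jamf, or from Microsoft. It is shaped like a Jamf Pro extension-attribute script: `ISSUER_CN` and `WARN_DAYS` are placeholders you would set to your issuing CA's common name and renewal window, and it assumes the SCEP payload installed the identity into the System keychain. The `cert_status` and `issuer_matches` helpers only need `openssl`, so they also run on Linux for testing; the keychain lookup runs only on macOS.

```bash
#!/bin/bash
# Added example for this thread (not Jamf's or Microsoft's code): report the
# state of the NDES-issued 802.1X identity on a Mac in Jamf extension-attribute
# format (<result>...</result>).
#
# Placeholders (assumptions, not values from the thread):
#   ISSUER_CN  common name of the issuing CA behind NDES
#   WARN_DAYS  renewal window to flag as EXPIRING
ISSUER_CN="${ISSUER_CN:-Example Issuing CA}"
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status FILE DAYS
# Prints EXPIRED, EXPIRING or OK for the PEM certificate in FILE.
# Uses openssl's -checkend (seconds) so it behaves the same under LibreSSL
# on macOS and OpenSSL on Linux.
cert_status() {
  local pem="$1" days="$2" secs
  secs=$(( days * 86400 ))
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "EXPIRED"
  elif ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
    echo "EXPIRING"
  else
    echo "OK"
  fi
}

# issuer_matches FILE CN
# Returns 0 when the certificate's issuer CN is CN, so a leftover identity
# from the old domain-bound CA is not mistaken for the NDES one.
# Matches both "CN=..." (LibreSSL) and "CN = ..." (OpenSSL 1.1/3) output.
issuer_matches() {
  openssl x509 -in "$1" -noout -issuer 2>/dev/null \
    | grep -qF -e "CN=$2" -e "CN = $2"
}

# report_identity
# macOS only: export every certificate in the System keychain as PEM, split
# them into one file each, and report on the first one issued by ISSUER_CN.
report_identity() {
  local tmpd f status
  tmpd=$(mktemp -d)
  security find-certificate -a -p /Library/Keychains/System.keychain 2>/dev/null \
    | awk -v d="$tmpd" '/BEGIN CERTIFICATE/{n++} {print > (d "/cert" n ".pem")}'
  for f in "$tmpd"/cert*.pem; do
    [ -f "$f" ] || continue
    if issuer_matches "$f" "$ISSUER_CN"; then
      status=$(cert_status "$f" "$WARN_DAYS")
      echo "<result>$status $(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)</result>"
      rm -rf "$tmpd"
      return 0
    fi
  done
  rm -rf "$tmpd"
  echo "<result>MISSING</result>"
}

# Only touch the keychain when actually running on a Mac.
if [ "$(uname)" = "Darwin" ]; then
  report_identity
fi
```

Scope a smart group on the EA value (`MISSING`, `EXPIRED`, `EXPIRING`) to catch Macs where the profile installed but the SCEP request never completed through the proxy, which is exactly the failure mode the "Validate Backend SSL Certificate" note describes.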

3 REPLIES

SCCM
Contributor III

https://macnotes.wordpress.com/2020/11/11/configuring-azure-web-application-proxy-for-jamf-pro-scep-...
You're better off logging a call with Jamf. When we previously asked, the recommendation was a PKI platform or AD CS, but that advice might have changed now.

AJPinto
Honored Contributor III

This is more a question of what certificate you need to use to keep your NPS policy happy and how to get it to your devices. Jamf does offer an ADCS certificate connector, which can be used with Jamf Cloud if placed in your DMZ. There are also other solutions, depending on what exactly you need to do.
