I read through the documentation and could not find the PURPOSE of such an installation.
I'm assuming, from the name alone, it allows me to deploy root certificates from Active Directory? Is that all it does?
All? It's pretty significant for many.
http://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Install_the_Jamf_AD_CS_Connector.html
It is for deploying 802.1x machine certificates issued from an AD CA without the device having to contact the AD CA directly. Jamf Pro would instead "proxy" the certificate request via the AD CS connector which talks to the AD CA.
If you don't use AD certs, then this wouldn't apply to you.
Thanks. I have been at the link above many times ... but never clicked "Introduction". Duh
Thanks.
http://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Overview.html
"Jamf Pro allows you to add Active Directory Certificate Services (AD CS) as a PKI Provider in Jamf Pro. This allows you to use AD CS as the certificate authority (CA) for distributing certificates to computers and mobile devices via configuration profiles. "
I have read through the documentation, but can't seem to figure out how AD CS Connector compares to the SCEP Proxy feature.
Can anyone explain to me the different use cases they solve, or are they identical in usage?
Thanks in advance.
@Jesper You would use the AD CS connector if your organization uses certs generated by AD and doesn't have SCEP or NDES enabled. To the client, there's not much difference between AD CS and SCEP. AD CS essentially replaces the AD profile payload and gets around the need for the client to be bound AND the need for the client to be able to reach AD directly when the 802.1x profile is installed, much like the SCEP proxy payload.
@patgmac Thanks for the explanation.
Sounds like I am better off using the JIM AD CS connector then, instead of setting up a JIM NDES + SCEP proxy.
I am about to set up the JIM anyway for LDAP proxy.
Do you know if the same JIM instance can be used for both LDAP proxy and AD CS?
Thanks.
@Jesper No, the JIM is for LDAP only. You would still need an AD CS connector. I don't believe they can run on the same box, but I'm not 100% sure. Our recent meeting for migrating to Jamf Cloud with our Jamf SE planned for having them separate, but I don't know if that was a technical requirement or just best practice. Either way, we didn't want a single box handling both if we didn't have to.
@patgmac I see my "plus-signs" were converted to underline :-)
I get the overall picture now, and I can always verify best practice with Jamf.
Thanks again.
We bind our Macs to AD and are using the AD Certificate payload. Our only issue is with renewing expired certificates. Does the AD CS connector add any features to better manage expiring certificates?
@rrwright Depends on what the cause is for the renewal failure. If it's because your machines might not have direct access to the CA's to get a new cert, then yes, the AD CS connector will help with that since you only need to be able to reach your Jamf server.
Thanks a ton for this information, Pat. Very very helpful. +1 internet points for you.
I note Machine Certificates are listed above, what about User Certificates? This is something we're really trying to get auto renewal for in our AD environment, but reading info from Apple it seems User Certs can't be auto renewed (if I'm reading correctly).
@sjones4 The AD CS connector only works with machine certs.
Hi all,
Would this also allow a binding to the active directory even when the MacBook is not inside the company network?
Thanks
BR
Daniel
@dpratl No. One of the main reasons for using AD CS is so you don't have to bind anymore to get a cert.
Hi @patgmac,
Thank you for your answer.
But that's all that is possible, right?
We also use AD Accounts (as mobile accounts) on our MacBooks. As far as I understand the documentation, it will not be possible to get user information via AD CS?
Thank you
BR
Daniel
@dpratl you will want to use NoMAD or Enterprise Connect to get user information.
Why does AD CS Connector only work for Computer certs?
What is the technical limitation that prevents using it for users?
Is it because of "request on behalf of"/"Enrollment Agent" isn't an option?
So, does the AD CS connector also act as a proxy for enrollment certificates? Or does the internal JSS CA still handle that?
@cjatsbm There is no change to Jamf enrollment certificates. That is still handled via the Jamf CA.
Can you run ADCS and Jamf Pro on the same server?
@jrobb311 No.