
How can you trust the certificates you work with?

Posted in: Jamf Pro, Enterprise

In the digital world, trust is key to accomplishing many tasks you encounter every day. Whether it is browsing the internet, logging in to an email service, or even connecting to a network, trust must be established to confidently proceed.

A basic username and password are no longer sufficient to establish trust and prevent unauthorized intrusion into protected systems. Certificates make it possible to verify identity, establish trust, and pass encrypted data between devices and servers.

Certificates and Jamf Pro
Within Jamf Pro, you will encounter situations where certificates play an important role in device management. Most of you are probably familiar with the Tomcat SSL certificate used by the web server to prove its identity to a computer or device that attempts to connect to the Jamf Pro URL. At a high level, the device confirms that the website's certificate was issued by a recognized trusted source — a Root Certificate Authority (CA) — before the browser connects to the website.

Similarly, mobile device management (MDM) relies on certificate-based communication to establish a connection between devices and the Jamf Pro server. With MDM in place, you open a pathway for the remote device management capabilities of Jamf Pro.

As an admin, you may need to allow for a trusted communication between your devices and another service or website. Jamf Pro can be leveraged to install certificates on your devices through the use of configuration profiles. Configuration profiles are XML files that allow you to define settings for your managed Apple devices. Let’s walk through three use cases:

  1. Deploying a single certificate
  2. Using an AD server to connect to VPN
  3. Leveraging SCEP server to authenticate to a wireless network (802.1x)

1. Deploying a single certificate
Deploying a single certificate can be accomplished within a configuration profile by configuring the certificate payload with an uploaded certificate file. Once the certificate is uploaded, the profile can be scoped to the devices or groups that need to receive it. For macOS profiles, consider whether the certificate needs to land in the System keychain of Keychain Access (computer-level configuration profile) or in the login keychain (user-level configuration profile).
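As an added example (not Jamf's code or a Jamf Pro export), the script below builds the XML plist behind a single-certificate payload and reads it back, with PayloadScope selecting the System or login keychain as described above. The com.example identifiers and the DER placeholder are constructed; in practice Jamf Pro generates the profile for you when you upload the certificate.

```python
import plistlib
import uuid

# Payload types Apple defines for certificate payloads in a configuration profile.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",    # root CA certificate
    "com.apple.security.pkcs1",   # DER-encoded certificate
    "com.apple.security.pem",     # PEM-encoded certificate
    "com.apple.security.pkcs12",  # identity (certificate plus private key)
}

def build_cert_profile(cert_der: bytes, name: str, scope: str = "System",
                       payload_type: str = "com.apple.security.pkcs1") -> bytes:
    """Return a .mobileconfig (XML plist) that installs one certificate.
    PayloadScope "System" puts it in the System keychain (computer-level profile);
    "User" puts it in the login keychain (user-level profile)."""
    if scope not in ("System", "User"):
        raise ValueError("PayloadScope must be 'System' or 'User'")
    if payload_type not in CERT_PAYLOAD_TYPES:
        raise ValueError(f"unsupported certificate payload type: {payload_type}")
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.cert.{uuid.uuid4()}",  # hypothetical prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadCertificateFileName": f"{name}.cer",
        "PayloadContent": cert_der,  # plistlib writes bytes as a <data> element
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.profile.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Deploy {name}",
        "PayloadScope": scope,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def certificate_payloads(profile_xml: bytes) -> list:
    """List (payload_type, scope, byte_count) for every certificate payload in a profile."""
    profile = plistlib.loads(profile_xml)
    scope = profile.get("PayloadScope", "User")  # a missing PayloadScope means User
    return [(p["PayloadType"], scope, len(p["PayloadContent"]))
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") in CERT_PAYLOAD_TYPES]

# Constructed placeholder, NOT a real certificate; stands in for DER bytes read from a .cer file.
SAMPLE_DER = b"CONSTRUCTED-DER-PLACEHOLDER"
```

Reading an exported profile with certificate_payloads is a quick way to confirm that a certificate profile carries the scope you intended before it reaches devices.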

2. Using an AD server to connect to VPN
To configure a profile with VPN that requires the user to receive a certificate from AD in order to connect, you can create a profile with both a VPN payload and an AD certificate payload. Both payloads must be within the same configuration profile in order for the connection to happen without user interaction. Profiles from Jamf Pro can also use variables to populate information about the certificate. More information about variables for iOS and macOS can be found in the Jamf Pro Administrator’s Guide.

3. Leveraging SCEP server to authenticate to a wireless network
Enterprise-level network connectivity typically leverages the 802.1x standard to secure wired and wireless connections. Within Jamf Pro, you can deploy a profile that adds a network connection to a device and instructs the device to request a certificate from a SCEP (Simple Certificate Enrollment Protocol) server, which lets you issue certificates to devices at scale.

Jamf Pro uses SCEP during the device enrollment process to issue certificates to devices. You can view certificates issued by Jamf Pro under the PKI Certificates section of System Settings in Jamf Pro. There are additional options to set up an External Certificate Authority for issuing certificates, as well as the ability to set up Jamf Pro as a SCEP proxy; both can be explored further depending on your environment. Jamf offers native integration with Symantec PKI and Entrust SCEP.

Certificates are a major component of any IT strategy. Jamf Pro can form the core of your certificate deployment and lifecycle management.

Not already a Jamf Pro customer? Request a free trial today.