Skip to main content

Introducing the Jamf Certificate SDK

Posted in: Jamf Pro, Enterprise

The Jamf Certificate SDK makes it easy to distribute certificates into non-Apple iOS apps with the help of Jamf Pro. If you build iOS apps for the enterprise market or in-house apps for your own company, and you want to use certificates in those apps, then you could benefit from the Jamf Certificate SDK.

A brief history of certificates on iOS

iOS devices have been able to install profiles containing certificates ever since iOS 2. Jamf Pro v8 (known at the time as Casper Suite) could use mobile device management (MDM) to put those profiles onto managed iOS devices over the air starting with iOS 4. The certificates provided by MDM profiles are installed into the system keychain, and are available for use with Apple’s apps. This allows awesome things like secure certificate-based access to wireless and wired networks, single sign-on in Safari to websites that use client certificate authentication, and the ability to trust internal certificates used to protect some HTTPS traffic on corporate web servers.

However, those MDM installed certificates are not available for use in third-party applications. This means your own apps can’t have that same level of security without a lot of work on your part to manage the certificate creation, distribution and renewal processes.

Enter the Jamf Certificate SDK

The primary goal for the Jamf Certificate SDK is to make it extremely easy for iOS app developers to request certificates from Jamf Pro. The SDK provides all of the networking and encryption code needed to securely connect to Jamf Pro from a managed device and request a certificate from the PKI provider that is configured within Jamf Pro.

As an iOS app developer, you include the SDK framework in your app, implement a couple of required delegate methods in your code, instantiate an object from the SDK, and start the request. The SDK takes care of all the networking and certificate processing in the background, and it calls your delegate with progress status, any errors that occur, and the certificate when the request is completed. Your code then makes use of the certificate in whatever way makes sense. Typical usage would be to store the certificate in your app’s keychain, then present the certificate in response to network challenges when accessing online services.

The SDK makes use of Managed AppConfig to allow a Jamf Pro administrator to set up the secure connection to Jamf Pro and to configure the certificate request as needed by their organization. Your iOS app code doesn’t need to know the URL or credentials to a Jamf Pro server or how to generate the appropriate certificate for that user on that device; those decisions are made within the configuration of your app within Jamf Pro. For more information about app distribution using Jamf Pro, see App Distribution in the Jamf Pro Administrator's Guide.

What about certificate renewal?

Certificates are only valid for a particular amount of time which is decided by the PKI provider configuration and determined when the certificate is created. The Jamf Certificate SDK doesn’t handle PKI renewal of an existing certificate, but instead our recommendation is to request a new certificate in the same way as the original request. There are a couple different ways an iOS app developer can make this happen.

Your app could automatically start a new certificate request when it detects that the current certificate is close to its expiration date. When you get the new certificate, simply replace the current certificate in your app’s keychain. This is a great choice for apps that both request the certificate and use it because the user will enjoy uninterrupted access to the certificate protected content.

Another option would be to schedule a local notification to prompt the user to renew their certificate. This is a great choice for login/setup apps that may be used as part of a suite of apps from the same developer. The login app is not used often by the end user, but is responsible for certificate acquisition by integrating the Jamf Certificate SDK and saving the certificate into a group keychain. Other apps from the same developer can use the certificate, and when it is not present or not valid, they could prompt the user to open the login app. The scheduled local notification prompts the user to renew their certificate before it expires.

How do I get the Jamf Certificate SDK?

The Jamf Certificate SDK is distributed by Jamf’s Developer Relations team. You can find more information on the requirements for using the SDK and how to gain access to it on the Jamf Pro Developer Portal.

Not already a Jamf Pro customer?

Take our best-of-breed Apple management solution for a free test drive and start putting these workflows in place.