Jamf Blog
July 20, 2022 by Micah Spady

Jamf and PKI: A strong foundation for Zero Trust security

Discover why a public key infrastructure (PKI) is the right component to start with when designing a Zero Trust Network Access (ZTNA) architecture.

Apple device management systems like Jamf Pro are important pieces of a Zero Trust ecosystem. Together with an identity provider (Azure AD, Okta, Ping, Google, etc.), digital certificates give each device and user a unique, cryptographically verifiable identity, one of the many inputs an organization can use to enforce Zero Trust. This is exactly why the National Institute of Standards and Technology (NIST) lists an enterprise public key infrastructure (PKI) among the core logical components of a Zero Trust architecture in SP 800-207.

The certificates issued by your PKI are the backbone of context-aware access decisions. Because each certificate is bound to a specific device or user, it lets you combine inventory and compliance data from Jamf Pro with identity data from your identity provider at authentication time, and allow or deny access to Wi-Fi, applications, ZTNA and VPN accordingly.

Certificates pave the way

PKIs have historically been a challenge to set up, requiring a high degree of specialization and skill to implement and maintain. That is no longer the case as the technology has evolved; tying a PKI to information sources like Jamf Pro and your IdP also doesn't have to be a challenge.

Typically, organizations use an API to automatically enroll and revoke certificates for their Jamf Pro managed devices, and integrate identity provider authorization so that unmanaged devices can enroll themselves for certificates. Both Jamf Pro managed and unmanaged devices are enrolled for certificates to enforce Zero Trust for a few key reasons:

  • Differentiated Wi-Fi/wired access for Jamf Pro managed and unmanaged devices
  • Preventing access to various applications for noncompliant devices and users

Modern certificate-driven infrastructure needs a modern network authentication platform, so the Cloud RADIUS service was built to derive access decisions from real-time data rather than from a static list of issued certificates. For example, at authentication time Cloud RADIUS can combine the identity carried in the device's certificate with contextual user and device information from Jamf Pro, plus information gathered in real time from the Microsoft Graph API (such as the user's current account and group status), to make rich Zero Trust decisions.
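To make that decision flow concrete, here is an added example (not SecureW2 Cloud RADIUS code) of a policy function that takes the fields an EAP-TLS server extracts from a client certificate, checks them against live Jamf Pro and IdP state, and returns either an Access-Reject or an Access-Accept carrying the standard dynamic-VLAN attributes from RFC 3580. It also covers the managed-versus-unmanaged split from the list above. The Jamf Pro inventory, the IdP user table, the revocation list and the VLAN IDs are constructed assumptions so the code runs offline.

```python
"""Access decision combining certificate identity with live Jamf Pro and IdP data,
in the style of a RADIUS policy engine terminating EAP-TLS.

Added example, not SecureW2 Cloud RADIUS code. The Jamf Pro inventory, the IdP
(Microsoft Graph) lookup and the PKI's revocation list are constructed in-memory
tables (assumptions) so the example runs offline; the VLAN IDs are assumptions.
"""
from datetime import datetime, timezone

# Constructed sample: what Jamf Pro knows about managed devices, keyed by serial number.
JAMF_INVENTORY = {
    "C02XYZ123456": {"managed": True, "compliant": True},
    "C02BAD000001": {"managed": True, "compliant": False},  # e.g. FileVault turned off
}

# Constructed sample: real-time user state as a Graph lookup would return it.
IDP_USERS = {
    "alice@example.com": {"accountEnabled": True, "groups": ["Engineering"]},
    "bob@example.com": {"accountEnabled": False, "groups": ["Finance"]},  # offboarded
}

# Constructed sample: serial numbers of certificates the PKI has revoked.
REVOKED_SERIALS = {"0x1f"}

VLAN_CORP, VLAN_BYOD = "100", "200"  # assumptions: corporate and restricted VLAN IDs


def reject(reason):
    return {"code": "Access-Reject", "reason": reason}


def accept(vlan):
    """Access-Accept with the dynamic-VLAN attributes (RFC 3580): Tunnel-Type VLAN (13),
    Tunnel-Medium-Type IEEE-802 (6), Tunnel-Private-Group-ID = VLAN ID."""
    return {"code": "Access-Accept", "Tunnel-Type": 13,
            "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": vlan}


def decide(cert, now=None, inventory=JAMF_INVENTORY, users=IDP_USERS, revoked=REVOKED_SERIALS):
    """cert: fields the EAP-TLS server extracts from the client certificate:
    'serial' (certificate serial), 'not_after' (aware datetime),
    'upn' (user identity from the SAN, or None), 'device_serial' (from the CN, or None)."""
    now = now or datetime.now(timezone.utc)
    if cert["not_after"] <= now:
        return reject("certificate expired")
    if cert["serial"] in revoked:
        return reject("certificate revoked")
    upn = cert.get("upn")
    if upn is not None:  # live IdP check: a valid cert is not enough once the user is disabled
        user = users.get(upn)
        if user is None or not user["accountEnabled"]:
            return reject("user unknown or disabled in IdP")
    device = inventory.get(cert.get("device_serial"))
    if device is None:  # not a Jamf Pro managed device
        if upn is None:
            return reject("unmanaged device with no user identity")
        return accept(VLAN_BYOD)  # unmanaged but user is good: restricted VLAN
    if not device["compliant"]:
        return reject("device noncompliant in Jamf Pro")
    return accept(VLAN_CORP)  # managed, compliant, user enabled: corporate VLAN


def sample_certs():
    """Constructed certificates covering each branch of the policy."""
    ok = datetime(2099, 1, 1, tzinfo=timezone.utc)
    alice = "alice@example.com"
    return {
        "managed_ok":   {"serial": "0x1e", "not_after": ok, "upn": alice, "device_serial": "C02XYZ123456"},
        "noncompliant": {"serial": "0x21", "not_after": ok, "upn": alice, "device_serial": "C02BAD000001"},
        "byod":         {"serial": "0x30", "not_after": ok, "upn": alice, "device_serial": None},
        "offboarded":   {"serial": "0x31", "not_after": ok, "upn": "bob@example.com", "device_serial": "C02XYZ123456"},
        "revoked":      {"serial": "0x1f", "not_after": ok, "upn": alice, "device_serial": "C02XYZ123456"},
        "expired":      {"serial": "0x32", "not_after": datetime(2020, 1, 1, tzinfo=timezone.utc),
                         "upn": alice, "device_serial": "C02XYZ123456"},
    }


if __name__ == "__main__":
    for name, cert in sample_certs().items():
        print(f"{name:13s} -> {decide(cert)}")
```

The order of the checks matters: certificate validity and revocation come first because they are cheap and local, the IdP and Jamf Pro lookups come after because they cost a network round trip, and the unmanaged branch never reaches the corporate VLAN regardless of how good the user looks.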

Jamf Pro certificate integration with auto-revocation

In the past, one of the main hurdles to certificate-based authentication has been getting those certificates onto your devices. Fortunately, this process becomes fairly easy with modern solutions, regardless of whether the devices on your network are spread across cities, countries, continents or even the entire globe.

Consider how our PKI works with Jamf Pro: Jamf Pro pushes a configuration profile that directs each managed device to enroll for a certificate automatically. No end-user interaction is necessary; the whole process can run after employees have logged off for the day.
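As an added illustration (not Jamf or SecureW2 code) of what such a profile contains, the script below builds a .mobileconfig with a single SCEP payload using Python's plistlib. The SCEP URL, CA name and challenge are placeholder assumptions; $SERIALNUMBER, $UDID and $EMAIL are Jamf Pro payload variables that Jamf Pro substitutes per device when it deploys the profile, which is what ties each certificate back to an inventory record.

```python
"""Build the kind of SCEP configuration profile Jamf Pro pushes to a managed device
so that it enrolls for a certificate with no user interaction.

Added example, not SecureW2 or Jamf code. SCEP_URL, CHALLENGE, ORG and the CA
name are hypothetical placeholders (assumptions). $SERIALNUMBER, $UDID and
$EMAIL are Jamf Pro payload variables substituted per device at deployment.
"""
import plistlib
import uuid

SCEP_URL = "https://scep.example.com/scep"           # assumption: your PKI's SCEP endpoint
CHALLENGE = "replace-with-per-profile-challenge"     # assumption: challenge password
ORG = "Example Corp"                                 # assumption


def build_scep_profile(scep_url=SCEP_URL, challenge=CHALLENGE, org=ORG, key_size=2048):
    """Return a configuration profile (as a dict) with one com.apple.security.scep payload."""
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.scep.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Device identity certificate (SCEP)",
        "PayloadContent": {
            "URL": scep_url,
            "Name": "Example Device CA",   # assumption: CA identifier the SCEP server expects
            # Subject is an array of RDNs, each RDN an array of [type, value] pairs.
            # Putting the serial number in the CN binds the cert to the Jamf inventory record.
            "Subject": [
                [["CN", "$SERIALNUMBER"]],
                [["OU", "Managed by Jamf Pro"]],
                [["O", org]],
            ],
            "SubjectAltName": {
                "rfc822Name": "$EMAIL",
                "uniformResourceIdentifier": "urn:jamf:udid:$UDID",
            },
            "Challenge": challenge,
            "Keysize": key_size,
            "Key Type": "RSA",
            "Key Usage": 5,    # 1 = digital signature, 4 = key encipherment, 5 = both
            "Retries": 3,      # retry if the CA has not issued yet
            "RetryDelay": 10,  # seconds between retries
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.profile.scep-device-identity",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Device identity certificate",
        "PayloadOrganization": org,
        "PayloadContent": [scep_payload],
    }


def serialize_profile(profile):
    """Serialize to the XML plist form of a .mobileconfig that Jamf Pro accepts on upload."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def scep_payloads(profile_bytes):
    """Parse a serialized profile and return the contents of its SCEP payloads."""
    parsed = plistlib.loads(profile_bytes)
    return [p["PayloadContent"] for p in parsed["PayloadContent"]
            if p.get("PayloadType") == "com.apple.security.scep"]


if __name__ == "__main__":
    print(serialize_profile(build_scep_profile()).decode())
```

Upload the resulting .mobileconfig to Jamf Pro as a custom configuration profile and scope it to the devices that should hold a certificate; Jamf Pro fills in the $-variables per device before the profile reaches it, so the certificate subject the device requests matches what later shows up in the inventory.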

Things get trickier for devices not managed by Jamf Pro. Expecting users of varying levels of technical literacy to enroll their unmanaged devices for certificates by hand is a recipe for disaster; an onboarding application streamlines the process and prevents misconfiguration.

Enrolling devices for certificates is only one side of the coin; the other is revoking those certificates when you no longer want a device to have access. This is why JoinNow Connector PKI has a built-in Jamf auto-revocation feature. Administrators create groups of devices in Jamf Pro (for example, a smart group of devices that have fallen out of compliance); the JoinNow PKI service checks those groups every 10 minutes and automatically revokes the certificates of any device whose ID appears in them, so network access always reflects the current device state. Two caveats apply to any revocation workflow: X.509 revocation is permanent, so a device that returns to compliance needs a new certificate rather than its old one back, and revocation only takes effect at the RADIUS server or application that validates the certificate, so make sure your relying parties actually check revocation status (CRL or OCSP) instead of just the signature and validity period.
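Here is an added example (not JoinNow Connector PKI code) of the reconciliation logic behind that workflow: read the members of a Jamf Pro computer group, revoke every not-yet-revoked certificate issued to one of those devices, and leave everything else alone. The group response is a constructed sample shaped like the Classic API's computergroups JSON (an assumption about the API shape), the issued-certificate records are constructed, and the revoke hook is a hypothetical stand-in for your CA's API.

```python
"""Poll a Jamf Pro computer group and revoke the certificates of the devices in it.

Added example, not JoinNow Connector PKI code. JAMF_GROUP_RESPONSE is a constructed
sample shaped like GET /JSSResource/computergroups/id/{id} with Accept: application/json
(assumption about the Classic API's JSON layout). The issued-certificate records are
constructed, and `revoke` is a hypothetical hook for whatever your CA exposes.
"""
import json
import time
import urllib.request

# Constructed sample: Classic API computer group payload, trimmed to the fields used here.
JAMF_GROUP_RESPONSE = json.dumps({
    "computer_group": {
        "id": 42, "name": "Revoke certificate", "is_smart": True,
        "computers": [
            {"id": 1001, "name": "alice-mbp", "serial_number": "C02XYZ123456"},
            {"id": 1002, "name": "bob-mbp", "serial_number": "C02BAD000001"},
        ],
    }
})


def sample_issued():
    """Constructed certificate records keyed by certificate serial (fresh copy per call)."""
    return {
        "0x1e": {"jamf_id": 1001, "device_serial": "C02XYZ123456", "revoked": False},
        "0x1f": {"jamf_id": 1002, "device_serial": "C02BAD000001", "revoked": False},
        "0x20": {"jamf_id": 1003, "device_serial": "C02GOOD00002", "revoked": False},
        "0x21": {"jamf_id": 1002, "device_serial": "C02BAD000001", "revoked": True},  # revoked earlier
    }


def fetch_group(base_url, bearer_token, group_id):
    """Fetch a computer group from the Jamf Pro Classic API as JSON (not used offline).
    Assumption: a Jamf Pro API bearer token is accepted for Classic API calls."""
    req = urllib.request.Request(
        f"{base_url}/JSSResource/computergroups/id/{group_id}",
        headers={"Accept": "application/json", "Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def group_member_ids(raw_json):
    """Extract the Jamf computer IDs from a computer group response."""
    doc = json.loads(raw_json)
    return {c["id"] for c in doc["computer_group"]["computers"]}


def reconcile(member_ids, issued, revoke):
    """Revoke every unrevoked certificate belonging to a device in the group.
    Idempotent: already-revoked certificates are skipped, and nothing is un-revoked when a
    device leaves the group (X.509 revocation is permanent; the device must re-enroll).
    Returns the serials revoked on this pass."""
    revoked_now = []
    for serial, rec in issued.items():
        if rec["jamf_id"] in member_ids and not rec["revoked"]:
            revoke(serial)  # hypothetical hook into the CA's revocation API
            rec["revoked"] = True
            revoked_now.append(serial)
    return sorted(revoked_now)


def run_once(raw_json, issued, revoke):
    return reconcile(group_member_ids(raw_json), issued, revoke)


def poll_forever(get_group_json, issued, revoke, interval=600):
    """Check the group every `interval` seconds (600 s matches the 10-minute cadence above)."""
    while True:
        run_once(get_group_json(), issued, revoke)
        time.sleep(interval)


if __name__ == "__main__":
    issued, log = sample_issued(), []
    print(run_once(JAMF_GROUP_RESPONSE, issued, log.append))  # first pass revokes 0x1e and 0x1f
    print(run_once(JAMF_GROUP_RESPONSE, issued, log.append))  # second pass has nothing to do
```

Keying the revocation on the Jamf computer ID rather than on the device's serial number avoids revoking the wrong certificate when a serial is re-used or a record is re-enrolled, and keeping the "already revoked" state local means a transient Jamf Pro outage cannot cause a burst of duplicate revoke calls on the next successful poll.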

Build a solid foundation for Zero Trust architecture with SecureW2 and Jamf

Zero Trust isn't as simple as implementing one security solution and calling it a day. Many pieces go into any Zero Trust architecture. However, using digital certificates to identify and segment users and devices on your network goes a long way toward building a strong, secure foundation.

Fortunately, there are now tools that simplify certificates and make them accessible to businesses of any size. With an MDM like Jamf Pro and a PKI like JoinNow, you can automatically direct your managed devices to enroll for certificates. Zero Trust doesn't have to be difficult; with solutions like these, it can be remarkably simple to achieve.

Visit the Jamf Marketplace page for the SecureW2 JoinNow integration with Jamf Pro.

Micah Spady
Micah works to make sure that SecureW2 and its technology partners provide the best experience possible for their customers.