Let’s Talk About Certificates

Ben Toms, Senior Infrastructure Analyst at Pentland Brands, describes the vital role certificates play when securing your JAMF Software Server (JSS) or authenticating users for network services.

October 14, 2015

As Ben Toms, Senior Infrastructure Analyst at Pentland Brands in London (also known as JAMF Nation Dean @macmule), puts it, certificates play a vital role, whether in securing your JAMF Software Server (JSS) or in authenticating users for network services.

In today’s JAMF Nation User Conference (JNUC) session, Toms demystified certificate acronyms and covered topics ranging from root and intermediate certificate authorities to PKI usage and SCEP. Here’s a short summary, but the video will be well worth the wait.

Trust, Identification, and a little bit of encryption.
Through a fun analogy, Toms explains the notion of trust: plumbers, and the need to check ID and credentials. (You really need to watch the video when it comes out in a couple of weeks to get the full benefit of his gifs; it’ll be worth it.)

CSR (Certificate Signing Request)
Simply put, an application form.

SCEP – Simple Certificate Enrollment Protocol
The JSS leverages SCEP to issue and revoke certs to devices enrolled in it. One of the nice things about SCEP is that it auto-renews, again lessening the faff.

ADCS – Active Directory Certificate Services
This allows clients to request a certificate from their organization’s Active Directory-bound Certificate Authority.

APNs – Apple Push Notification service
The JSS requires a valid push certificate to communicate with APNs. This communication is required to do the following:
• Send OS X configuration profiles and OS X remote commands to computers
• Distribute Mac App Store apps to computers
• Enroll and manage iOS devices

In Q4, a new certificate authority called Let’s Encrypt (letsencrypt.org), sponsored by some very well-known tech organizations, will be launched. Let’s Encrypt is a free certificate authority, built on a foundation of cooperation and openness, that lets everyone get up and running with basic server certificates for their domains through a simple one-click process.

Finally, in a JNUC first, a special thanks to everyone who contributed to the ‘JNUC needs MacMule’ GoFundMe. Ben’s blog says it all.

What a community!
