Jamf Nation, hosted by Jamf

Certificate-Based Authentication for Mac Computers

Overview

This article explains how the JSS uses certificate-based authentication to verify that the messages it receives from Mac computers are signed with the private key belonging to each computer's device certificate.

Versions Affected

Version 8.3 and later

Explanation

As of v8.3, the JSS allows you to enable certificate-based authentication (formerly called "certificate-based communication") for Mac computers. This is an important security feature: it lets the JSS verify that each message from a Mac computer was signed by the private key matching the device certificate the JSS issued to that computer, so a computer without a valid device certificate cannot talk to the JSS.

As of v8.4, a device certificate is installed on a computer when it is enrolled with the JSS. (In v8.3, a device certificate is only installed on a computer when certificate-based authentication is enabled.) The JSS tells the jamf binary that the computer needs a certificate, and the jamf binary creates a local keychain for the client using the keychain API that is built into macOS. An RSA key pair is generated in that keychain, and the jamf binary sends only the public key to the JSS; the private key stays in the keychain. The JSS uses the public key to generate a device certificate, which it sends back to the computer. The computer stores its device certificate in its keychain, and the JSS also keeps a copy of the device certificate.

For all subsequent communication with the JSS, the computer uses the private key in its keychain to sign the data it sends, and transmits the signature in an HTTP header. When certificate-based authentication is enabled, the JSS verifies that signature over the attached data using the public key from its stored copy of the computer's device certificate; when the setting is disabled, the signature is still sent but is not checked. If the computer fails to properly sign its messages, it is unable to communicate with the JSS. This happens, for example, if the computer's keychain has been removed or if the computer tries to use a keychain that was not created for it.
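The two exchanges described above, enrollment (public key out, device certificate back) and a later signed request checked against the stored certificate, as an added example that is not Jamf's code and not part of this article. It uses Go's standard library to play both the jamf binary's keychain and the JSS. The header names, the example CA, the choice of SHA-256 with PKCS#1 v1.5 signatures, and the device-ID lookup are all assumptions: the article says only that the signature travels in an HTTP header and does not name the scheme.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"io"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// Header names are assumptions: the article only says the signature travels in an HTTP header.
const sigHeader, idHeader = "X-Device-Signature", "X-Device-ID"

// Client plays the keychain the jamf binary creates: the private key is made here and never leaves.
type Client struct{ key *rsa.PrivateKey }

// Server plays the JSS: an example CA that issues device certificates plus its stored copy of each.
type Server struct {
	caKey *rsa.PrivateKey
	caCrt *x509.Certificate
	certs map[string]*x509.Certificate // keyed by device ID
}

func NewClient() (*Client, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Client{key: k}, err
}

func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example JSS CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &k.PublicKey, k)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return &Server{caKey: k, caCrt: ca, certs: map[string]*x509.Certificate{}}, err
}

// Enroll: the computer sends only its public key; the JSS issues a device certificate, keeps a copy, returns the DER.
func (s *Server) Enroll(deviceID string, pub *rsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(len(s.certs) + 2)),
		Subject: pkix.Name{CommonName: deviceID}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.caCrt, pub, s.caKey)
	if err != nil {
		return nil, err
	}
	crt, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	s.certs[deviceID] = crt
	return der, nil
}

// SignedRequest: every later message is signed with the private key; the body travels as-is and a
// base64 PKCS#1 v1.5 signature over its SHA-256 digest (assumed scheme) travels in the header.
func (c *Client) SignedRequest(url, deviceID, body string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	req.Header.Set(idHeader, deviceID)
	req.Header.Set(sigHeader, base64.StdEncoding.EncodeToString(sig))
	return req, nil
}

// Verify is the JSS-side check when certificate-based authentication is on: re-hash the attached data and
// verify the header signature under the stored device certificate's public key. A removed keychain (no
// signature) or another computer's keychain (wrong key) fails here.
func (s *Server) Verify(req *http.Request) error {
	crt, ok := s.certs[req.Header.Get(idHeader)]
	if !ok {
		return errors.New("no stored device certificate for this computer")
	}
	sig, _ := base64.StdEncoding.DecodeString(req.Header.Get(sigHeader)) // empty or garbled: fails below
	body, _ := io.ReadAll(req.Body)                                     // in-memory body; cannot fail here
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(crt.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
}
```

Verify is the only place the setting changes behaviour: with it disabled, the JSS would accept the request without calling it. Note that the check covers more than the two failures the article names: a request with no signature header, one signed by a keychain that was created for a different computer, one whose body was altered after signing, and one naming a device the JSS never enrolled all fail in the same function, while a request from the enrolled keychain verifies.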

Procedure

  1. Log in to the JSS with a web browser.
  2. In the top-right corner of the page, click Settings.
  3. Click Computer Management.
  4. In the "Computer Management–Management Framework" section, click Security.
  5. Click Edit.
  6. Select the Enable certificate-based communication checkbox.
  7. Click Save.
