This article explains how the JSS uses certificate-based authentication to verify that device certificates on Mac computers are valid.
Version 8.3 and later
As of v8.3, the JSS allows you to enable certificate-based authentication (formerly called "certificate-based communication") for Mac computers. This is an important security feature that allows the JSS to verify that device certificates on Mac computers are valid.
As of v8.4, a device certificate is installed on a computer when it is enrolled with the JSS. (In v8.3, a device certificate is only installed on a computer when certificate-based authentication is enabled.) The JSS tells the jamf binary that the computer needs a certificate, and the jamf binary creates a local keychain for the client using the API that is built into macOS. The new keychain is responsible for generating an RSA key pair, and the jamf binary sends the public key to the JSS. The JSS uses the public key to generate a device certificate, which it sends back to the computer. The computer stores its device certificate in its keychain, and the JSS also stores a copy of the device certificate.
For all subsequent communication with the JSS, the computer uses the private key in its keychain to sign any data that it sends. The signature is transmitted in an HTTP header. When certificate-based authentication is enabled, the JSS verifies the signature against the attached data using the public key from its stored copy of the device certificate. If the computer fails to properly sign its messages, it is unable to communicate with the JSS. This may occur if the computer's keychain is removed or if the computer tries to use a keychain that was not created for it.
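The exchange described above, simulated in Go as an added example (not Jamf's own code): an in-memory RSA key stands in for the client keychain, the JSS side keeps only the public key it received at enrollment, and the request is accepted only if the header signature matches the attached body. The PKCS#1 v1.5/SHA-256 scheme and the constructed request body are assumptions, since the article does not specify the wire format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Device stands in for the keychain the jamf binary creates at enrollment; only the public half leaves it.
type Device struct{ key *rsa.PrivateKey }

func NewDevice() (*Device, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Device{key: key}, nil
}

// Sign returns the header value: base64(PKCS#1 v1.5 signature over SHA-256(body)); scheme assumed, not Jamf's.
func (d *Device) Sign(body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, d.key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify is the JSS side: recompute the digest of the attached data and check the header
// with the public key from the stored device certificate; bad encoding, an altered body or a foreign key all reject.
func Verify(pub *rsa.PublicKey, body []byte, header string) bool {
	sig, err := base64.StdEncoding.DecodeString(header)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	dev, _ := NewDevice()
	body := []byte(`{"udid":"CONSTRUCTED-SAMPLE"}`) // constructed request body
	header, _ := dev.Sign(body)
	other, _ := NewDevice() // a keychain that was not created for this computer
	fmt.Printf("genuine=%v tampered=%v foreign=%v\n", Verify(&dev.key.PublicKey, body, header), Verify(&dev.key.PublicKey, []byte("x"), header), Verify(&other.key.PublicKey, body, header))
}
```

The last two checks are the failure modes the article names: a body that no longer matches the signature, and a message signed with a keychain the JSS never issued a certificate for.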