Note: As of October 1, 2019, Jamf Pro 10.15.0 or later will be required to integrate with GSX. If you are using an earlier version of Jamf Pro with a GSX integration, you must upgrade to Jamf Pro 10.15.0 or later to continue integrating with GSX.
You can integrate Jamf Pro 10.15.0 or later with Apple's Global Service Exchange (GSX).
Before you can integrate Jamf Pro with GSX, you must have the following:
- A GSX Account with the "Manager" or "Administrator" role, access to Web Services, and access to coverage/warranty information
- An Apple certificate
This article explains how to create a GSX account and obtain an Apple certificate.
Creating a GSX Account
- Go to http://www.apple.com/support/programs/ssa/ to apply for a GSX account.
Note: To apply for a GSX account, you must have a service contract with Apple. Contact your Apple Account Executive to learn more about GSX.
- Log in to your GSX account at https://myaccess.apple.com/
- Click on My Team.
- Select a user from the list.
- On the Account Details page, click Global Service Exchange.
- Click Update Access.
- In the Business role dropdown, choose "Manager."
- In the Optional Privilege(s) dropdown, select the Web Services and Warranty Lookup checkboxes.
- Click Submit.
Obtaining an Apple Certificate
Obtaining an Apple certificate involves the following steps:
- Generate a certificate signing request (CSR).
- Send the CSR and your GSX account information to Apple.
Apple sends back Apple certificates (.pem).
- Convert the Apple certificates to .p12 format.
- Upload the certificate to Jamf Pro.
Step 1: Generate a CSR
You can use OpenSSL to generate a CSR.
Note: You can also generate a CSR using Java Keytool.
- Log in to OpenSSL.
- Create a key pair by executing the following command:
openssl genrsa -aes256 -out privatekey.pem 2048
- Create a passphrase when prompted.
Note: This is the password you will use when accessing the private key.
- Create the CSR by executing the following command:
openssl req -new -sha256 -key privatekey.pem -out certreq.csr
- Enter the Country Name, State or Province Name, Locality Name, Organization Name, and Organizational Unit.
- When prompted to enter the Common Name, enter the following:
- For a test environment CSR: AppleCare-Partner-XXXXXXXXXX.Test.apple.com
- For a production environment CSR: AppleCare-Partner-XXXXXXXXXX.Prod.apple.com (For example, Applecare-Partner-0000098765.Prod.apple.com)
- When prompted for the email address, challenge password, and optional company name, do not enter any information. Press the Enter key for each prompt instead.
Step 2: Send the CSR and GSX Account Information to Apple
Attach the unsigned CSR to an email and provide the following GSX account information to email@example.com:
- Company name
- GSX Sold-To account number
- GSX Ship-To number (optional)
- Apple ID for GSX
- Environment: Production
- Primary IT contact name
- Primary IT contact email
- Primary IT contact phone number
- Outgoing static IP address of the server that sends requests to GSX Production
Note: If your environment is hosted on the Jamf Cloud, you must send all IP addresses for your region to Apple. For a full list of IP addresses, see the following Knowledge Base article:
Permitting Inbound/Outbound Traffic with Jamf Cloud
Apple will generate the Apple certificate (.pem) and send a signed certificate and a chain certificate back to you. (For example, AppleCare-Partner-xxxxxxxxxx.Prod.apple.com.cert.pem and AppleCare-Partner-xxxxxxxxxx.Prod.apple.com.chain.pem.)
Note: To make it easier to work with the signed certificate and chain certificate files in the following steps, it may be helpful to shorten them to be “cert.pem” and “chain.pem”. There may also be a file labeled “issuer” that is not needed for this process.
Step 3: Convert the Apple Certificate (.pem) to .p12 Format
Create a .p12 file using the private key and Apple certificates by executing the following command:
openssl pkcs12 -export -inkey privatekey.pem -in cert.pem -out GSX_Cert.p12
Note: The GSX_Cert.p12 file contains your signed GSX certificate.
If you do not specify a path before the file name when running the above command, the file will be in your working directory.
The certificate is saved as a .p12 file in the location you specified.
Note: The private key password is the password that you set when creating the CSR. You must also set an export password.
Step 4: Upload the .p12 File to Jamf Pro
You must use the previously set keystore password to build the .p12 file and set the Export password when prompted.
- Log in to Jamf Pro.
- Navigate to Global Management > GSX Connection.
- Upload the certificate.
- Enter the keystore password.
- Click Save.
For instructions on how to integrate Jamf Pro with GSX, see Integrating with GSX in the Jamf Pro