
Safely Configuring SSL Certificate Verification

Overview

Configuring the SSL Certificate Verification setting in Jamf Pro ensures that computers only communicate with a host server that has a valid SSL certificate. This prevents computers from communicating with an imposter server and protects against man-in-the-middle attacks. This article explains how to safely configure the SSL Certificate Verification setting.

Note: As of Jamf Pro 9.98, the Enable SSL Certificate Verification checkbox located in the Security settings in Jamf Pro has been changed to the SSL Certificate Verification pop-up menu. For more information on how this change may impact your environment, see Change to the SSL Certificate Verification Setting in Jamf Pro 9.98 or Later.

Procedure

To safely configure SSL Certificate Verification, do the following:

  1. Ensure the SSL certificate in Jamf Pro is valid. (On-premise instances only)
  2. Ensure that all computers verify the certificate.
  3. Configure SSL certificate verification.

Step 1: Ensure the SSL Certificate in Jamf Pro is Valid (On-premise Instances Only)

To ensure the SSL certificate in Jamf Pro is valid, log in to Jamf Pro and navigate to Settings > System Settings > Apache Tomcat Settings and verify that the SSL certificate has not expired.

If the SSL certificate has expired, see the SSL Certificate section in the Jamf Pro Administrator's Guide for instructions on creating or uploading a new SSL certificate.

Step 2: Ensure that all Computers Verify the Certificate

Before enabling the SSL Certificate Verification setting, use the Jamf Pro Certificate Validation extension attribute to collect the certificate verification status from each computer. Then, use a smart computer group to ensure all computers trust the certificate.

To create the Jamf Pro Certificate Validation extension attribute, do the following:
1. In Jamf Pro, navigate to Settings > Computer Management > Extension Attributes and click New From Template.
2. In the Jamf category, click the Jamf Pro Certificate Validation extension attribute.
3. Do not modify the default settings.
4. Click Save.

To create the smart computer group, do the following:
1. In Jamf Pro, navigate to Computers > Smart Computer Groups and click New.
2. Click Criteria > Add > Show Advanced Criteria and choose Jamf Pro Certificate Validation.
3. Choose "is not" from the Operator pop-up menu, and then type "Success" in the Value field.
4. Click Add.
5. Choose Last Inventory Update.
6. Choose "before yyyy/mm/dd" from the Operator pop-up menu, and then type a date after the Jamf Pro Certificate Validation extension attribute was created in the Value field.
7. Choose "or" from the And/Or column.
8. Click Save and then click View.

Computers that have not submitted an inventory update since the extension attribute was created return a blank certificate validation status. Including the Last Inventory Update criterion returns those computers in the smart computer group membership as well, so they are not mistaken for computers that verified the certificate.

Verify that the inventory of all computers has been updated after creating the extension attribute, so that the group reports an accurate number of computers.

If no computers are returned, all computers have verified the certificate and you can safely enable the certificate verification setting.

Important: If computers are returned, do not enable the SSL Certificate Verification setting. Contact your Jamf account representative for assistance.
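The following is an added example of an extension attribute script of the kind Step 2 relies on; it is not Jamf's own "Jamf Pro Certificate Validation" template. It assumes the enrolled server URL is stored under the jss_url key in /Library/Preferences/com.jamfsoftware.jamf.plist, and it keys on curl's exit status rather than the response body, so an HTTP redirect (for example to an SSO login page) still counts as a verified connection.

```shell
#!/bin/sh
# Added example (not Jamf's template): report whether this Mac trusts the
# TLS certificate presented by its Jamf Pro server.
# Assumption: the jamf binary stores the server URL under jss_url in this plist.
JAMF_PLIST="/Library/Preferences/com.jamfsoftware.jamf.plist"

# Read the Jamf Pro URL this computer is enrolled with.
jss_url() {
    defaults read "$JAMF_PLIST" jss_url 2>/dev/null
}

# Map a curl exit status to the text the smart group compares against.
# Only the exact string "Success" keeps a computer out of the "is not Success" group.
classify_curl_status() {
    case "$1" in
        0)  echo "Success" ;;
        60) echo "Failure: certificate not trusted by this computer" ;;
        51) echo "Failure: peer certificate not OK (e.g. host name mismatch)" ;;
        6)  echo "Failure: could not resolve host" ;;
        7)  echo "Failure: could not connect" ;;
        28) echo "Failure: connection timed out" ;;
        *)  echo "Failure: curl exit status $1" ;;
    esac
}

# Perform the TLS handshake with certificate verification left on (no -k),
# discarding the body; a 302 to an SSO login page is still exit status 0.
verify_server_cert() {
    status=0
    curl --silent --output /dev/null --max-time 20 "$1" || status=$?
    classify_curl_status "$status"
}

# Emit the <result> element Jamf Pro stores as the extension attribute value.
report_validation() {
    url=$(jss_url)
    if [ -z "$url" ]; then
        echo "<result>Failure: jss_url not found in $JAMF_PLIST</result>"
    else
        echo "<result>$(verify_server_cert "$url")</result>"
    fi
}

# Only run the live check on an enrolled Mac (the plist exists there).
if [ -f "$JAMF_PLIST" ]; then
    report_validation
fi
```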

Step 3: Configure SSL Certificate Verification

If you are using Jamf Pro 9.98 or later, do the following:
1. In Jamf Pro, go to Settings > Computer Management > Security > Edit.
2. Select an option from the SSL Certificate Verification pop-up menu and click Save.

Consider the following when configuring SSL Certificate Verification:

  • If you are using the self-signed certificate from Apache Tomcat that is built into Jamf Pro, you must select "Always except during enrollment".

  • If you are using an SSL certificate from an internal CA or a trusted third-party vendor, select either "Always" or "Always except during enrollment". It is recommended that you use "Always" if computers in your environment are configured to trust the certificate before they are enrolled.

If you are using Jamf Pro 9.97 or earlier, do the following:
1. In Jamf Pro, go to Settings > Computer Management > Security > Edit.
2. Select the Enable SSL certificate verification checkbox and click Save.

Additional Information

Change to the SSL Certificate Verification Setting in Jamf Pro 9.98 or Later
Learn about the change made to the SSL Certificate Verification setting in Jamf Pro 9.98 or later as well as how this change may impact your environment.

Securing Your Jamf Pro Server
Learn more about what is recommended to keep Jamf Pro and the underlying infrastructure up-to-date and secure.

SOLVED Posted by lunddal:

The "Change to the SSL Certificate Verification Setting in the Casper Suite v9.98 or Later" link is not correct.

SOLVED Posted by nzmacgeek:

Does the method proposed for the extension attribute work in environments authenticating users to the JSS using SAML2 SSO?

My curl result is empty, despite the SSL certificate being valid. When I increase the verbosity of my curl command to examine what is going on, this is my output:

[vworp:~] 5m32s $ curl --verbose $JSSURL
*   Trying <ip.addr>...
* TCP_NODELAY set
* Connected to JSSHOST (ip.addr) port 8443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: JSSHOST
* Server certificate: QuoVadis Global SSL ICA G2
* Server certificate: QuoVadis Root CA 2
> GET / HTTP/1.1
> Host: JSSHOST:8443
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: Apache-Coyote/1.1
< X-FRAME-OPTIONS: SAMEORIGIN
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
< Set-Cookie: JSESSIONID=007DEC9E062224104E03A3EE19F67B6C; Path=/; Secure; HttpOnly
< Location: https://JSSHOST:8443/saml/login
< Content-Length: 0
< Date: Sun, 16 Apr 2017 08:34:34 GMT
<
* Curl_http_done: called premature == 0
* Connection #0 to host JSSHOST left intact

JSS 9.98 on RHEL6.

UPDATE: I fixed this by making a slight change to make curl call the SSO failover URL. I put the solution in this GIST: https://gist.github.com/nzmacgeek/8a89182c497574c530779ca9397f63ea
