Issuing Symantec Certificates to Computers and Mobile Devices in Jamf Pro
This article explains how to issue Symantec certificates to computers and mobile devices in Jamf Pro using the Symantec Managed PKI Service.
- Jamf Pro 9.98 or later
- Symantec Managed PKI service
- Web browser with the Symantec PKI Manager
- Symantec Administrator certificate added to a local keychain
- Push certificate configured in Jamf Pro
The procedure requires configuring Jamf Pro and the Symantec PKI Manager simultaneously. It is important to note that each configuration is unique to your environment, and additional steps may be necessary.
The procedure involves the following steps:
- Add new certificate profiles in the Symantec PKI Manager
- Configure a Certificate Authority in Jamf Pro
- Set up configuration profile payloads in Jamf Pro to issue Symantec certificates to devices
- Verify that Symantec certificates were properly issued to devices
- CA: Certificate Authority
- CSR: Certificate Signing Request
- RA: Registration Authority
- PKI: Public Key Infrastructure
- CN: Common Name
Step 1: Add new certificate profiles in the Symantec PKI Manager
- In the Symantec PKI Manager, navigate to Settings > Manage certificate profiles.
- Click Add certificate profile to set up a new certificate profile for the existing Symantec certificates in Jamf Pro and proceed with the onscreen instructions.
- Continue to add certificate profiles until a profile has been created for each Symantec certificate.
Step 2: Configure a Certificate Authority in Jamf Pro
- In Jamf Pro, navigate to Settings > System Settings > PKI Certificates.
- Click Add New Certificate Authority.
- Select "Symantec" as the PKI Provider and proceed with the help assistant.
a. When prompted, navigate to the Symantec PKI Manager website: https://pki-manager.symauth.com/pki-manager/.
- Enter your PIN and, if necessary, choose which certificate should be used for authentication.
- In Symantec, select Get an RA certificate.
- Paste the copied CSR from Jamf Pro, enter a certificate friendly name, and click Continue.
- Download the generated Symantec RA certificate and click Next.
b. In Jamf Pro, enter the "Symantec CA Configuration Name", paste the copied RA certificate from Symantec, and click Next.
- To copy the contents of the RA certificate, open the file with any text editor (e.g., "TextWrangler", "Atom", "Notepad").
c. Click Done. If the new Certificate Authority is configured successfully then it will be listed in the PKI Certificates table.
Step 3: Set up configuration profile payloads in Jamf Pro to issue Symantec certificates to devices
- In Jamf Pro, navigate to the configuration profile of the computer or mobile device that the Symantec certificate should be installed on.
- In the configuration profile Options tab, navigate to the Certificate payload and click Edit.
- Add a Certificate payload for each Symantec certificate:
- Specify how certificates should be issued to devices/usernames: either one certificate for each device in the scope, or one certificate used for all devices in the scope.
- Ensure the newly created Certificate payload is associated with the appropriate payload variables (e.g., "Wi-Fi", "VPN").
- (Optional) Click the Scope tab to configure the scope of the configuration profile.
- Click Save and select Distribute to All if you want to issue Symantec certificates to all devices.
Inventory information for a user must be complete to properly issue a Symantec certificate to a device. If there is incomplete data in inventory information for a user in Jamf Pro, Symantec certificates will be issued with "N/A" recorded for the missing attributes.
- Repeat the process for all configuration profiles that use the Symantec plug-in.
Step 4: Verify that Symantec certificates were properly issued to devices
To verify if a Symantec certificate was properly issued to a device, in Jamf Pro navigate to the management information for the device, click the Configuration Profiles category, and view the status for the profile containing the newly created Certificate payload. If the process was unsuccessful, you can view the failed configuration profile for more details.
- Symantec certificates are issued during configuration profile installation and it is not possible to re-deploy them for a specific device once user details are changed. If this data is changed after the configuration profile is installed on a computer or mobile device, then the only way to reissue a certificate is to redistribute it to all devices again. It is recommended that you delete the device configuration profile and reissue the certificates.
- Symantec certificates are issued multiple times to computers during profile re-enrollment.
If you delete an MDM profile from a computer, or remove it by executing the command sudo jamf removeframework, active Symantec certificates will be issued multiple times during profile re-enrollment.
- When configuring the Wi-Fi payload in configuration profiles, Symantec certificates will not be displayed under "Trusted Certificates".
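The note on incomplete inventory data and the re-enrollment issue above both leave traces in the issued certificates themselves. The following is an added example, not code from Jamf or Symantec: it audits a list of issued-certificate records for "N/A" attributes and for more than one active certificate per device and Common Name. The record layout, the function names, and the assumption that the "N/A" placeholder appears in the subject DN are all assumptions of this example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (device, subject DN, serial, notAfter). All values are made up.
SAMPLE = [
    ("mac-001", "CN=jdoe,OU=Engineering,O=Example Corp", "1A01", "2031-01-01"),
    ("mac-001", "CN=jdoe,OU=Engineering,O=Example Corp", "1A02", "2031-01-01"),
    ("ipad-007", "CN=asmith,OU=N/A,O=Example Corp,emailAddress=N/A", "1B01", "2031-01-01"),
    ("mac-002", "CN=Lee\\, Kim,OU=Sales,O=Example Corp", "1C01", "2020-01-01"),
]

def parse_dn(dn):
    """Split a subject DN into (attribute, value) pairs, honouring backslash
    escapes such as '\\,'. Hex escapes (e.g. '\\2C') are not decoded."""
    pairs, buf, escaped = [], [], False
    for ch in dn + ",":              # trailing comma flushes the last RDN
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":             # RDN separator or multi-valued RDN
            attr, _, value = "".join(buf).partition("=")
            if attr.strip():
                pairs.append((attr.strip(), value.strip()))
            buf = []
        else:
            buf.append(ch)
    return pairs

def audit(records, today):
    """Return (placeholder findings, duplicate active certificates)."""
    placeholder, active = [], defaultdict(list)
    for device, dn, serial, not_after in records:
        attrs = parse_dn(dn)
        # Attributes issued with "N/A" point at incomplete inventory data.
        missing = [a for a, v in attrs if v.upper() == "N/A"]
        if missing:
            placeholder.append((device, serial, missing))
        # Several unexpired certificates for one device and CN suggest re-issuance.
        if date.fromisoformat(not_after) >= today:
            cn = next((v for a, v in attrs if a.upper() == "CN"), "")
            active[(device, cn)].append(serial)
    duplicates = {k: v for k, v in active.items() if len(v) > 1}
    return placeholder, duplicates

if __name__ == "__main__":
    flagged, dupes = audit(SAMPLE, date.today())
    print("N/A attributes:", flagged)
    print("Multiple active certificates:", dupes)
```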