
Issuing Symantec Certificates to Computers and Mobile Devices in Jamf Pro

Overview

This article explains how to issue Symantec certificates to computers and mobile devices in Jamf Pro using the Symantec Managed PKI Service.

Versions Affected

Jamf Pro 9.98 or later

Requirements

  • Symantec Managed PKI service
  • Web browser with the Symantec PKI Manager
  • Symantec Administrator certificate added to a local keychain
  • Push certificate configured in Jamf Pro

Procedure

The procedure requires configuring Jamf Pro and the Symantec PKI Manager simultaneously. It is important to note that each configuration is unique to your environment, and additional steps may be necessary.

The procedure involves the following steps:

  1. Add new certificate profiles in the Symantec PKI Manager
  2. Configure a Certificate Authority in Jamf Pro
  3. Set up configuration profile payloads in Jamf Pro to issue Symantec certificates to devices
  4. Verify that Symantec certificates were properly issued to devices

Glossary

  • CA: Certificate Authority
  • CSR: Certificate Signing Request
  • RA: Registration Authority
  • PKI: Public Key Infrastructure
  • CN: Common Name

Step 1: Add new certificate profiles in the Symantec PKI Manager

  1. In the Symantec PKI Manager, navigate to Settings > Manage certificate profiles.
  2. Click Add certificate profile to set up a new certificate profile for the existing Symantec certificates in Jamf Pro and proceed with the onscreen instructions.
  3. Continue to add certificate profiles until a profile has been created for each Symantec certificate.

Step 2: Configure a Certificate Authority in Jamf Pro

  1. In Jamf Pro, navigate to Settings > System Settings > PKI Certificates.
  2. Click Add New Certificate Authority.
  3. Select "Symantec" as the PKI Provider and proceed with the help assistant.
     a. When prompted, navigate to the Symantec PKI Manager website: https://pki-manager.symauth.com/pki-manager/.
        - Enter your PIN and, if necessary, choose which certificate should be used for authentication.
        - In Symantec, select Get an RA certificate.
        - Paste the copied CSR from Jamf Pro, enter a certificate friendly name, and click Continue.
        - Download the generated Symantec RA certificate and click Next.
     b. In Jamf Pro, enter the "Symantec CA Configuration Name", paste the copied RA certificate from Symantec, and click Next.
        - To copy the contents of the RA certificate, open the file with any text editor (e.g., "TextWrangler", "Atom", "Notepad").
     c. Click Done. If the new Certificate Authority is configured successfully, it will be listed in the PKI Certificates table.

Step 3: Set up configuration profile payloads in Jamf Pro to issue Symantec certificates to devices

  1. In Jamf Pro, navigate to the configuration profile of the computer or mobile device that the Symantec certificate should be installed on.
  2. In the configuration profile Options tab, navigate to the Certificate payload and click Edit.
  3. Add a Certificate payload for each Symantec certificate:
     - Specify how certificates should be issued to devices/usernames: either one certificate for each device in the scope, or one certificate used for all devices in the scope.
  4. Ensure the newly created Certificate payload is associated with the appropriate payload variables (e.g., "Wi-Fi", "VPN").
  5. (Optional) Click the Scope tab to configure the scope of the configuration profile.
  6. Click Save and select Distribute to All if you want to issue Symantec certificates to all devices.
     Important: Inventory information for a user must be complete to properly issue a Symantec certificate to a device. If inventory information for a user in Jamf Pro is incomplete, Symantec certificates will be issued with "N/A" recorded for the missing attributes.
  7. Repeat the process for all configuration profiles that use the Symantec plug-in.

Step 4: Verify that Symantec certificates were properly issued to devices

To verify that a Symantec certificate was properly issued to a device, in Jamf Pro navigate to the management information for the device, click the Configuration Profiles category, and view the status for the profile containing the newly created Certificate payload. If the process was unsuccessful, you can view the failed configuration profile for more details.
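
A device-side complement to the profile status check, as an added example that is not part of the original article or of Jamf's tooling: it lists subject attributes that carry the "N/A" placeholder mentioned in Step 3. It assumes the missing inventory attributes are written into the certificate's subject DN; the helper names and sample subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example: list subject attributes whose value is the "N/A" placeholder.
# Assumption: missing inventory attributes are written into the subject DN.

# na_attributes (hypothetical helper): reads subject lines in RFC 2253 form
# on stdin and prints the name of every attribute whose value is "N/A".
na_attributes() {
    awk '{
        sub(/^subject= ?/, "")      # drop the label openssl prints
        gsub(/\\,/, "\001")         # protect escaped commas inside values
        gsub(/\\\+/, "\002")        # protect escaped plus signs
        n = split($0, rdn, /[,+]/)  # one element per attribute=value pair
        for (i = 1; i <= n; i++) {
            eq = index(rdn[i], "=")
            if (eq == 0) continue
            name  = substr(rdn[i], 1, eq - 1)
            value = substr(rdn[i], eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (toupper(value) == "N/A") print name
        }
    }'
}

# check_cert (hypothetical helper): same check on a PEM certificate file,
# for example one exported on a Mac with
#   security find-certificate -c "<common name>" -p > cert.pem
check_cert() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | na_attributes
}

# Constructed sample subjects, not taken from real certificates.
sample_complete='subject=CN=jdoe,OU=Sales,O=Example Corp'
sample_missing='subject=CN=N/A,OU=Sales\, EMEA,emailAddress=N/A,O=Example Corp'

for s in "$sample_complete" "$sample_missing"; do
    flagged=$(printf '%s\n' "$s" | na_attributes | tr '\n' ' ')
    printf '%s -> %s\n' "$s" "${flagged:-complete}"
done
```

An empty result from `check_cert` means no subject attribute holds the placeholder; any name it prints points at inventory data to complete before the certificate is reissued.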

Further Considerations

  • Symantec certificates are issued during configuration profile installation and it is not possible to re-deploy them for a specific device once user details are changed. If this data is changed after the configuration profile is installed on a computer or mobile device, then the only way to reissue a certificate is to redistribute it to all devices again. It is recommended that you delete the device configuration profile and reissue the certificates.
  • Symantec certificates are issued multiple times to computers during profile re-enrollment. If an MDM profile is deleted from a computer, or removed by executing the command sudo jamf removeframework, active Symantec certificates will be issued multiple times during profile re-enrollment.
  • When configuring the Wi-Fi payload in configuration profiles, Symantec certificates will not be displayed under "Trusted Certificates".

Posted by iordonez:

Apparently Step 2 needs to be completed before Step 1, otherwise you'll get an error with a new Symantec Managed PKI instance.

Posted by cj.krueger:

@iordonez Good catch! The article has been updated.
