General Configuration

Last updated 13 days ago

SCEPman can be connected to Jamf Pro as an External CA via SCEPman's dedicated Jamf endpoint, allowing enrolled users and devices to obtain certificates. Jamf Pro acts as a SCEP Proxy, proxying the communication between SCEPman and the Jamf Pro-managed devices.

Enable Jamf Integration

The Jamf integration of SCEPman is enabled via the following environment variables (app settings) on the SCEPman App Service:

Setting: AppConfig:JamfValidation:Enabled
Description: Do you want to use SCEPman with Jamf?
Example: true

Setting: AppConfig:JamfValidation:RequestPassword
Description: Jamf authenticates its certificate requests at SCEPman with this secure password. Consider adding this as a secret in your SCEPman KeyVault.
Example: max 32 character password

Setting: AppConfig:JamfValidation:ValidityPeriodDays (optional)
Description: How many days shall certificates issued via Jamf be valid at most?
Example: 365

Setting: AppConfig:JamfValidation:EnableCertificateStorage (optional)
Description: Enable this setting to save Jamf certificates in Certificate Master.
Example: true or false (default)

API Connection

SCEPman needs to be connected to the Jamf API to check the status of onboarded clients. This is used for the revocation of certificates.

Refer to the Jamf documentation on how to create an API role and API client. The API client must have a role with these permissions:

  • Read Mobile Devices

  • Read Computers

  • Read User

Please define the following environment variables in your SCEPman App Service:

Setting: AppConfig:JamfValidation:URL
Description: The URL of your Jamf instance
Example: https://contoso.jamfcloud.com

Setting: AppConfig:JamfValidation:ClientID
Description: The identifier of the Jamf API client
Example: Jamf ClientId

Setting: AppConfig:JamfValidation:ClientSecret
Description: The Client Secret value for the API Client configuration. Consider adding this as a secret in your SCEPman KeyVault.
Example: Jamf Client Secret
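The two tables above (Enable Jamf Integration and API Connection) can be applied in one go with the Azure CLI. The script below is an added example and not part of the SCEPman documentation or product: it stores the request password and the Jamf client secret in Key Vault and writes Key Vault references into the app settings, so neither secret sits in plaintext in the App Service configuration. The resource group, App Service, vault and secret names (rg-scepman, app-scepman, kv-scepman, jamf-request-password, jamf-client-secret) are assumptions; it also assumes the App Service's managed identity has been granted read access to secrets in that vault, which is what makes a Key Vault reference resolve.

```shell
#!/usr/bin/env sh
# Added example (not SCEPman's own tooling): push the Jamf integration settings
# to the SCEPman App Service with the Azure CLI, keeping secrets in Key Vault.
# All resource and secret names below are assumptions; override via environment.

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-scepman}"
APP_NAME="${APP_NAME:-app-scepman}"
KEYVAULT="${KEYVAULT:-kv-scepman}"

# The page limits the Jamf request password to 32 characters.
# Returns 0 if the password is non-empty and at most 32 characters long.
check_request_password() {
  pw="$1"
  [ -n "$pw" ] && [ "${#pw}" -le 32 ]
}

# App Service Key Vault reference syntax: the app resolves the secret at start-up
# with its managed identity, so the plaintext never appears in the app settings.
kv_reference() {
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s/)' "$1" "$2"
}

# Assemble the KEY=VALUE pairs of both tables as one space-separated list.
# jamf_settings JAMF_URL CLIENT_ID [VALIDITY_DAYS] [STORE_CERTS]
jamf_settings() {
  jamf_url="$1"; client_id="$2"; validity_days="${3:-365}"; store_certs="${4:-false}"
  printf '%s ' \
    "AppConfig:JamfValidation:Enabled=true" \
    "AppConfig:JamfValidation:RequestPassword=$(kv_reference "$KEYVAULT" jamf-request-password)" \
    "AppConfig:JamfValidation:ValidityPeriodDays=$validity_days" \
    "AppConfig:JamfValidation:EnableCertificateStorage=$store_certs" \
    "AppConfig:JamfValidation:URL=$jamf_url" \
    "AppConfig:JamfValidation:ClientID=$client_id" \
    "AppConfig:JamfValidation:ClientSecret=$(kv_reference "$KEYVAULT" jamf-client-secret)"
}

# Store the secrets, then write the settings. Secret values are read from the
# environment (JAMF_REQUEST_PASSWORD, JAMF_CLIENT_SECRET) rather than from argv.
apply_settings() {
  check_request_password "$JAMF_REQUEST_PASSWORD" \
    || { echo "JAMF_REQUEST_PASSWORD must be 1 to 32 characters" >&2; return 1; }
  az keyvault secret set --vault-name "$KEYVAULT" --name jamf-request-password \
    --value "$JAMF_REQUEST_PASSWORD" --output none
  az keyvault secret set --vault-name "$KEYVAULT" --name jamf-client-secret \
    --value "$JAMF_CLIENT_SECRET" --output none
  # Word splitting of the settings list is intended: one KEY=VALUE per word.
  az webapp config appsettings set --resource-group "$RESOURCE_GROUP" --name "$APP_NAME" \
    --settings $(jamf_settings "$JAMF_URL" "$JAMF_CLIENT_ID" "$VALIDITY_DAYS" "$STORE_CERTS") \
    --output none
}

# Usage:
#   JAMF_URL=https://contoso.jamfcloud.com JAMF_CLIENT_ID=... JAMF_CLIENT_SECRET=... \
#   JAMF_REQUEST_PASSWORD=... sh jamf-settings.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_settings
fi
```

The Key Vault references resolve only once the App Service's identity can read the secrets; until then the app sees the literal reference string, which SCEPman will reject as a password, so check the App Service configuration blade for the reference status after running this.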

Jamf Pro's Classic API supports Bearer Authentication since version 10.35.0. Since version 10.36.0 there is a setting to disable the previous authentication method, Basic Authentication. A future Jamf version scheduled for August-December 2022 will remove support for Basic Authentication. SCEPman 2.0 and lower support only Basic Authentication for the Classic API, while SCEPman 2.1 and higher use Bearer Authentication. In order to use Bearer Authentication, you must upgrade to SCEPman 2.1 or higher.

External CA Connection

Open Jamf Pro settings and choose "PKI Certificates" under "Global Management":

Switch to the "Management Certificate Template" tab, then to "External CA", and activate edit mode. Enable Jamf Pro as "SCEP Proxy for configuration profiles":

Please fill out the following fields and save the configuration:

Field: URL
Description: URL to SCEPman's Jamf endpoint. Do NOT forget the /jamf at the end.
Example/Value: https://scepman.contoso.com/jamf

Field: Name
Description: name of the instance
Example/Value: SCEPman Contoso

Field: Subject
Description: entities following the X.500 standard
Example/Value: O=Contoso

Field: Challenge Type
Description: challenge type for verification of certificate issuing
Example/Value: Static

Field: (Verify) Challenge
Description: pre-shared secret (challenge) defined in SCEPman via the parameter AppConfig:JamfValidation:RequestPassword

Field: Key Size
Description: key size in bits
Example/Value: 2048

Field: Use as digital signature
Example/Value: Yes (if needed)

Field: Use for key encipherment
Example/Value: Yes (if needed)

Field: Fingerprint
Description: Thumbprint of the SCEPman CA certificate (SHA-1)
Example/Value: visible via the SCEPman dashboard ("CA Thumbprint")
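Two of the fields above are easy to get subtly wrong: the URL without the trailing /jamf, and a thumbprint pasted in a different form than Jamf expects (colons, lowercase, a stray space). The following pre-flight script is an added example, not part of the SCEPman documentation: it checks the URL shape, normalizes a thumbprint to 40 uppercase hex digits, and, when OpenSSL is available, recomputes the SHA-1 fingerprint of the CA certificate downloaded via "Get CA Certificate" and compares it with the value shown on the dashboard. File names and host names are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not SCEPman's own tooling): sanity checks for the External CA
# form values before they are entered in Jamf Pro. Paths/hosts are assumptions.

# The URL must be https and point at SCEPman's Jamf endpoint, i.e. end in /jamf.
# A trailing slash is tolerated. Returns 0 if the URL looks right.
check_scep_url() {
  case "$1" in
    https://*/jamf|https://*/jamf/) return 0 ;;
    *) return 1 ;;
  esac
}

# Bring any copied thumbprint form (dashboard value, openssl output with colons,
# lowercase, spaces) to 40 uppercase hex digits so two copies can be compared.
normalize_thumbprint() {
  printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Returns 0 if the value is a well-formed SHA-1 thumbprint after normalization.
check_thumbprint() {
  t=$(normalize_thumbprint "$1")
  [ "${#t}" -eq 40 ] && [ -z "$(printf '%s' "$t" | tr -d '0-9A-F')" ]
}

# Recompute the SHA-1 fingerprint of the downloaded CA certificate (PEM or DER)
# and compare it with the expected thumbprint. Needs openssl.
# Returns 0 on match, 1 on mismatch, 2 if the file could not be parsed.
thumbprint_matches_file() {
  cert="$1"; expected="$2"
  if ! actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha1 2>/dev/null); then
    actual=$(openssl x509 -inform DER -in "$cert" -noout -fingerprint -sha1 2>/dev/null) || return 2
  fi
  # openssl prints "sha1 Fingerprint=AA:BB:..." (older builds: "SHA1 Fingerprint=").
  [ "$(normalize_thumbprint "${actual#*=}")" = "$(normalize_thumbprint "$expected")" ]
}

# Usage: sh check-jamf-fields.sh https://scepman.contoso.com/jamf ./scepman-ca.cer <thumbprint>
if [ $# -eq 3 ]; then
  check_scep_url "$1" && echo "URL ok" || echo "URL must be https and end in /jamf"
  check_thumbprint "$3" && echo "thumbprint format ok" || echo "thumbprint must be 40 hex digits"
  thumbprint_matches_file "$2" "$3" && echo "thumbprint matches $2" || echo "thumbprint does NOT match $2"
fi
```

A mismatch between the recomputed fingerprint and the dashboard value usually means the wrong certificate was downloaded (for example an intermediate instead of the root the instance actually signs with); fix that before saving the Jamf configuration, since Jamf uses the fingerprint to decide whether issued certificates come from the expected CA.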

Signing Certificate

When using an external CA, Jamf requires that you add the CA certificate so Jamf can check whether issued certificates are correctly signed. However, Jamf only allows adding a CA certificate if you also add a signing certificate with a corresponding private key. Jamf uses this signing certificate to sign the certificate requests that are sent to SCEPman. SCEPman, in turn, does not evaluate the signature on requests and accepts even unsigned requests (e.g. from Intune), because the validity of a request stems solely from using the right request challenge password configured in Jamf.

Hence, you may use any certificate you like as the signing certificate; for example, you can generate a self-signed certificate with the following PowerShell commands:

# Create a self-signed certificate in the current user's store, valid for 10 years
$cert = New-SelfSignedCertificate -Subject "CN=JAMF Signer Certificate for SCEPman" -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(10)
# Export certificate and private key as PKCS#12 (PFX), protected with the given password
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, "password")
# Write the PFX file that will be uploaded to Jamf
[System.IO.File]::WriteAllBytes("c:\temp\jamf.pfx", $pfxBytes)
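Many Jamf administrators work from macOS or Linux, where the PowerShell cmdlet above is not available. The OpenSSL equivalent below is an added example and not part of the SCEPman documentation: it creates the same kind of self-signed signing certificate and packs certificate and private key into a PKCS#12/PFX file for the Jamf wizard. The output directory, file names, the exported subject name and the export password are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from SCEPman): OpenSSL equivalent of the PowerShell command
# for generating a throwaway signing certificate for Jamf's External CA wizard.
# Output paths and names are assumptions.

# make_signer_pfx OUTDIR PFX_PASSWORD [SUBJECT_CN]
# Writes OUTDIR/jamf-signer.crt and OUTDIR/jamf.pfx; the plaintext key is removed.
make_signer_pfx() {
  outdir="$1"; pfx_password="$2"; cn="${3:-JAMF Signer Certificate for SCEPman}"
  mkdir -p "$outdir"
  # Self-signed, RSA 2048, valid 10 years like the PowerShell example (-days 3650).
  # -nodes leaves the key unencrypted on disk only until it is packed into the PFX.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/CN=$cn" \
    -keyout "$outdir/jamf-signer.key" -out "$outdir/jamf-signer.crt" >/dev/null 2>&1 || return 1
  # Pack key and certificate into a PFX (PKCS#12). On OpenSSL 3 add "-legacy"
  # if the importing system rejects the newer PBES2/AES encoding.
  openssl pkcs12 -export \
    -inkey "$outdir/jamf-signer.key" -in "$outdir/jamf-signer.crt" \
    -name "Jamf signer for SCEPman" \
    -passout "pass:$pfx_password" -out "$outdir/jamf.pfx" || return 1
  # The private key now lives inside the PFX; drop the plaintext copy.
  rm -f "$outdir/jamf-signer.key"
  chmod 600 "$outdir/jamf.pfx"
}

# Show subject and expiry of the certificate inside a PFX without extracting the key.
# show_pfx_subject PFX_FILE PFX_PASSWORD
show_pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

# Usage: sh make-jamf-signer.sh ./out 'chosen-pfx-password'
if [ $# -ge 2 ]; then
  make_signer_pfx "$1" "$2" && show_pfx_subject "$1/jamf.pfx" "$2"
fi
```

Because SCEPman ignores the request signature, this key has no security function beyond satisfying Jamf's wizard; still, the password is passed on the command line here for brevity, so on a shared machine prefer `-passout file:` or `env:` and clear the shell history afterwards.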

Then click on "Change Signing and CA Certificates" in the External CA configuration of Jamf.

In the wizard, upload the PFX file with the signing certificate when Jamf asks for it (note: PKCS#12 and PFX are synonyms). In the next steps, enter the password for the PFX file and confirm the selection of the signing certificate. In the tab "Upload CA Certificate", you must upload the SCEPman CA certificate. You can obtain the SCEPman CA certificate by clicking on the link "Get CA Certificate" on the top right of the homepage of your SCEPman instance. Finally, confirm your changes.
