[Solved] Jamf Casper Certificate Error

Apple devices and gadgets have been unparalleled in cutting-edge technology and customer satisfaction over the years. In a recent interview, Linh Lam, the CIO of Jamf, predicted that Apple would reach the pinnacle of enterprise endpoints by 2030. Along similar lines, Jamf has kept pace with these emerging technologies by providing a holistic security framework for Apple devices.

Although Jamf is a superior UEM solution and is consistently rated highly by its customers, you might still face a few errors while integrating it with your devices to issue digital certificates. This article covers some prominent Jamf Casper (now Jamf Pro) certificate errors you might encounter during that integration, along with their practical solutions.

1. Error: “Invalid Certificate” or “Invalid Profile” during MDM Enrollment

This is one of the most common errors customers face while enrolling their smartphones or other mobile devices in MDM (Mobile Device Management), Jamf Pro in this case. There could be several reasons for these error messages, such as:

  • Jamf Pro was unable to establish trust with the mobile device for encrypted communication.
  • The SSL Certificate used in Jamf Pro might be self-signed.
  • The CA certificate might be missing on the device because it was not installed at the time of enrollment.

For self-signed certificate errors, we recommend the following measures as suggested by Jamf support:

  • Replace the server certificate with one issued by Jamf Pro’s integrated CA.
  • You can also use a reliable third-party CA for the same.

For the missing CA certificate, please use the following recommendation by Jamf Pro support:

Using Jamf’s built-in CA

  • Try replacing the web server certificate in Jamf Pro with a certificate from the JSS’s built-in CA. You can follow the given instructions:
    • Log in to Jamf Pro.
    • Click Settings.
    • Click System Settings.
    • Click Apache Tomcat Settings.
    • Click Edit.
    • Select Change the SSL certificate used for HTTPS.
    • Click Next.
    • Select Generate a certificate from the JSS’s built-in CA.
    • Click Next.
    • Click Done.
    • Restart Tomcat.
    • Refer to Starting and Stopping Tomcat for instructions.

Using Third-party CA

If you are going to install a public certificate from a third-party CA such as SecureW2’s JoinNow Connector PKI, you can follow these steps:

  • Log in to Jamf Pro.
  • Click Settings.
  • Click Global Management.
  • Click User-Initiated Enrollment.
  • Click Edit.
  • On the General pane, clear the Skip certificate installation during enrollment checkbox.
  • Click Save.

You can minimize these errors by using SecureW2’s Managed PKI, which helps you manage and customize your CA to meet your security needs. Our PKI services allow you to generate your own Root and Intermediate Certificate Authorities, so you can enable your firewall to check the traffic it needs. It also assists you in generating different certificate templates (for numerous use cases) so that misconfiguration won’t be a problem.

2. Error: “An error occurred while processing your Single Sign-On request. Contact your administrator for assistance.”

This error is caused by uploading an invalid signing certificate or by the certificate in use having expired. You may see the following error message in the Jamf Pro log: authentication.AuthenticationServiceException (Spring Security)

Fortunately, you can fix this error quickly by following the given instructions from Jamf support:

  • Verify the validity of the Jamf Pro certificate and your Identity Provider’s certificate.
  • Regularly refresh Jamf Pro’s metadata if you make any modifications.

3. Error: “Metadata file does not contain signing certificate information.”

You might encounter this frequent error while trying to upload a metadata file to the Jamf Pro server. The error appears when the KeyDescriptor element in the metadata file does not carry the use=signing attribute.

We suggest you follow these instructions from the Jamf Pro support team to resolve this error:

  • Open the metadata file after downloading it from Jamf Pro.
  • Under IDPSSODescriptor, find the KeyDescriptor.
  • Add the use=signing attribute to the KeyDescriptor.
  • Save the metadata file.
  • Upload the file again to the Jamf Pro server.
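The manual edit above can also be scripted. The following is an added example, not code from Jamf or SecureW2: it marks every unlabelled KeyDescriptor under IDPSSODescriptor as a signing key and refuses to touch metadata that carries an XML signature, since editing would invalidate it. The function names, the sample entityID and URLs, and the placeholder certificate are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
KEYS = f".//{{{MD}}}IDPSSODescriptor/{{{MD}}}KeyDescriptor"
ET.register_namespace("md", MD)  # keep readable prefixes in the output
ET.register_namespace("ds", DS)

# Constructed sample metadata: the KeyDescriptor has no "use" attribute and
# the certificate body is a placeholder, not a real certificate.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def count_signing_keys(metadata_xml):
    """Count IDPSSODescriptor KeyDescriptors explicitly marked use="signing"."""
    root = ET.fromstring(metadata_xml)  # parse only metadata from a trusted source
    return sum(1 for kd in root.findall(KEYS) if kd.get("use") == "signing")


def add_signing_use(metadata_xml):
    """Add use="signing" to KeyDescriptors that have no "use" attribute.

    Returns (new_xml, changed_count). Descriptors that already declare a use
    (signing or encryption) are left alone. Signed metadata is rejected
    because any edit would invalidate its signature.
    """
    root = ET.fromstring(metadata_xml)
    if root.find(f"{{{DS}}}Signature") is not None:
        raise ValueError("metadata is signed; request corrected metadata instead")
    changed = 0
    for kd in root.findall(KEYS):
        if kd.get("use") is None:
            kd.set("use", "signing")
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    fixed, n = add_signing_use(SAMPLE)
    print(f"updated {n} KeyDescriptor(s); signing keys now: {count_signing_keys(fixed)}")
```
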

4. Certificate Authority (CA) Certificate Error

You can get a few CA Certificate Errors caused by one of the following issues:

  • There are multiple CA certificates in the database table.
  • There was an issue creating a new CA certificate.
  • There was a database error in locking, reading, or inserting the CA certificate.

Jamf Pro recommends contacting their support team if you run into this error. However, many of these errors could be prevented before they occur by using an easy, efficient, managed PKI such as SecureW2’s JoinNow Connector PKI.

SecureW2 Makes Certificate Management Easy with Jamf Pro

Jamf + SecureW2 Solution

Jamf is an excellent tool for managing your Apple devices, but confusing errors can occur in Jamf when you use secure certificate-based authentication. Fortunately, SecureW2’s JoinNow Connector PKI is designed to seamlessly integrate with all major MDMs, including Jamf. Our PKI smoothly combines Jamf’s optimized device management with certificate enrollment for a top-notch certificate management experience.

SecureW2 has even designed new features with Jamf in mind. Our new Jamf auto-revocation feature makes certificate revocation much simpler. Administrators can add devices to smart groups in Jamf, and our PKI can check those groups every few minutes, removing certificates belonging to devices in those groups. This means that the instant there are any changes to your organization, such as people leaving the company, our PKI can work with Jamf to ensure network access is updated instantly.

To find out how SecureW2’s certificate solutions can support your Jamf network, feel free to visit our pricing page.

Key Takeaways:
  • SecureW2’s JoinNow Connector PKI is designed to seamlessly integrate with all major MDMs, including Jamf.
  • SecureW2's Jamf auto-revocation feature makes certificate revocation much simpler.
Vivek Raj

Vivek is a Digital Content Specialist from the garden city of Bangalore. A graduate in Electrical Engineering, he has always pursued writing as his passion. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favorite cricket.