Home Knowledge Base SecureW2 Documentation Dynamic ACME DA Jamf Configuration Guide

Dynamic ACME DA Jamf Configuration Guide

Introduction

SecureW2’s ACME service can cryptographically prove a device is a genuine Apple Product, and confirm its Serial Number using Apple Managed Device Attestation (MDA). MDA is what allows JoinNow Connector to validate a device’s identity and cross-reference it with your MDM to ensure only trusted devices can enroll for certificates. 

Traditional SCEP implementations only require a pre-shared key for certificate issuance. With ACME, organizations can ensure that only trusted, managed devices obtain and maintain certificates that are used to access critical resources. This guide describes the steps to integrate Jamf MDM with JoinNow’s Cloud Connector to allow devices, such as macOS, iOS, iPadOS, and tvOS, to enroll for digital certificates via an ACME (Automated Certificate Management Environment) Client Certificate Enrollment token.

Prerequisites

The following are the prerequisites to set-up ACME based enrollment:

  1. iOS devices that support ACME protocol.(version 16 and above)
  2. Subscription to Jamf Portal.
  3. JoinNow active subscription along with Enterprise Enrollment and Attestation (EEA).

Set-up ACME with JoinNow

To set-up ACME based enrollment in SecureW2, the following high-level steps are required:

  1. Creating an Intermediate CA
  2. Creating a Certificate Template
  3. Creating Key Attestation Provider
  4. Creating ACME API Gateway
  5. Creating an Identity Lookup Provider 
  6. Creating Policies Management

Creating an Intermediate CA

It is recommended to have a new intermediate CA for enrolling devices using ACME Gateway integration with Jamf for easy management. 

To create a new intermediate CA:

  1. From your JoinNow Management Portal, go to Dynamic PKI > Certificate Authorities.
  2. Click Add Certificate Authority.
  3. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  4. From the Type drop-down list, select Intermediate CA.
  5. From the Certificate Authority drop-down, select the default Root CA that comes with your organization.
  6. For the Common Name field, enter a name. It is recommended to include “ACME” in the name.
  7. Click Save.

Creating a Certificate Template for Jamf 

A certificate template determines how information is encoded in the certificate to be issued by the Certificate Authority. It will consist of a list of certificate attributes and how the information must be encoded in the attribute values. 

It is recommended to create a separate template for each MDM platform for easier identification of different values being passed.  To create an Jamf Certificate Template:

  1. Navigate to Dynamic PKI > Certificate Authorities
  2. Click Add Certificate Template.
  3. In the Basic section, for the Name field, enter the name of the certificate template.
  4. Subject field can be configured to source values from the Jamf.

          a. To use the attributes sent from Jamf, enter CN=${/csr/subject/commonname}

  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  8. In the SAN section:

          a. In the Other Name field, enter ${/csr/san/othername}

          a. In the RFC822 field, enter ${/csr/san/rfc822name}

          c. In the DNS field, enter ${/csr/san/dnsname}

  9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  10. Click Save.

Creating a Key Attestation Provider

A Key Attestation Provider in JoinNow helps set up device attestation services for iOS devices. To create a Key Attestation platform:

  1. Log in to JoinNow Management Portal.
  2. Navigate to Integrations Hub > Key Attestation Platforms.
  3. Click Add.
  4. In the Name field, enter a name for your Key Attestation Provider.
  5. In the Display Description field, enter a description (Optional).
  6. From the Type drop-down, select Apple.
  7. Click Save.

Creating a Device Management Platform in JoinNow

To generate an ACME Certificate Enrollment Token from JoinNow:

  1. Navigate to Integrations Hub > Device Management Platforms.
  2. Click Add.
  3. In the Name field, enter a name for your API Token.
  4. In the Display Description field, enter a description (Optional).
  5. From the Type drop-down, select ACME Client Certificate Enrollment Token.
  6. From the Vendor drop-down, select Jamf.
  7. Click Save. A .mobileconfig file is downloaded.

Creating a Core Platform in JoinNow

To create an Core Platform for Jamf ACME based enrollment:

  1. Navigate to Integrations Hub > Core Platforms.
  2. Click Add.
  3. Enter a Name and Description for the IDP in the respective fields.
  4. From the Type drop-down list, select Jamf Identity Lookup.
  5. Click Save. The page refreshes and opens the Configuration, Attribute Mapping, and Groups tab. 
  6. Click on the Configuration tab.
  7. From the Authentication Type drop-down, select the required authentication type for Lookup. Below are the provided options:a. Bearer Token – Authentication is done using Jamf user credentials. i. For Provider URL, enter the JAMF URL of the organization.

    ii. For the Username and Password fields, enter the JAMF credentials.

    iii. Click Validate to check your connection with JAMF

          b. Client Credentials – Authentication is done using Client credentials

    i. For Provider URL, enter the JAMF URL of the organization.

    ii. For the Client ID field, enter the client ID from Jamf.

    iii. For the Client Secret field, enter the client secret from Jamf

    iv. Click Validate to check your connection with JAMF.

  8. Set up required attributes in the Attribute Mapping tab.
  9. Create required groups in the Groups tab.
  10. Click Update.

Policy Management in JoinNow

Policy Management allows us to create specific Lookup policies, roles for user and device groups, which can be used in SecureW2 to create custom certificate enrollment policies. 

Creating a Security Signal Source:

A security signal source can be mapped along with the Jamf Identity Lookup provider created earlier for device lookup.

    1. From the JoinNow Management Portal, go to Policy Management > Security Signal Sources.
    2. Click Add Security Signal Source.
    3. In the Basic tab, enter a Name and Description in respective fields.
    4. Lookup Purpose – Purpose of Account Lookup 

            a. Certificate Issuance – To lookup user/device account during Enrollment.

            b. RADIUS Authentication       – To lookup user/device account during RADIUS Authentication
    5. Click Save. The page refreshes and the Settings tab is displayed.
    6. Under the Settings section, from the Identity Provider Lookup drop-down list, select the Identity Lookup Provider created in the previous section (see the 3.5 Creating an Identity Lookup Provider in JoinNow section).
    7. From the Lookup Type drop-down list, select the lookup type: 
       
      a. Auto: The system automatically uses identity as the Lookup attribute.

      b. Device: The Identity drop-down list is displayed. Select a device identity for lookup.
      c. User: The Identity drop-down list is displayed. Select a user identity for lookup

    8. Select the Revoke On Failure checkbox to automatically revoke a certificate if an account lookup fails, if necessary.
    9. Click Update.

Creating a Policy Workflow

  1. Go to Policy Management > Policy Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Basic section,a. In Name field, enter a name for the policy.

    b. In the Description field, enter a description for the policy.

  4. Click Save.The page refreshes and automatically selects the Conditions tab.
  5. In the Conditions section, click the Core Provider drop-down and select the Identity Lookup Provider you created in the earlier section.
  6. Click Update.

Creating a Device Role Policy

Device Role Policy helps in mapping the attestation provider in JoinNow for device attestation.

  1. From the JoinNow Management Portal, go to Policy Management > Device Roles.
  2. Click Add Device Role Policy.
  3. In the Basic tab, for Name, enter a name.
  4. For Description, enter a description.
  5. Click Save. The page refreshes and the Conditions tab opens.
  6. Click on the Conditions tab.
  7. From the Identity drop-down, select the Key Attestation Provider created in section.
  8. Click Update.

Creating an Enrollment Policy

  1. From the JoinNow Management Portal, go to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. In the Basic tab, for Name, enter a name.
  4. For Description, enter a description.
  5. Click Save. The page refreshes and displays the Conditions and Settings tab.
  6. In the Conditions section, for Role, select the user role policy you created in the 3.6.2 Creating a Policy Workflow section.
  7. For Device Role, select the device role created in 3.6.3 Creating a Device Role Policy section.
  8. Click on the Settings tab.
  9. From the Use Certificate Authority drop-down, select the Certificate Authority created for ACME.
  10. From the Use Certificate Template drop-down, choose the certificate template created for ACME.

  11. Click Update.

Setting Up Certificate Enrollment via ACME on Jamf

In order to initiate the ACME certificate enrollment on the client devices, a .mobileconfig file should be created in JoinNow and pushed to the required devices/device groups via Jamf. 

  1. Log in to the Jamf portal.
  2. Navigate to Devices > Configuration Profiles.


    NOTE:     Devices refer to creating configuration profiles of iOS Mobile devices and iPad. For mac OS, upload Mobileconfig via Computers > Configuration Profiles.

  3. Click Upload.

  4. Click Choose File.
  5. From your computer, upload the .Mobileconfig file acquired from JoinNow.

  6. Click Upload. A new Mobile Device Configuration Profile opens.
  7. In the General tab, in the Name field, enter a name for your profile.
  8. Click Save.
  9. Click on the Scope tab.
  10. Click the edit icon

  11. Add required devices/device groups to which the configuration profiles should be deployed.
  12. Click Done and then click Save.

Configuring ACME Certificate in Jamf

  1. Navigate to Devices > Configuration Profiles.

    NOTE: Devices refer to creating configuration profiles of iOS Mobile devices and iPad. For mac OS, upload Mobileconfig via Computers > Configuration Profiles.
  2. Click + New.

  3. Click on ACME Certificate.
  4. Click + Add.

  5. In the ACME directory URL field, enter the “Directory URL” value from the .mobileconfig file downloaded in 3.4 Creating an API Gateway in JoinNow section.

  6. In the Client Identifier field, enter the value corresponding to “ClientIdentifier” in the .mobileconfig file.

  7. In the Key Size field, enter “384”.
  8. From the Key Type drop-down list, select ECSECPrimeRandom.
  9. For the Hardware Bound toggle switch, select True.
  10. In the Subject field,  enter the value corresponding to “Subject” in the .mobileconfig file. The value must be added as”/CN=value” format.

  11. Configure further settings as required and click Save.

Certificate Issuance

After completing the steps above, the device now connects with the Jamf.  The organization’s ACME profile is pushed which triggers enrollment via ACME. Refer to the below  screenshots for the successful enrollments in Jamf under completed status:

More JAMF Explainers