ad cs

Moving Away from AD CS: Certificate-Based Authentication with Azure AD & Jamf

Sam Metzler Education

Moving Away from AD CS: Certificate-Based Authentication with Azure AD & Jamf

Digital certificates are starting to take over as the preferred method of network authentication because of their proven superiority to passwords in security and user experience. Many organizations are wanting to migrate to the cloud to start implementing certificate-based solutions, but Microsoft AD environments are having a hard time making the transition.

The key to widespread implementation is using the best practices available to easily and securely enroll certificates onto devices. Different types of devices require different methods of enrollment, including BYODs and Managed Devices.

Many admins looking to transition to Azure are unsure how to implement a PKI on the cloud, or if it’s even possible. Microsoft AD CS won’t work without the on-premise Active Directory. Luckily with SecureW2, you can easily setup your own cloud PKI without needing to overhaul your entire network infrastructure. Our PKI Services allow you to generate your own CA, or use a Microsoft CA, enabling Azure AD environments to easily support certificate-based authentication.

Enrolling a certificate for each managed device can be a daunting task. Luckily, gateway APIs can be set up for MDMs so admins can easily and securely push out configuration policies so devices can auto-enroll for certificates. Below we will highlight how you can integrate Azure AD, Jamf, and SecureW2 to deliver certificate-based authentication on all your devices.

What is Jamf?

Jamf is the market leading MDM for Apple devices and is the enterprise standard for macOS and iOS managed devices. Jamf helped bring Mac to enterprises and educational institutions by creating an easier way to manage Mac devices in a secure and simple manner.

What is AD CS?

Using certificates for authentication requires a Public Key Infrastructure (PKI) setup in order to operate. Active Directory Certificate Services (AD CS) was developed by Microsoft to serve as a platform for organizations to build PKIs and deploy certificates. Setting up and running AD CS in your organization can be complicated, so we’ve compiled a list of best practices for AD CS configuration.

Integrating Jamf and AD CS

Since Jamf provides device management and AD CS provides PKI setup, it should be easy to integrate both and start distributing certificates. However, many Mac guides advise against binding Active Directory (AD) and Jamf because many organizations have reported issues when they bind their Active Directory with Jamf.

Why Organizations Are Moving Away From AD CS

AD CS is an on-premise PKI, that requires a physical server on your organization campus to manage certificate services. One of the reasons why Cloud-based PKI solutions are becoming more widely used, is due to their versatility and cost-effectiveness. On average, the SecureW2 Cloud PKI usually costs less than a third the amount an equivalent on-premise PKI would cost.

Active Directory Certificate Services also requires a lot of human resources to set up and manage. With the SecureW2 Cloud PKI, you don’t need a team of dedicated cryptography experts to leverage certificate-based security. No more manual certificate lifecycle management, software and Gateway APIs for BYOD and Managed Device certificate provisioning and installation, and much more.

AD CS also doesn’t come with any certificate management or reporting functionality. SecureW2 comes out of the box with robust certificate management and reporting features. Admins have full visibility with certificate enrollment and authentication logs and reports, manual certificate revocation, dynamic certificate templates, and many other features.

There’s a lot that goes into managing PKI certificates. That’s why SecureW2 offers a plethora of certificate management features, from issuance to revocation. Our software allows you to:

  1. Monitor network connections
  2. Troubleshoot errors in real time
  3. Determine life cycles and permissions of client certificates
  4. Validate or delete certificates at any time and place

Our service also provides Server Certificate Validation (SCV), which is key in protecting your network from over-the-air credential theft. Also, manual configuring SCV isn’t supported by Apple devices.

AD CS is becoming obsolete – any organization that’s not completely reliant on Microsoft products will experience issues, which we are seeing with Jamf as it operates on Apple devices. Instead of spending time troubleshooting issues to fix AD CS, organizations are looking for cloud PKIs that require less maintenance.

Issues with AD CS and Jamf macOS

A quick Google search of Jamf and AD CS will show many reasons why setting up Jamf and AD CS is unreliable at best and impossible at worst. At this point, a common best practice for Jamf macOS environments is to just not bind with AD.

To be clear, Jamf macOS can support binding with AD but many admins have reported it being too difficult to manage and clunky, instead opting for local user accounts.

Here are just a few issues Macs can run into when trying to bind AD and Jamf:

  1. Devices disconnect from AD due to macOS updates.
  2. Devices are connected, but not communicating with AD.
  3. Password changes disrupting keychains.
  4. New user devices are unable to be onboarded to the network.

One common problem is that Microsoft Group Policies (GPO) do not work on Mac devices, so admins are left looking for alternative solutions to push out configuration policies. The best idea is to avoid the bind altogether and use SecureW2’s industry-first technology allowing organizations to configure GPO to distribute configuration profiles for auto certificate enrollment.

Using the Jamf AD CS Connector

For the bind to work, you can use the original Jamf payload if your organization has SCEP. If not, the Jamf Pro connector allows you to add AD CS as a PKI provider and start deploying certificates and configuration profiles. When going the route of the Jamf Pro connector, be sure to follow these practices:

  1. Don’t reuse any certificate templates for your devices: duplicate them.
  2. Define all these elements in your profile: root CA, intermediate CA, network payloads, signed certificates.
  3. Set up WPA2-Enterprise and TLS in the network payload.
  4. Establish domain trust between CA and Windows 2016 server

Once the connector is installed, you will be able to connect Jamf Pro and AD CS to start distributing certificates.

The Benefits of Jamf Connect

The acquisition of NoMAD and rollout of Jamf Connect has helped address identity management issues making sure users are properly authenticated on the Jamf network. Jamf Connect can integrate with macOS database, meaning you don’t have to give admin rights to any users for any reason.

Jamf Connect removes the hassle of having multiple passwords for multiple platforms, instead coalescing into one set of identity credentials to unlock everything. Passwords are synchronized between your IDP and the local account and admins can see who’s on the network more easily.

This solution is perfect for Microsoft AD environments because you don’t need to sync your credentials with AD as Jamf Connect has got that part covered.

Easily Provision and Deploy Certificates with Jamf

For many admins, the concern lies how to get certificates onto all network devices. Not only is it a tall order for IT to configure every device, but can be risky by leaving the work to end users.

Onboarding software, like SecureW2’s JoinNow Suite, can automate the certificate enrollment and make it easy for end users to allow their device to self-service.

Certificates assign an identity to every network connection, improving an admin’s visibility. Investing in a PKI allows SSL decryption, ensuring every user follows your content policies and eliminating any SSL-encrypted malware from accessing the network.

Configuring a SCEP Gateway in Jamf

Enabling a SCEP gateway is the best choice for enrolling Jamf devices for certificates because of how easy and secure it is. Integrating with SecureW2 can help push out SCEP payloads to Jamf devices. Instead of you or end users having to configure every device, devices are enrolled automatically through the SCEP gateway to ensure every device is equipped with a certificate and network connected. SecureW2 makes it really easy to use a SCEP Gateway with our Managed Device Gateway APIs.

Configure Jamf with SecureW2 for SCEP Certificates

Many organizations are implementing WPA2-Enterprise EAP-TLS networks to authenticate devices and deploy certificates. This method eliminates password-based authentication and all of its drawbacks, such as over-the-air credential theft. WPA2-Enterprise EAP-TLS also improves identity context so admins are able to see everyone on the network.

SecureW2’s PKI services incorporate WPA2-Enterprise, EAP-TLS, and SCEP gateways for managed devices. By integrating a SCEP gateway, devices will automatically enroll themselves for certificates, meaning no end user interaction is necessary.

We made an integration guide for SCEP and Jamf that you can view here. By configuring certificate authorities and SCEP URLs with Jamf’s management portal, you will be able to set up the SCEP gateway in Jamf to push auto-enrollment policies onto all managed devices.

Instead of wasting your time trying to bind AD and Jamf in an effort to make AD CS work, try SecureW2’s cloud-based PKI solutions. Integrating our JoinNow Suite with Jamf will improve certificate management, certificate enrollment, and identity context. All these benefits come at an affordable price you can see here.


Learn About This Author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a Copywriter for SecureW2's marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas and his previous experience involved mortgage marketing and obituary writing.