Dynamic SCEP Jamf Configuration Guide

Are you using Jamf to manage your endpoints and worried about impersonation attacks while adopting SCEP to distribute X.509 certificates? Then this configuration is for you.

We at SecureW2 understand this security concern of our Jamf customers and have devised a double protection solution: a Jamf account lookup while issuing certificates, combined with a SCEP challenge that is dynamic. Read on to protect all your managed devices.

Configuring JoinNow Management Portal

Creating an Intermediate CA for SCEP Gateway Integration

SecureW2 recommends creating a new intermediate CA for enrolling devices through SCEP Gateway integration with Jamf for easier management.

To create a new intermediate CA:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Dynamic PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. For the Common Name field, enter a name. SecureW2 recommends a name that includes “SCEP.”
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period field, enter the validity period for the Intermediate CA in terms of the number of years.
  11. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select how often a certificate expiration notification should be sent to users.
    2. Select the Notify user on the successful Enrollment checkbox to notify users after a successful enrollment.
    3. If the RFC822 (email) field contains a valid email address, the user receives the certificate issued or expired notification; otherwise, no notification is sent.
  12. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
      • Since last usage – Select this checkbox to revoke the certificate after a specified number of days if it remains unused.
      • Since certificate issuance – Select this checkbox to revoke the certificate after a specified number of days after it is issued.
    2. From the Reason Code drop-down list, select any one of the following reasons for which the certificate is revoked.
      • Certificate Hold
      • AA Compromise
      • Privilege Withdrawn
      • Unspecified

  13. Click Save. This generates the new intermediate CA.

Creating a Certificate Template for Jamf

A certificate template determines the information to be encoded in the certificate issued by the Certificate Authority.

To create a Jamf Certificate Template for account lookup:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click Add Certificate Template.
  3. In the Basic section, enter the name of the certificate template in the Name field.
  4. In the Subject field, enter CN=${/device/clientId:/csr/subject/commonname}. This fetches the common name configured in Jamf.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. In the Override Validity Period field, choose a specific date to bypass the validity period.
  8. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  9. In the SAN section:
    • In the Other Name field, enter ${/device/userDescription:/csr/san/othername}
    • In the RFC822 field, enter ${/device/userDescription:/csr/san/rfc822name}
    • In the DNS field, enter ${/device/buildModel:/csr/san/dnsname}

  10. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  11. Click Save.

Creating a Signing Certificate for Jamf

Jamf requires a signing certificate to sign custom configuration profiles and packages. These profiles are then automatically trusted when installed on managed devices.

The signing certificate can be created from the JoinNow Management Portal using the Create Certificate option.

To create a Jamf signing certificate:

  1. Navigate to Dynamic PKI > Create Certificate.
  2. In the Device Info section, from the Operating System drop-down list, select an operating system.
  3. In the User Description field, enter a suitable description.
  4. In the MAC Address field, enter a unique MAC address.
  5. In the Certificate Signing Request section, select the Generate Keypair and CSR option to generate a keypair and CSR file, and create client certificates.
  6. From the Algorithm drop-down list, select RSA.
  7. From the Key Size drop-down list, select 2048.
  8. In the Subject field, enter the common name (the recommended name is “Jamf Signing Certificate”, which makes the certificate easy to identify later).
  9. In the Other Name field, enter the same value as in the Subject field. Ignore the other fields.
  10. In the Certificate Issuance Policy section, from the Certificate Authority drop-down list, select the intermediate CA created earlier for issuing certificates to clients using SCEP (refer to the Creating an Intermediate CA for SCEP Gateway Integration section).
  11. From the Use Certificate Template drop-down list, select the certificate template created in the section Creating a Certificate Template for Jamf.
  12. Select the Include Entire Certificate Chain checkbox. This is mandatory.
  13. In the Distribution section, select PKCS12 from the Format field.
  14. In the Receive via field, select Download.
  15. Click the Create button, and a Password for private key pop-up window opens. Enter the password for the certificate file and click Submit.

Creating a Signal Source for Jamf Lookup

To create a Signal Source to perform lookup with Jamf:

  1. Navigate to Integrations Hub > Core Platforms.
  2. Click Add.
  3. In the Basic section, in the Name field, enter the name of the Signal Source.
  4. In the Description field, enter a suitable description for the Signal Source.
  5. From the Type drop-down list, select JAMF Identity Lookup.
  6. Click Save. The page refreshes and opens the Configuration, Attribute Mapping, and Groups tabs.
  7. Click the Configuration tab.
  8. From the Authentication Type drop-down list, select the authentication type to use for the lookup. The available options are:
    1. Bearer Token – Authentication is done using Jamf user credentials.
      1. For Provider URL, enter the JAMF URL of the organization.
      2. For the Username and Password fields, enter the JAMF credentials.
      3. Click Validate to check your connection with JAMF.

    2. Client Credentials – Authentication is done using Client credentials.
      1. For Provider URL, enter the JAMF URL of the organization.
      2. For the Client ID field, enter the client ID from Jamf.
      3. For the Client Secret field, enter the client secret from Jamf.
      4. Click Validate to check your connection with JAMF.

  9. Set up required attributes in the Attribute Mapping tab.
  10. Create required groups in the Groups tab.
  11. Click Update.

Creating a Device Management Platform

The SCEP URL is the endpoint through which managed devices connect to the SCEP server and enroll for certificates. The secret is also passed to Jamf’s external CA configuration to authenticate these certificate requests.

A SCEP URL and secret can be generated by creating a Device Management Platform in the JoinNow Management Portal.

Additionally, the tokens created for SCEP Enrollment can be used in Policy Management to assign a user/device role based on the token in the incoming request.

To create a Device Management Platform, perform the following steps:

  1. Navigate to Integrations Hub > Device Management Platforms.
  2. Click Add.
  3. In the Basic section, enter the name of the Device Management Platform in the Name field.
  4. In the Description field, enter the description for the Device Management Platform.
  5. From the Type drop-down list, select SCEP Enrollment Token.
  6. From the Vendor drop-down list, select JAMF.
  7. From the Certificate Authority drop-down list, select the Intermediate CA created in the Creating an Intermediate CA for SCEP Gateway Integration section. If you do not select a CA, by default, the organization CA is chosen.
  8. From the Challenge Type drop-down list, select the Dynamic option. The Dynamic Challenge Type generates a unique challenge for each enrollment request internally, providing an additional layer of security.
  9. From the JAMF Signal Source drop-down list, select the JAMF Identity Lookup Provider created in the Creating a Signal Source for Jamf Lookup​ section.
  10. The URL used for authentication is displayed in the Challenge URL field.
  11. Click Save. A .csv file containing the API secret and Enrollment URL is downloaded, and the Enrollment URL is displayed on the screen.

    NOTE: Save this file securely. It is downloaded only once, during token creation. If you lose it, you cannot retrieve the secret.

  12. The page refreshes, and the Attribute Mapping tab is displayed.
  13. Click the Attribute Mapping tab to configure the required attributes for SCEP and click Update.

    NOTE: You can also refer to the steps in Device Management Platform (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide, which is available in the Management Portal.

Policy Management

This section describes the configuration process for different policies concerning certificate enrollment and network access. Through Policy Management, diverse rules can be set for each policy, which helps in selecting the correct certificate template for issuing the appropriate certificate to users. Likewise, Network Policy allows for the configuration of various rules to be applied based on user and device roles during network authentication.

When these rules align with the configured attributes during network authentication, suitable network attributes can be applied to the devices.

Creating a Security Signal Source

The Security Signal Source can be mapped with the Jamf Signal Source created earlier for device lookup.

To create a Security Signal Source, perform the following steps:

  1. Navigate to Policy Management > Security Signal Sources.
  2. Click Add Security Signal Source.
  3. In the Basic section, enter the name of the Security Signal Source in the Name field.
  4. Under Lookup Purpose, choose the purpose of the account lookup:
    1. Certificate Issuance – To look up the user/device account during enrollment.
    2. RADIUS Authentication – To look up the user/device account during RADIUS authentication.

  5. Click Save. The page refreshes, and the Conditions and Settings tabs are displayed.
  6. Under the Settings section, from the Provider drop-down list, select the Signal Source created in the previous section (see the Creating a Signal Source for Jamf Lookup section).
  7. From the Lookup Type drop-down list, select the lookup type:
    1. Auto: The system automatically uses identity as the Lookup attribute.
    2. Device: The Identity drop-down list is displayed. Select a device identity for lookup.
    3. User: The Identity drop-down list is displayed. Select a user identity for lookup.
  8. If required, select the Revoke On Failure checkbox to automatically revoke a certificate when an account lookup fails.
  9. Click Update.

Creating a Policy Workflow

To configure a Policy Workflow:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Basic section, enter the name of the Policy Workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Click the Conditions tab.
  8. From the Identity Provider drop-down list, select the Device Management Platform you created earlier (see the Creating a Device Management Platform section).
  9. Select the Security Vendor Integration checkbox to integrate a security vendor platform and configure the Policy Workflow with the Security Risk Level, which assesses the device’s risk score as reported by the security vendor (refer to the Endpoint Protection Platform Integration for Device On-boarding & WiFi Access document for the CrowdStrike integration).
  10. Click Update.

Creating an Enrollment Policy

To add an Enrollment Policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Click the Conditions tab.
  8. In the Conditions section, from the Role drop-down list, select the role policy you created earlier (see the Creating a Policy Workflow section).
  9. From the Device Role drop-down list, select DEFAULT DEVICE ROLE POLICY.
  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating an Intermediate CA for SCEP Gateway Integration section).
  12. From the Use Certificate Template drop-down list, select the template you created earlier (see the Creating a Certificate Template for Jamf section).
  13. In the other settings, retain the default values.
  14. Click Update.

Setting up Certificate Enrollment via SCEP on Jamf

Setting up SCEP in Jamf requires configuring SecureW2’s Certificate Authority as an External Certificate Authority in Jamf. To configure an external CA in Jamf:

  1. Log in to the Jamf Pro console.
  2. Navigate to Settings > Global.
  3. Click PKI certificates.
  4. Select the Management Certificate Template tab, select External CA, and click Edit.
  5. Select the Enable Jamf Pro as SCEP Proxy for configuration profiles checkbox.
  6. In the URL field, enter the new SCEP URL you saved in the CSV file (refer to the Creating a Device Management Platform section).

    NOTE: You can also refer to the steps in Configuring Device Management Platform (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide available in the Management Portal.

  7. In the Name field, enter the name of the certificate issuing CA created in the JoinNow Management portal.
  8. In the Subject field, enter “CN=$DEVICENAME”.
  9. From the Subject Alternative Name Type drop-down list, select None.
  10. From the Challenge Type drop-down list, select Dynamic.
  11. From the Key Size drop-down list, select 2048. SecureW2 does not recommend selecting 1024.
  12. Click Save.
  13. Under the Signing Certificate section, click Change Signing and CA Certificates to upload the signing certificate you created in “Creating a Signing Certificate for Jamf”.
  14. On the Upload Keystore step, click Choose File and upload the PKCS12 file you downloaded in “Creating a Signing Certificate for Jamf”.
  15. Click Next.
  16. On the Enter Password step, enter the password you entered in the Password for private key prompt in the Creating a Signing Certificate for Jamf section when you created the certificate.
  17. Click Next.
  18. On the Choose Certificate step, verify that the correct CA certificate is selected from the Choose Certificate drop-down list and that the correct certificate chain is displayed.
  19. Click Next.
  20. On the Upload CA Certificate step, click Next to skip the upload. The CA certificate is already present in PKCS12.
  21. On the Complete step, click Done.

Configuring Webhook in Jamf

The webhook setting in Jamf sends a request to JoinNow CloudConnector for a challenge. The JoinNow CloudConnector validates the user in Jamf by performing a lookup, and upon successful validation, a dynamic challenge is issued to Jamf.

To configure a webhook, perform the following steps:

  1. Log in to the Jamf Pro console.
  2. Navigate to Settings > Global.
  3. Click Webhooks.
  4. Click New.
  5. In the Name field, enter the display name of the webhook.
  6. In the Webhook URL field, enter the Challenge URL obtained from the Creating a Device Management Platform section.
  7. From the Authentication Type drop-down list, select the Header Authentication option.
  8. In the Header Authentication field, enter {"Authorization":"Bearer <secret>"}, where <secret> is the API secret from the .csv file downloaded in the Creating a Device Management Platform section.

  9. In the Content Type field, select one of the following formats for the webhook payload:
    • JSON
    • XML
  10. From the Webhook Event drop-down list, select SCEPChallenge to trigger the Webhook event.
  11. Click Save.
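The webhook exchange above, modelled as an added Python example (not SecureW2’s or Jamf’s code): a receiver at the Challenge URL checks the bearer secret from the Header Authentication field in constant time, looks the device up in a constructed Jamf inventory, and only then issues a dynamic challenge that is bound to that device, time-limited and usable once, so a captured challenge cannot be replayed for a second certificate. The webhook payload shape (a "udid" key), the inventory contents, the 300-second lifetime and all function names are assumptions.

```python
import hmac
import secrets
import time

# Constructed sample values: a placeholder for the API secret from the Device
# Management Platform CSV and a stand-in for the Jamf inventory the lookup
# would query. Neither is real data.
API_SECRET = "PLACEHOLDER-API-SECRET-FROM-CSV"
JAMF_INVENTORY = {
    "UDID-0001": {"name": "mac-alice", "managed": True},
    "UDID-0002": {"name": "ipad-bob", "managed": False},
}
CHALLENGE_TTL_SECONDS = 300  # assumed lifetime of an issued challenge


class ChallengeStore:
    """Dynamic challenges: each bound to one device, time-limited, single use."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, used by the tests
        self._pending = {}         # challenge -> (udid, expiry timestamp)

    def issue(self, udid):
        challenge = secrets.token_urlsafe(32)
        self._pending[challenge] = (udid, self._now() + CHALLENGE_TTL_SECONDS)
        return challenge

    def consume(self, challenge, udid):
        """True exactly once for a live challenge presented by the device it
        was issued to; a replayed, expired or unknown challenge fails."""
        entry = self._pending.pop(challenge, None)   # pop: never usable twice
        if entry is None:
            return False
        bound_udid, expiry = entry
        return bound_udid == udid and self._now() <= expiry


def lookup_device(udid):
    """Jamf account lookup stand-in: only known, managed devices qualify."""
    device = JAMF_INVENTORY.get(udid)
    return device if device and device["managed"] else None


def handle_scep_challenge_webhook(headers, payload, store):
    """Model of a Jamf SCEPChallenge webhook arriving at the Challenge URL.

    Returns (http_status, body). The payload carrying a "udid" key is an
    assumption, not Jamf's documented webhook format."""
    expected = f"Bearer {API_SECRET}"
    provided = headers.get("Authorization", "")
    # Constant-time comparison of the Header Authentication value.
    if not hmac.compare_digest(provided.encode(), expected.encode()):
        return 401, {"error": "webhook secret mismatch"}
    udid = payload.get("udid")
    if not udid or lookup_device(udid) is None:
        # Unknown or unmanaged device: no challenge is issued, so the SCEP
        # request that follows cannot be authenticated.
        return 403, {"error": "device lookup failed"}
    return 200, {"challenge": store.issue(udid)}


def scep_enroll(store, udid, challenge):
    """Stand-in for the SCEP server checking the challengePassword."""
    return "ISSUED" if store.consume(challenge, udid) else "REJECTED"
```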

Configuration in Jamf Portal

Configuration profiles are XML files that are pushed to end-user devices along with certificates. These configuration files help Jamf MDM effectively manage mobile devices, computers, and users.

This section explains how to set up Jamf configuration profiles for iOS and macOS.

Setting up Jamf Configuration Profiles

For iOS

To set up a Jamf configuration profile for iOS, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click New. To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. In the Name field, enter a name that can reflect the profile for the specific OS.
  5. In the Description field, enter a descriptive text explaining the purpose of this configuration.
  6. From the Distribution Method drop-down list, select Install Automatically or Make Available in Self-Service.

For macOS

To set up a Jamf configuration profile for macOS:

  1. From your Jamf Pro console, go to Computers > Configuration Profiles.
  2. Click New. To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. In the Name field, enter a name for the OS profile, for example MacOS_Office.
  5. In the Description field, enter a description for the configuration profile.
  6. From the Level drop-down list, select Computer Level.
  7. From the Distribution Method drop-down list, select Install Automatically or Make Available in Self Service.

Setting up the JAMF as SCEP Proxy for Configuration Profiles

Jamf can deploy configuration profiles that install certificates for users to access wireless networks. By setting up Jamf as the SCEP proxy in the configuration profile, Jamf communicates with the SCEP server to download and install the certificate directly on macOS or iOS devices.

This section explains how to set up Jamf as a SCEP proxy for the iOS and macOS configuration profiles.

To set up Jamf as a SCEP proxy, perform the following steps:

  1. From your Jamf Pro console, go to Options > SCEP. The steps are similar for both the iOS and macOS configuration profiles.
  2. Click Configure.
  3. Select the Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile checkbox.
  4. In the Name field, enter the common name of the intermediate CA that will issue the certificate for the client. The common name can be found in the JoinNow Management Portal.
  5. From the Redistribute Profile drop-down list, select the desired number of days.
  6. In the Subject field, enter a value to help administrators identify the device. You can make this a static value if you wish. Examples:
    • CN=$DEVICENAME
    • CN=$UDID
    • CN=$SERIALNUMBER

    NOTE: What you enter as Subject and Subject Alternative Name are referred to as payload variables and define the common name that you want to be encoded on certificates. You can find available iOS payload variables here: https://docs.jamf.com/9.9/casper-suite/administrator-guide/iOS_Configuration_Profiles.html

  7. From the Subject Alternative Name Type drop-down list, select the RFC 822 Name option.
  8. In the Subject Alternative Name Value field, use the appropriate variables as required. The recommended attributes are:
    • $UDID
    • $SERIALNUMBER
    • $DEVICENAME

  9. Click Save.
  10. Navigate to the Scope section and update the scope for the devices to which the configuration profile will be pushed.

NOTE: If you want to change the Jamf SCEP proxy settings in Settings > Global > PKI Certificates > Management Certificate Template > External CA, first clear the Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile checkbox in each profile that uses it. If you proceed without disabling it, the corresponding profiles that use Jamf as a SCEP proxy are affected.

Setting up the Certificate Payload for RADIUS Connections

This section explains setting up the certificate payload to validate your RADIUS server. If your RADIUS server certificate also has one or more intermediate CA certificates as part of the certificate chain, you can add those certificates (Root and Intermediate) to this payload.

NOTE: Do not upload the actual RADIUS server certificate here.

The following steps apply to both iOS and macOS configuration profiles.

To set up a certificate payload, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles. The steps 2 to 10 are similar for both the iOS and macOS configuration profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Certificate.
  4. Click Configure.
  5. In the Certificate Name field, enter the name of the added certificate. This will be the Common Name (Issued To).
  6. From the Select Certificate Option drop-down list, select Upload.
  7. Click Upload Certificate.
  8. On the Certificate pop-up window, click Choose File and upload the issuing Root CA from the JoinNow Management portal under PKI > Certificate Authorities.
  9. Click Upload.
  10. After the certificate uploads, click Save.

NOTE: If the setup has more than one RADIUS server for validation, you can add more than one Common Name with the same certificate payload configuration.

Setting up the Wi-Fi Payload

A Wi-Fi profile (payload) configures the device to connect to the preferred secure network. Jamf includes built-in Wi-Fi settings that an admin can configure and deploy to the devices in your organization. This Wi-Fi profile can be assigned based on different device users and device groups.

This section explains how to set up Wi-Fi Payload for iOS and macOS devices.

To set up the Wi-Fi Payload for iOS, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles. For macOS devices, navigate to Computers > Configuration Profiles > Edit > Options > Network. Steps 4 to 16 are similar for both the iOS and macOS configuration profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Wi-Fi.
  4. Click Configure.
  5. In the Service Set Identifier (SSID) field, enter the name of the secure network.
  6. Select other applicable settings as per the organization’s requirements.
  7. From the Security Type drop-down list, select WPA2 Enterprise (iOS 8 or later except Apple TV).
  8. Under the Network Security Settings section, select the Protocols tab.
  9. In the Accepted EAP Types section, select the TLS checkbox.
  10. Click the Trust tab.
  11. In the Trusted Certificates section, select the checkbox for the certificate you uploaded.

    NOTE: Along with validating a RADIUS server by certificates, specify the RADIUS server certificate names for validation as an additional security measure. This is available in the Wi-Fi payload when the uploaded certificate is enabled.

  12. In the CERTIFICATE COMMON NAME section, click Add.
  13. In the field that appears, enter the name of the RADIUS server used for validation, and then click Save.
  14. Navigate back to the Protocols tab.
  15. From the Identity Certificate drop-down list, select the CA from the SCEP payload.
  16. Click Save to save the Wi-Fi payload.

When a device successfully enrolls, the Configuration Profiles table shows an increased value for Completed.

Configuration of Auto Revocation Based on Computer/Device Groups in Jamf

JoinNow Management Portal facilitates auto-revocation of certificates based on device groups configured in the Jamf portal. There are two kinds of groups you can create to add mobile devices and computers to the Revocation Group list:

  1. Smart Device/Computer Groups (revocation of devices/computers is based on set criteria). To add Smart Device Groups:
    1. From your Jamf Pro console, go to Devices > Smart Device Groups. For Smart Computer Groups, click on Computers. Steps 2 to 8 are similar for both Smart Device Groups and Smart Computer Groups.
    2. Click + New.
    3. Under the Mobile Device Group tab, in the Display Name field, enter a name for your group.
    4. Navigate to the Criteria tab and click Add. You can establish a set of criteria for a group and add devices when they meet the specified conditions.
      In the following example, the criterion used is Last Inventory Update. Jamf synchronizes with managed devices regularly. If no update between a device and Jamf has occurred within the configured time interval, Jamf determines that the criteria are met and automatically moves the device to this group. The relevant device information is then shared with the JoinNow Management Portal, and the corresponding certificate on the device is automatically revoked.

      Please refer to https://docs.jamf.com/10.42.0/jamf-pro/documentation/Smart_Groups.html for more information on Smart Device/Computer group configurations.

    5. Click Choose.
    6. From the OPERATOR drop-down list, choose the period type/date based on which revocation should be applied.
    7. In the VALUE field, enter the date or number of days. In our example, the OPERATOR selected is more than x days ago and the VALUE entered is “10”, so if no update between Jamf and the device has occurred for more than 10 days, all certificates on the device are revoked.
    8. Click Save. The Smart Device Group is created.
  2. Static Device/Computer Groups (revocation of devices/computers is automatic when they are added to these groups). To add Static Device Groups:
    1. From your Jamf Pro console, go to Devices > Static Device Groups. For Static Computer Groups, click on Computers. Steps 2 to 6 are similar for both Static Device Groups and Static Computer Groups.
    2. Click + New.
    3. Under the Mobile Device Group tab, in the Display Name field, enter a name for your group.
    4. Navigate to the Assignments tab.
    5. Select the devices you want to add to this group by clicking the checkbox.
    6. Click Save.
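The smart-group example above (Last Inventory Update more than 10 days ago) modelled in added Python, not Jamf’s or SecureW2’s code: it evaluates a constructed inventory snapshot against the criterion and lists every certificate that would be revoked for the matching devices. It treats “more than x days ago” as strict (a device exactly x days old is not yet a member) and treats a device with no inventory record as stale; the inventory, the serials and the stale-record handling are assumptions of this model.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory snapshot: the Last Inventory Update Jamf holds for
# each device. None models a device with no inventory record at all.
INVENTORY = {
    "UDID-0001": datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
    "UDID-0002": datetime(2024, 5, 12, 9, 0, tzinfo=timezone.utc),
    "UDID-0003": None,
}
# Constructed: certificate serials currently valid on each device.
ISSUED_CERTS = {
    "UDID-0001": ["1A", "1B"],
    "UDID-0002": ["2A"],
    "UDID-0003": ["3A"],
}


def smart_group_members(inventory, now, more_than_days):
    """Devices matching 'Last Inventory Update more than x days ago'.

    'More than' is modelled as strict: a device whose last update is exactly
    x days old is not yet a member. Treating a missing record as stale is an
    assumption of this model, not documented Jamf behaviour."""
    cutoff = now - timedelta(days=more_than_days)
    return sorted(
        udid for udid, last in inventory.items()
        if last is None or last < cutoff
    )


def certificates_to_revoke(members, issued):
    """All certificates on every device in the revocation group."""
    return {udid: list(issued.get(udid, [])) for udid in members}


def revocation_report(inventory, issued, now_iso, more_than_days):
    """Entry point taking the evaluation time as an ISO 8601 string."""
    now = datetime.fromisoformat(now_iso)
    members = smart_group_members(inventory, now, more_than_days)
    return certificates_to_revoke(members, issued)
```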

Creating a Read-Only user in Jamf

To create a Read Only user in Jamf:

  1. From your Jamf Pro console, go to Settings > User accounts and groups.
  2. Click the + New button.
  3. On the Choose an Action step, select the Create Standard Account option and click Next.
  4. In the Account tab:
    1. In the Username field, enter a username for the account.
    2. From the Privilege Set drop-down list, select Custom.
    3. Enter the other details, such as email address, password, and so on, in the respective fields.
  5. Click the Privileges tab and select the READ checkbox for the following items:
    • Mobile Devices
    • Smart Computer Groups
    • Smart Mobile Device Groups
    • Static Computer Groups
    • Static Mobile Device Groups
    • Computers
  6. Click Save.

Certificate Issuance

After completing the steps above, the device connects with Jamf. The organization’s SCEP profile is pushed, the device is looked up, and enrollment is triggered.

Jamf Configuration profile log:

SecureW2 JoinNow portal General Events:

SecureW2 Admins can check for successful certificate enrollment under Data and Monitoring > General Events. The device enrolled will display a “Certificate Issued” message.

Now that you have completed this configuration, you can protect your organization from attackers who try to compromise your Certificate Authorities and issue themselves certificates.