Introduction
SecureW2’s ACME service can enroll Apple devices with certificates. Using Apple Managed Device Attestation (MDA), it cryptographically verifies that a device is a genuine Apple product and confirms its serial number. MDA is what allows JoinNow CloudConnector to validate a device’s identity and cross-reference it with your MDM so that only trusted devices can enroll for certificates.
This guide describes the steps to integrate Kandji MDM with JoinNow CloudConnector so that devices running macOS, iOS, iPadOS, and tvOS can enroll for digital certificates via ACME.
Prerequisites
- Active Kandji subscription
- Active JoinNow CloudConnector subscription along with the Enterprise Enrollment and Attestation (EEA) add-on
- Apple devices (iOS, iPadOS, macOS, or tvOS) that support ACME enrollment and attestation, actively managed in Kandji
Configuring JoinNow Management Portal
To configure ACME-based enrollment with the JoinNow portal, the following high-level steps are required:
- Create an Intermediate CA
- Create a Kandji Certificate Template
- Create an ACME API Gateway (ACME Client Certificate Enrollment Token)
- Create a Generic HTTP Identity Lookup Provider
- Create Policies
Creating an Intermediate CA for Kandji ACME Gateway Integration
As a best practice, use a dedicated intermediate CA for ACME Gateway based integrations with Kandji, so that certificates issued through this path can be identified and revoked independently of other issuance flows.
To create a new intermediate CA:
- Log in to the JoinNow Management Portal.
- Navigate to PKI > Certificate Authorities.
- Click Add Certificate Authority.
- In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
- From the Type drop-down list, select Intermediate CA.
- From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
- From the Generate via drop-down list, select Internal system.
- For the Common Name field, enter a name. It is recommended to use a name that includes ‘ACME’.
- From the Key Size drop-down list, select 2048 for the CA certificate key pair.
- From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
- In the Validity Period (in years) field, enter the validity period of the CA certificate.
- Click Save.
The new intermediate CA is generated.
Creating a Certificate Template for Kandji
A certificate template determines how information is encoded in the certificate to be issued by the Certificate Authority. The template consists of a list of certificate attributes and how the information must be encoded in the attribute values. This information is provided by the Admin in the JoinNow Management Portal.
It is recommended to create a separate template for each MDM platform for easier identification of different values being passed. To create a Kandji certificate template:
- Navigate to PKI > Certificate Authorities.
- Click Add Certificate Template.
- Under the Basic section, in the Name field, enter the name of the certificate template.
- The Subject field can be configured to source values from the CSR submitted by the Kandji-managed device. To use the attributes sent in the CSR, enter CN=${/csr/subject/commonname}
- In the Display Description field, enter a suitable description for the certificate template.
- In the Validity Period field, type the validity period of the certificate (based on the requirement).
- From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
- In the SAN section:
a. In the Other Name field, enter ${/csr/san/othername}
b. In the RFC822 field, enter ${/csr/san/rfc822name}
c. In the DNS field, enter ${/csr/san/dnsname}
- In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
- Click Save.
Creating an ACME API Gateway
- Log in to the JoinNow Management Portal.
- Navigate to Identity Management > API Gateways.
- Click Add API Gateway.
- In the Basic section, enter the name of the API Gateway in the Name field.
- In the Description field, enter a suitable description for the API Gateway.
- From the Type drop-down list, select ACME Client Certificate Enrollment Token.
- From the Vendor drop-down list, select Kandji.
- Click Save. A .mobileconfig file is downloaded.
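The downloaded .mobileconfig is what decides whether the device actually performs attestation and keeps its key hardware-bound, so it is worth inspecting before it goes into Kandji. The following is an added example, not SecureW2's, JoinNow's or Kandji's code: it reads the profile with plistlib and checks the com.apple.security.acme payload keys that Apple's ACME payload reference defines (DirectoryURL, ClientIdentifier, KeyType, HardwareBound, Attest, ExtendedKeyUsage). The two payloads at the bottom, their identifiers and the directory URL are constructed placeholders, not the file the portal generates.

```python
"""Sanity-check an ACME enrollment profile (.mobileconfig) before uploading it to Kandji.

Added example; not SecureW2's, JoinNow's or Kandji's code. The payload keys
checked are Apple's documented com.apple.security.acme keys. The sample
profiles below are constructed for illustration only.
"""
import plistlib
import uuid

ACME_PAYLOAD_TYPE = "com.apple.security.acme"
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


def acme_payloads(profile_bytes: bytes) -> list:
    """Return every com.apple.security.acme payload found in the profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == ACME_PAYLOAD_TYPE]


def check_acme_payload(payload: dict) -> list:
    """Return findings for one ACME payload; an empty list means it enforces attestation."""
    findings = []
    url = payload.get("DirectoryURL", "")
    if not url.startswith("https://"):
        findings.append(f"DirectoryURL is not https: {url!r}")
    if payload.get("Attest") is not True:
        findings.append("Attest is not true: the device will not send an MDA attestation")
    if payload.get("HardwareBound") is not True:
        findings.append("HardwareBound is not true: the private key is not bound to the Secure Enclave")
    elif payload.get("KeyType") != "ECSECPrimeRandom":
        # Apple's payload reference requires ECSECPrimeRandom keys when HardwareBound is true
        findings.append(f"HardwareBound requires KeyType ECSECPrimeRandom, got {payload.get('KeyType')!r}")
    if not payload.get("ClientIdentifier"):
        findings.append("ClientIdentifier is empty: the server cannot tie the ACME order to a device")
    if CLIENT_AUTH_EKU not in payload.get("ExtendedKeyUsage", []):
        findings.append("ExtendedKeyUsage does not include clientAuth")
    return findings


def check_profile(profile_bytes: bytes) -> dict:
    """Map each ACME payload's PayloadIdentifier to its findings; a missing ACME payload is a finding."""
    payloads = acme_payloads(profile_bytes)
    if not payloads:
        return {"<profile>": ["no com.apple.security.acme payload found"]}
    return {p.get("PayloadIdentifier", "?"): check_acme_payload(p) for p in payloads}


def build_profile(payload: dict) -> bytes:
    """Wrap one payload in a minimal configuration profile (constructed sample, hypothetical identifiers)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.acme-profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "ACME device certificate (constructed sample)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


# Constructed payloads: the directory URL and identifiers are placeholders, not real endpoints.
HARDENED_PAYLOAD = {
    "PayloadType": ACME_PAYLOAD_TYPE,
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.acme.hardened",
    "PayloadUUID": str(uuid.uuid4()),
    "DirectoryURL": "https://acme.example.invalid/directory",
    "ClientIdentifier": "example-client-identifier",
    "KeyType": "ECSECPrimeRandom",
    "KeySize": 384,
    "HardwareBound": True,
    "Attest": True,
    "ExtendedKeyUsage": [CLIENT_AUTH_EKU],
}

WEAK_PAYLOAD = dict(HARDENED_PAYLOAD, PayloadIdentifier="com.example.acme.weak",
                    DirectoryURL="http://acme.example.invalid/directory",
                    KeyType="RSA", KeySize=2048, HardwareBound=False, Attest=False)

if __name__ == "__main__":
    for name, payload in (("hardened", HARDENED_PAYLOAD), ("weak", WEAK_PAYLOAD)):
        print(name, check_profile(build_profile(payload)))
```

Run it against the real file with `check_profile(open("profile.mobileconfig", "rb").read())`; a profile with Attest or HardwareBound missing would still enroll, but the resulting certificate would not carry the device-identity guarantee this guide is built around.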
Creating a Generic HTTP Identity Lookup Provider
With JoinNow, you can create a Generic HTTP-based Identity lookup provider. This is necessary to configure a device lookup with Kandji during ACME certificate enrollment.
- Navigate to Identity Management > Identity Providers.
- Click Add Identity Provider.
- Enter a name and description for the Lookup IDP in the respective fields.
- From the Type drop-down list, select Generic HTTP.
- Click Save.
- On the displayed page, click the Configuration tab.
- From the Authentication Method drop-down list, select Bearer Token.
- In the Bearer Token field, enter the token value obtained from Kandji.
- Click the API tab.
- In the URI field, enter the organization’s API URL (obtained in step 3a in the Creating a Token in Kandji section).
- In the Response Validation section, click Add.
a. In the Response Path field, enter data[0].serial_number
b. From the Condition drop-down list, select Exists.
c. In the Expected result field, enter a valid device serial number.
d. Click Validate to check if the configuration is correct.
- Click Update.
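What the Response Validation step does is query the Kandji device list with the bearer token, evaluate the Response Path against the JSON body, and reject enrollment when the path does not resolve (for example, when the serial number is unknown to Kandji and the list comes back empty). The following is an added example, not JoinNow's or Kandji's code: it reproduces that check offline with a small evaluator for the data[0].serial_number path style used in the guide, and includes a helper that performs the bearer-token query. The response bodies are constructed; that the device list sits under a top-level "data" key is taken from the guide's Response Path; and the query URL shape in query_kandji (a serial_number query parameter on your organization's API URL) is an assumption to verify against your tenant.

```python
"""Exercise the Generic HTTP device lookup offline.

Added example; not JoinNow's or Kandji's code. The response bodies are
constructed, and the URL/parameter shape in query_kandji() is assumed.
"""
import json
import re
import urllib.parse
import urllib.request

_PATH_GRAMMAR = re.compile(r"[A-Za-z_]\w*(?:\[\d+\]|\.[A-Za-z_]\w*)*")
_STEP = re.compile(r"([A-Za-z_]\w*)|\[(\d+)\]")


def evaluate_path(doc, path: str):
    """Resolve a path like data[0].serial_number; return None when any step is missing."""
    if not _PATH_GRAMMAR.fullmatch(path):
        raise ValueError(f"unsupported response path: {path!r}")
    cur = doc
    for name, index in _STEP.findall(path):
        if name:
            if not isinstance(cur, dict) or name not in cur:
                return None
            cur = cur[name]
        else:
            i = int(index)
            if not isinstance(cur, list) or i >= len(cur):
                return None
            cur = cur[i]
    return cur


def lookup_passes(body: str, path: str, condition: str, expected: str = "") -> bool:
    """Fail closed: malformed JSON, a missing path, or an unknown condition all reject the device.

    "Exists" mirrors the condition used in the guide. "Equals" is a stricter check added here
    that also compares the returned serial with the one the device claimed.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False
    value = evaluate_path(doc, path)
    if condition == "Exists":
        return value is not None
    if condition == "Equals":
        return isinstance(value, str) and value.strip().upper() == expected.strip().upper()
    return False


def query_kandji(api_url: str, token: str, serial: str, timeout: float = 10.0) -> str:
    """Fetch the device record for one serial with a bearer token (assumed URL/parameter shape)."""
    url = api_url + "?" + urllib.parse.urlencode({"serial_number": serial})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed responses, not captured from a real tenant; the serial is a placeholder.
FOUND = json.dumps({"data": [{"serial_number": "C02TEST000001", "device_name": "mac-01"}]})
NOT_FOUND = json.dumps({"data": []})
PATH = "data[0].serial_number"

if __name__ == "__main__":
    print("known device, Exists:  ", lookup_passes(FOUND, PATH, "Exists"))
    print("unknown device, Exists:", lookup_passes(NOT_FOUND, PATH, "Exists"))
    print("known device, Equals:  ", lookup_passes(FOUND, PATH, "Equals", "C02TEST000001"))
```

Note that Exists only proves the query returned some device record. That is sufficient when the API URL filters by the serial number the device presented; if the URL you configure returns an unfiltered list, the first element will always exist and the lookup stops meaning anything, which is why the example also shows a comparison against the expected serial.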
Creating a Key Attestation Provider
A Key Attestation Provider in JoinNow sets up the device attestation service for Apple devices. To create a Key Attestation Provider:
- Log in to JoinNow Management Portal.
- Navigate to Identity Management > Key Attestation Provider.
- Click Add Key Attestation Provider.
- In the Name field, enter a name for your Key Attestation Provider.
- In the Display Description field, enter a description (Optional).
- From the Type drop-down, select Apple.
- Click Save.
Policy Management in JoinNow
Policy management helps admins define and create various policies that associate rules with identity providers. These rules are configured for user authentication via network profiles.
Creating an Account Lookup Policy
The Account Lookup policy can be mapped along with the Generic HTTP Identity Lookup provider created earlier for device lookup.
- Go to Policy Management > Account Lookup Policies.
- Click Add Account Lookup Policy.
- In the Basic section, enter a name and description in the respective fields.
- Click Save. On the displayed page, click the Settings tab.
- From the Identity Provider Lookup drop-down list, select the Generic HTTP Lookup IDP created earlier.
- From the Lookup Type drop-down list, select Custom.
- From the Identity drop-down list, select Computer Identity.
- Under Lookup Purpose, select the purpose of the account lookup:
a. Certificate Issuance – to look up the user/device account during enrollment.
b. RADIUS Authentication – to look up the user/device account during RADIUS authentication.
- Click Update.
Creating a Policy Engine Workflow
To configure a Policy Engine Workflow:
- Navigate to Policy Management > Policy Engine Workflows.
- Click Add Policy Engine Workflow.
- In the Basic section, enter the name of the policy engine workflow in the Name field.
- In the Display Description field, enter a suitable description for the policy engine workflow.
- Click Save.
- The page refreshes. Click the Conditions tab.
- From the Identity Provider drop-down list, select the identity provider you created earlier in section 3.4 Creating a Generic HTTP Identity Lookup Provider.
- In the Attributes/Groups section, for the Attribute field, retain ANY.
- Click Update.
Creating a Device Role Policy
Device Role Policy helps in mapping the attestation provider in JoinNow for device attestation.
- From the JoinNow Management Portal, go to Policy Management > Device Roles Policies.
- Click Add Device Role Policy.
- In the Basic tab, for Name, enter a name.
- For Description, enter a description.
- Click Save. The page refreshes. Click the Conditions tab.
- From the Identity drop-down, select the Key Attestation provider created in 3.5 Creating a Key Attestation Provider.
- Click Update.
Creating an Enrollment Policy
- Go to Policy Management > Enrollment Policies.
- Click Add Enrollment Policy.
- In the Basic section, in the Name field, enter a name for the policy.
- In the Description field, enter a description for the policy.
- Click Save.
- On the displayed page, click the Conditions tab.
- From the Role drop-down list, select the Role policy you created earlier.
- From the Device Role drop-down list, select the Device Role policy you created earlier (the one mapped to the Key Attestation Provider). Selecting a device role that is not tied to the attestation provider means enrollment will not require attestation.
- Click the Settings tab.
- From the Use Certificate Authority drop-down list, select the Intermediate CA created in 3.1 Creating an Intermediate CA for Kandji ACME Gateway Integration.
- From the Use Certificate Template drop-down list, choose the certificate template you created earlier.
- Click Update.
Configuring Kandji
Configuring Kandji for certificate enrollment via ACME requires:
- Creating a New Blueprint
- Creating a New Library
- Enrolling the Devices to Kandji MDM
Creating a New Blueprint
- In the Kandji portal, on the left pane, click BLUEPRINTS.
- At the top-right corner, click New Blueprint. Select New Classic Blueprint.
- On the displayed window, click +New Blueprint.
- Enter the Blueprint name and Blueprint description in the corresponding fields.
- Click Create Blueprint.
Creating A Kandji Library
- To map the Blueprint to the profile, on the left pane, click LIBRARY and then click Add new.
- On the displayed page, click Custom profile and then click the Add & Configure button.
- Near the gear symbol, enter a name for the profile.
- In the Assignment section, from the Blueprint drop-down list, select the Blueprint you created in Section 4.1 (Creating a New Blueprint)
- From the Install on drop-down list, select the devices for enrollment.
- In the Settings section, in the Profile section, upload/drag and drop the .mobileconfig file obtained from the Management Portal.
- Click Save.
Adding Devices to Kandji MDM
- To add the devices in the MDM, on the left pane, click ADD DEVICES. In the Add Devices section, from the Blueprint drop-down list, select the Blueprint and click Download.
- In the Enrollment Portal section, copy the Enrollment Portal Link, which is sent to users so they can self-enroll their devices.
- Copy the Enrollment Code, which is entered during enrollment to map the device to the Blueprint.
The user opens the URL and enters the Enrollment Code for the required Blueprint to enroll the device in Kandji.
- On the left pane, click DEVICES. The devices added to the Blueprint are displayed on the page.
- Click the added device.
- On the displayed page, at the top-right corner, click the Ellipses icon.
- Click Edit Blueprint Assignment.
- On the displayed window, from the Assign device to the Blueprint drop-down list, select the Blueprint you added.
- Click Change. The profile is pushed to the device automatically and a success message is displayed.
Certificate Issuance
After completing the steps above, the profile is pushed to the device followed by certificate enrollment.
JoinNow Admins can check for successful certificate enrollment under Data and Monitoring > General Events. A Certificate Issued event should be displayed when device certificate enrollment is successful.