Integrating Jamf with JoinNow for ACME Based Issuance
Introduction
SecureW2’s ACME service can cryptographically prove a device is a genuine Apple Product, and confirm its Serial Number using Apple Managed Device Attestation (MDA). MDA is what allows JoinNow Connector to validate a device’s identity and cross-reference it with your MDM to ensure only trusted devices can enroll for certificates.
Traditional SCEP implementations only require a pre-shared key for certificate issuance. With ACME, organizations can ensure that only trusted, managed devices obtain and maintain the certificates used to access critical resources. This guide describes the steps to integrate Jamf MDM with JoinNow’s Cloud Connector so that macOS, iOS, iPadOS, and tvOS devices can enroll for digital certificates via an ACME (Automated Certificate Management Environment) Client Certificate Enrollment token.
Prerequisites
The following are the prerequisites to set up ACME based enrollment:
- iOS devices that support the ACME protocol (version 16 and above).
- Subscription to Jamf Portal.
- JoinNow active subscription along with Enterprise Enrollment and Attestation (EEA).
Setting up ACME with JoinNow
To set up ACME based enrollment in SecureW2, the following high-level steps are required:
- Creating an Intermediate CA
- Creating a Certificate Template
- Creating a Key Attestation Provider
- Creating an ACME API Gateway
- Creating an Identity Lookup Provider
- Policy Management
Creating an Intermediate CA
It is recommended to create a dedicated intermediate CA for devices enrolling through the ACME Gateway integration with Jamf, so that these certificates can be managed separately.
To create a new intermediate CA:
- From your JoinNow Management Portal, go to PKI > Certificate Authorities.
- Click Add Certificate Authority.
- In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
- From the Type drop-down list, select Intermediate CA.
- From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
- For the Common Name field, enter a name. It is recommended to include “ACME” in the name.
- Click Save.
Creating a Certificate Template for Jamf
A certificate template determines how information is encoded in the certificate to be issued by the Certificate Authority. It will consist of a list of certificate attributes and how the information must be encoded in the attribute values.
It is recommended to create a separate template for each MDM platform so that the values passed by each platform are easier to identify. To create a Jamf Certificate Template:
- Navigate to PKI > Certificate Authorities.
- Click Add Certificate Template.
- In the Basic section, for the Name field, enter the name of the certificate template.
- The Subject field can be configured to source values from Jamf. To use the attributes sent from Jamf, enter CN=${/csr/subject/commonname}
- In the Display Description field, enter a suitable description for the certificate template.
- In the Validity Period field, type the validity period of the certificate (based on the requirement).
- From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
- In the SAN section:
- In the Other Name field, enter ${/csr/san/othername}
- In the RFC822 field, enter ${/csr/san/rfc822name}
- In the DNS field, enter ${/csr/san/dnsname}
- In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
- Click Save.
Creating a Key Attestation Provider
A Key Attestation Provider in JoinNow sets up the device attestation service for iOS devices. To create a Key Attestation Provider:
- Log in to JoinNow Management Portal.
- Navigate to Identity Management > Key Attestation Provider.
- Click Add Key Attestation Provider.
- In the Name field, enter a name for your Key Attestation Provider.
- In the Display Description field, enter a description (Optional).
- From the Type drop-down, select Apple.
- Click Save.
Creating an API Gateway in JoinNow
To generate an API Gateway from JoinNow:
- Navigate to Identity Management > API Gateways.
- Click Add API Gateway.
- In the Name field, enter a name for your API Token.
- In the Display Description field, enter a description (Optional).
- From the Type drop-down, select ACME Client Certificate Enrollment Token.
- From the Vendor drop-down, select Jamf.
- Click Save. A .mobileconfig file is downloaded.
Creating an Identity Lookup Provider in JoinNow
To create an Identity Lookup Provider for Jamf ACME based enrollment:
- Navigate to Identity Management > Identity Providers.
- Click Add Identity Provider.
- Enter a Name and Description for the IDP in the respective fields.
- From the Type drop-down list, select Jamf Identity Lookup.
- Click Save.
- Click on the Configuration tab.
- In the Provider URL field, enter the Jamf URL of your organization.
- In the Username field, enter your Jamf username.
- In the Password field, enter your Jamf Password.
- Click Validate to validate your connection with Jamf.
- Set up required attributes in the Attribute Mapping tab.
- Create required groups in the Groups tab.
- Click Update.
Policy Management in JoinNow
Policy Management lets you create lookup policies and roles for user and device groups, which SecureW2 then uses to build custom certificate enrollment policies.
Creating an Account Lookup Policy
An Account Lookup Policy is mapped to the Jamf Identity Lookup provider created earlier so that devices can be looked up in Jamf.
From the JoinNow Management Portal:
- Go to Policy Management > Account Lookup Policies.
- Click Add Account Lookup Policy.
- In the Basic tab, enter a Name and Description in respective fields.
- Click Save. The page refreshes and the Settings tab is displayed. Click on the Settings tab.
- From the Provider drop-down, select the Jamf Lookup IDP created in the previous step.
- From the Lookup Type drop-down, select Custom.
- From the Identity drop-down, select Computer Identity.
- For Lookup Purpose, select the purpose of the account lookup:
- Certificate Issuance – to look up the user/device account during enrollment
- RADIUS Authentication – to look up the user/device account during RADIUS authentication
- Click Update.
Creating a Policy Engine Workflow
- Go to Policy Management > Policy Engine Workflows.
- Click Add Policy Engine Workflows.
- In the Basic section, in the Name field, enter a name for the policy.
- In the Description field, enter a description for the policy.
- Click Save. The page refreshes and automatically selects the Conditions tab.
- In the Conditions section, click the Identity Provider drop-down and select the Identity Lookup Provider you created in the earlier section.
- Click Update.
Creating a Device Role Policy
Device Role Policy helps in mapping the attestation provider in JoinNow for device attestation.
- From the JoinNow Management Portal, go to Policy Management > Device Roles Policies.
- Click Add Device Role Policy.
- In the Basic tab, for Name, enter a name. For Description, enter a description.
- Click Save. The page refreshes and the Conditions tab opens. Click on the Conditions tab.
- From the Identity drop-down, select the Key Attestation Provider created in the Creating a Key Attestation Provider section.
- Click Update.
Creating an Enrollment Policy
- From the JoinNow Management Portal, go to Policy Management > Enrollment Policies.
- Click Add Enrollment Policy.
- In the Basic tab, for Name, enter a name. For Description, enter a description.
- Click Save. The page refreshes and displays the Conditions and Settings tabs.
- In the Conditions section, for Role, select the user role policy you created in the Creating a Policy Engine Workflow section.
- For Device Role, select the device role created in Creating a Device Role Policy section.
- Click on the Settings tab.
- From the Use Certificate Authority drop-down, select the Certificate Authority created for ACME.
- From the Use Certificate Template drop-down, choose the Certificate Template created for ACME.
- Click Update.
Configuring ACME Certificate in Jamf
Log in to the Jamf MDM portal.
- Navigate to Devices > Configuration Profiles.
NOTE: Devices refers to configuration profiles for iOS and iPadOS mobile devices. For macOS, upload the .mobileconfig via Computers > Configuration Profiles.
- Click + New.
- Click on ACME Certificate.
- Click + Add.
- In the ACME directory URL field, enter the “Directory URL” value from the .mobileconfig file downloaded in the Creating an API Gateway in JoinNow section.
- In the Client Identifier field, enter the value corresponding to “ClientIdentifier” in the .mobileconfig file.
- In the Key Size field, enter “384”.
- From the Key Type drop-down list, select ECSECPrimeRandom.
- For the Hardware Bound toggle switch, select True.
- In the Subject field, enter the value corresponding to “Subject” in the .mobileconfig file. The value must be entered in the “/CN=value” format.
- Configure further settings as required and click Save.
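As an added example, not part of this guide or of SecureW2's or Jamf's tooling, the Python helper below reads the downloaded .mobileconfig, returns the Directory URL, Client Identifier and Subject values to copy into the Jamf payload, and flags any key-type, key-size, hardware-bound or attestation setting that differs from the values above. It assumes the profile uses Apple's com.apple.security.acme payload keys; the sample profile, its URL and its identifier are constructed placeholders.

```python
import plistlib

# Constructed stand-in for the .mobileconfig JoinNow downloads: URL and identifier
# are placeholders, not real SecureW2 values. Keys follow Apple's ACME payload.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.security.acme</string>
  <key>DirectoryURL</key><string>https://acme.example.invalid/directory</string>
  <key>ClientIdentifier</key><string>PLACEHOLDER-CLIENT-IDENTIFIER</string>
  <key>Subject</key><array><array><array>
    <string>CN</string><string>PLACEHOLDER-SUBJECT</string></array></array></array>
  <key>KeySize</key><integer>384</integer>
  <key>KeyType</key><string>ECSECPrimeRandom</string>
  <key>HardwareBound</key><true/>
  <key>Attest</key><true/>
</dict></array></dict></plist>"""

# Settings this guide specifies for the Jamf ACME Certificate payload; Attest is
# the Apple key that makes the device present Managed Device Attestation.
EXPECTED = {"KeyType": "ECSECPrimeRandom", "KeySize": 384,
            "HardwareBound": True, "Attest": True}


def load_acme_payload(data: bytes) -> dict:
    """Return the first com.apple.security.acme payload in a .mobileconfig."""
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.security.acme":
            return payload
    raise ValueError("profile contains no ACME payload")


def subject_to_jamf(subject) -> str:
    """Render Subject as the '/CN=value' string Jamf expects; accepts Apple's
    nested form [[["CN", "value"]]] or a plain 'CN=value' string."""
    if isinstance(subject, str):
        return subject if subject.startswith("/") else "/" + subject
    return "/" + "/".join("=".join(pair) for rdn in subject for pair in rdn)


def jamf_acme_fields(payload: dict) -> dict:
    """Values to copy into Jamf plus warnings for settings that differ from EXPECTED."""
    warnings = [f"{key} should be {want!r}, found {payload.get(key)!r}"
                for key, want in EXPECTED.items() if payload.get(key) != want]
    return {
        "directory_url": payload["DirectoryURL"],
        "client_identifier": payload["ClientIdentifier"],
        "subject": subject_to_jamf(payload["Subject"]),
        "warnings": warnings,
    }
```

Run it against the real download before pushing the profile; an empty warnings list means the Jamf payload matches the hardware-bound P-384 attested-key settings this guide calls for.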