Deploy Client Certificates via SCEP to Jamf Managed Devices

When using certificate-driven authentication for your Wi-Fi network, the way you issue client certificates to your devices is important. With devices managed by an MDM such as Jamf, Simple Certificate Enrollment Protocol (SCEP) can simplify the process.

SCEP allows digital certificates to be issued and managed automatically. It eliminates the need for human interaction by letting devices automatically seek and receive certificates from a Certificate Authority (CA). SCEP allows businesses to greatly improve their security by doing away with the weaknesses of password-based authentication.

SCEP, when used in tandem with Jamf, streamlines the process of issuing client certificates to devices under Jamf’s control. This simplified method automates the enrollment of certificates without requiring complicated settings from end users. In this configuration guide, you’ll learn how to set up SCEP profiles in Jamf, which will facilitate the easy rollout of client certificates and increase the safety of your wireless network.

Configuring EAP-TLS and SCEP for SecureW2 Managed Device Gateway API:

EAP-TLS (Extensible Authentication Protocol – Transport Layer Security) is a lightweight, highly secure and widely used authentication method within the flexible EAP authentication architecture. It uses the security properties of the TLS protocol to build a protected communication channel between the client device and the authentication server. EAP-TLS passes EAP messages between the client and the server, and these messages carry the certificates and key material required for mutual authentication. Unlike other EAP methods such as EAP-Password, EAP-PEAP, EAP-PSK or EAP-TTLS, EAP-TLS does not send plaintext passwords over the network, which makes it highly resistant to password eavesdropping and dictionary attacks. Instead, it relies on digital certificates and private keys to provide the confidentiality and integrity of the authentication process.

Setting up EAP-TLS and SCEP with SecureW2’s Managed device gateway is essential for ensuring secure certificate-based authentication. Here’s a step-by-step guide.

  1. Using SecureW2’s PKI Services, begin by configuring the Intermediate CA, the certificate format, and the SCEP Gateway URL.
  2. In the Jamf management portal, upload your new Signing Certificate.
    • Your network will now trust the issued certificates and will integrate with Access Points from all major vendors.
  3. Enter the SCEP URL as the channel through which the certificates will be distributed.
  4. Prepare the Jamf Wi-Fi and SCEP Profiles for macOS and iOS devices.
    • The certificate payload and Wi-Fi payload will be delivered via the SCEP URL and will equip devices with trusted certificates and your organization’s customized wireless settings.
  5. Once completed, devices can begin requesting certificates and be configured for a WPA2-Enterprise EAP-TLS network protected by certificate-based security.
    • Managed devices will be authenticated by an existing RADIUS server from any major vendor or by SecureW2’s Cloud RADIUS.

Prerequisites:

These are the prerequisites for setting up a SCEP profile on Jamf:

Configuring a SCEP Gateway for certificate enrollment with SecureW2

Setting up a SCEP gateway is a critical part of certificate authority administration and safe certificate deployment. SCEP streamlines certificate enrollment inside an organization by allowing client certificates to be obtained smoothly through certificate signing requests. Part of this procedure is configuring an issuing Intermediate Certificate Authority (CA), which sits between the root CA and end-user devices. The SCEP gateway ensures that client certificates are issued with suitable security controls by handling certificate requests, validity periods, and certificate templates. The SCEP gateway is also important for certificate revocation, allowing expired or compromised certificates to be processed effectively and preserving the overall security of the certificate management process. Organizations can use the SCEP gateway to install and maintain server certificates and client certificates, ensuring secure communication and data protection throughout their network security architecture.

Here’s a detailed explanation of creating an issuing Intermediate certificate authority:

Creating an Issuing Intermediate CA used for SCEP Certificate Enrollment

As a best practice, SecureW2 recommends having a new intermediate CA for JoinNow SCEP Gateway integration with Jamf. The CA issuing certificates to BYOD devices should be separate from the CA issuing certificates to managed devices, because managed devices don’t require email notifications. You can disable email notifications for the dedicated CA issuing certificates to Jamf managed devices.

To create a new intermediate CA:

    1. From your JoinNow MultiOS Management Portal, go to PKI > Certificate Authorities.
    2. Click Add Certificate Authority.
    3. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
    4. From the Type drop-down list, select Intermediate CA.
    5. From the Certificate Authority drop-down, select the default Root CA that comes with your organization.
    6. For the Common Name field, enter a name. SecureW2 recommends a name that includes ‘SCEP’.
    7. Click Save. This generates the new intermediate CA.

Create JAMF Signed Certificate

NOTE: The CA that is configured in Policy Management > Enrollment Policies to issue certificates for Jamf enrollment requests should be the same CA with which you create this signing certificate.

To create the Jamf signing certificate:

  1. In the JoinNow MultiOS Management Portal, go to PKI > Create Certificate.
  2. In the Device Info section, select an operating system from the Operating System drop-down list.
  3. For User Description, enter a description.
  4. In the MAC Address field, enter the MAC address of the device.
  5. In the Certificate section, from the Certificate Authority drop-down list, select the intermediate CA to use for issuing certificates to clients via SCEP (created in the Create Intermediate CA for SCEP Gateway Integration section).
  6. For Common Name, enter the common name (example: ‘Jamf Signing Certificate’).
  7. In the Validity Period field, type the validity period of the certificate (based on your requirement).
  8. From the Key Size drop-down list, select a key size.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request.
  10. Select the Include Entire Certificate Chain checkbox. This is mandatory.
  11. In the SAN section, enter the following values:
    • For the RFC822 field, enter ${/auth/email:/device/userDescription}.
    • For the Other Name field, enter ${/auth/upn:/device/clientId}.
  12. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  13. Click Create to download the PKCS12 file.
  14. Enter a password of your choice when the Password for private key prompt opens. Click Submit.

Creating the SCEP Certificate Template for Enhanced Certificate Management

Setting up a tailored SCEP certificate template is a pivotal step in certificate management. To create the Jamf certificate template, perform the following steps:

  1. Navigate to PKI > Certificate Authorities > Certificate Templates > Add Certificate Template.
  2. In the Name field, enter the desired name.
  3. In the Subject field, enter CN=${/auth/displayName:/device/identity}.
  4. In the Validity Period field, type the validity period of the certificate (based on requirement).
  5. In the Override Validity Period field, choose a specific date to bypass the validity period.
  6. Select the signature algorithm for the certificate signing request from the Signature Algorithm drop-down list.
  7. Under SAN, enter the following values:
    • In the DNS field, enter ${/device/computerIdentity:/device/buildModel}.
    • In the RFC822 field, enter ${/auth/email:/device/userDescription}.
    • In the Other Name field, enter ${/auth/upn:/device/clientId}.
  8. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  9. Click Save.

Generate SCEP URL and Shared Secret

To generate the SCEP URL and secret:

    1. From your JoinNow MultiOS Management Portal, go to Identity Management > API Tokens.
    2. Click Add API Token.
    3. In the Basic section, enter the name and description for the API token.
    4. From the Type drop-down list, select SCEP Enrollment Token.
    5. From the SCEP Vendor drop-down list, select JAMF.
    6. From the Certificate Authority drop-down list, select a CA. If you do not select a CA, the organization CA is chosen by default.
    7. Select the Enable Auto Revocation checkbox for certificate auto-revocation.
    8. In the Server URL field, enter the JAMF server URL.
    9. In the Authentication section, enter the credentials of a Read Only user. To create a Read Only user:
      1. Log in to the Jamf portal.
      2. Click the Settings icon at the top-right corner.
      3. Click Jamf Pro User Accounts & Groups.
      4. Click the + New button.
      5. From the Choose an Action list, select the Create Standard Account option and click Next.
      6. In the Account tab:
        • In the Username field, enter a username for the account.
        • From the Privilege Set drop-down list, select Custom.
        • Enter the other details, such as email address, password, and so on, in the respective fields.
      7. Click the Privileges tab and select the READ checkbox for the following items:
        • Mobile Devices
        • Smart Computer Groups
        • Smart Mobile Device Groups
        • Static Computer Groups
        • Static Mobile Device Groups
        • Computers
    10. Click Save.
    11. In the Revocation Group section, enter the names of the computer and mobile device groups that contain the devices whose certificates are to be revoked. There are two kinds of groups you can create and add to the Revocation Group list:
      • Smart Device/Computer Groups (revocation of devices/computers is based on criteria)
      • Static Device/Computer Groups (revocation of devices/computers is based on explicit assignment)
    12. To add Smart Device Groups:
      1. Log in to the Jamf portal.
      2. Click Devices and navigate to Smart Device Groups.
      3. Click New.
      4. In the Display Name field, enter a name for your group.
      5. Click the Criteria tab and click Add.

        NOTE: There is a list of criteria you can build a group on and add devices to. In our example, we revoke based on Last Inventory Update. With this criterion, Jamf syncs with a managed device on a regular basis, and when no update between the device and Jamf has occurred for a period of time, the certificate on the device is automatically revoked.

        Please refer to Smart Groups for more information on Smart Device/Computer group configurations.

      6. Click Choose.
      7. From the Operator drop-down list, choose the period type or date on which revocation should be based.
      8. Enter the date or number of days in the Value field. In our example, the operator selected is more than x days ago and the Value is 10, so if no update between Jamf and the device has occurred for more than 10 days, all certificates on the device are revoked.
      9. Click Save. The Smart Device Group is created.

      NOTE: To set up Smart Computer Groups, click Computers, navigate to Smart Computer Groups, and follow steps 3 to 8 above. The steps are the same for computer groups.

    13. To add Static Device Groups:
      1. Log in to the Jamf portal.
      2. Click Devices and navigate to Static Device Groups.
      3. Click New.
      4. In the Display Name field, enter a name for your group.
      5. Click the Assignments tab.
      6. Select the devices you want to add to this group by clicking their checkboxes.
      7. Click Save.

      NOTE: To set up Static Computer Groups, click Computers, navigate to Static Computer Groups, and follow steps 3 to 7 above. The steps are the same for computer groups.

    14. Click the Test Connection button to verify that the connection works.
    15. Click Save. A .csv file containing the API secret and Enrollment URL is downloaded. In addition, the Enrollment URL is displayed on the screen.

NOTE: Save this file securely. This file is downloaded only once at the time of token creation. If you lose this file, you can’t retrieve the token or secret.

NOTE: You can also refer to the steps in Configuring API Tokens (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide in our JoinNow MultiOS Management Portal.
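To make the auto-revocation behaviour concrete, here is an added example (not SecureW2 or Jamf code) that models how a smart revocation group built on the Last Inventory Update criterion, together with a static revocation group, translates into the set of devices whose certificates the gateway would revoke on its next check. The device records, group names, fixed clock and the two operator labels are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Device:
    """Minimal model of a Jamf inventory record (constructed for this example)."""
    name: str
    last_inventory_update: Optional[datetime]      # None: never reported inventory
    static_groups: frozenset = field(default_factory=frozenset)


@dataclass
class SmartGroup:
    """A smart group with a single Last Inventory Update criterion."""
    name: str
    operator: str   # "more than x days ago" or "before" (labels assumed here)
    value: object   # number of days for "more than x days ago", a date for "before"


def matches_last_inventory_update(device, group, now):
    """Evaluate the group's criterion against one device."""
    last = device.last_inventory_update
    if group.operator == "more than x days ago":
        # A device that never reported inventory is treated as stale here;
        # this is the example's choice, not a statement about Jamf's behaviour.
        if last is None:
            return True
        return (now - last) > timedelta(days=int(group.value))
    if group.operator == "before":
        return last is not None and last.date() < group.value
    raise ValueError(f"unsupported operator: {group.operator!r}")


def devices_to_revoke(devices, smart_groups, static_group_names, now):
    """Return the sorted names of devices whose certificates should be revoked.

    A device is revoked when it currently falls into any configured smart
    revocation group or is assigned to any configured static revocation group.
    """
    revoke = set()
    wanted_static = set(static_group_names)
    for d in devices:
        if any(matches_last_inventory_update(d, g, now) for g in smart_groups):
            revoke.add(d.name)
        if d.static_groups & wanted_static:
            revoke.add(d.name)
    return sorted(revoke)


# Constructed sample inventory; "now" is fixed so the result is reproducible.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    Device("ipad-01", NOW - timedelta(days=2)),
    Device("ipad-02", NOW - timedelta(days=14)),                            # stale
    Device("mac-01", NOW - timedelta(days=5), frozenset({"Lost or Stolen"})),  # static
    Device("mac-02", NOW - timedelta(days=10)),                             # exactly 10 days: not "more than"
    Device("mac-03", None),                                                 # never checked in
]
STALE_GROUP = SmartGroup("Stale Devices", "more than x days ago", 10)


def sample_result():
    """The page's example: more than 10 days without an inventory update, plus a static group."""
    return devices_to_revoke(SAMPLE_DEVICES, [STALE_GROUP], ["Lost or Stolen"], NOW)


def sample_result_before():
    """Same inventory, using a fixed date criterion instead of a day count."""
    old = SmartGroup("Old Inventory", "before", NOW.date() - timedelta(days=7))
    return devices_to_revoke(SAMPLE_DEVICES, [old], [], NOW)


if __name__ == "__main__":
    print(sample_result())         # ['ipad-02', 'mac-01', 'mac-03']
    print(sample_result_before())  # ['ipad-02', 'mac-02']
```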

Create User Role Policy

To create a user role policy:

    1. From the JoinNow MultiOS Management Portal, go to Policy Management > Role Policies.
    2. Click Add Role.
    3. Select the Basic tab.
    4. For Name field, enter a name.
    5. For the Description field, enter a description.
    6. Click Save. The page refreshes and automatically selects the Conditions tab.
    7. In the Conditions section, click the Identity Provider drop-down and select the SCEP Token you created in Generate SCEP URL and Shared Secret section.
    8. Click Update.

Creating a SCEP Enrollment Policy

To create an enrollment policy:

    1. From the JoinNow MultiOS Management Portal, go to Policy Management > Enrollment Policies.
    2. Click Add Enrollment Policy.
    3. In the Basic tab, for Name, enter a name.
    4. For Description, enter a description.
    5. Click Save. The page refreshes and displays the Conditions and Settings tabs.
    6. In the Conditions section, for User Role, select the user role policy you created in the Create User Role Policy section.
    7. For Device Role, select Admin Device.
    8. Select the Settings tab.
    9. In the Settings section, click the Use Certificate Authority drop-down list and select the intermediate CA you created in the Create Intermediate CA for SCEP Gateway Integration section.
    10. Click Update.

Set Up Certificate Enrollment via SCEP on JAMF

Before we can set up the SCEP Profile in Jamf, we need to configure our SecureW2 Certificate Authority as an External Certificate Authority in Jamf. To configure a Jamf Profile for the Simple Certificate Enrollment Protocol (SCEP), we first configure our CA in the Global Management settings.

    1. From your Jamf Pro console, click Settings > Global Management.
    2. Click PKI Certificates.
    3. Select the Management Certificate Template tab, then select External CA and click Edit.
    4. Select the Enable Jamf Pro as SCEP Proxy for configuration profiles checkbox.
    5. For the URL, enter the new SCEP URL you saved in the CSV file.

      NOTE: Write to support@securew2.com to confirm that this URL works with the intermediate CA you configured in the Create an Enrollment Policy section. You can proceed with the remaining steps in the meantime and write to SecureW2 support should you notice any failure.

    6. Click the SUBJECT ALTERNATIVE NAME TYPE drop-down and select None.
    7. Click the CHALLENGE TYPE drop-down and select Static.
    8. For CHALLENGE and VERIFY CHALLENGE, enter the Secret from the CSV file you downloaded.
    9. Click the KEY SIZE drop-down and select 2048. SecureW2 does not recommend selecting 1024. Click Save.
    10. Under Signing Certificate, click Change Signing and CA Certificates to upload the signing certificate you created in the Create Jamf Signing Certificate section.

      NOTE: The signing certificate must be a certificate signed by the intermediate CA that is used for certificate enrollment and should include the complete CA chain (signing certificate, intermediate CA certificate, and root CA certificate).

Set up Certificate Enrollment Using the PKI Certificate Assistant:

Now that we have configured the External Certificate Authority settings, we need to upload the Jamf Signing Certificate that we created in SecureW2, into the Jamf Public Key Infrastructure Certificate Assistant.

    1. On the Upload Keystore step, click Choose File and upload the PKCS12 file you downloaded in the Create Jamf Signing Certificate section.
    2. Click Next.
    3. On the Enter Password step, enter the password you entered in the Password for private key prompt in the Create JAMF Signing Certificate section when you created the certificate.
    4. Click Next.
    5. On the Choose Certificate step, for the CHOOSE CERTIFICATE drop-down, verify the correct CA certificate is selected. Also, verify the correct certificate chain is shown.
    6. Click Next.
    7. On the Upload CA Certificate step, click Next to skip the upload. The CA certificate is already present in PKCS12.
    8. On the Complete step, click Done.

Set Up JAMF Configuration Profiles for SCEP & WPA2-Enterprise

This section will walk you through creating Jamf configuration profiles for iOS and macOS devices, allowing for seamless SCEP certificate enrollment and WPA2-Enterprise security.

Set Up a Jamf Configuration Profile for iOS

To set up a Jamf configuration profile for iOS:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click New.

    NOTE: To update an existing configuration profile, click Edit for the profile.

  3. Select Options > General.
  4. For NAME, enter a name.
  5. For DESCRIPTION, enter a description.
  6. Click the DISTRIBUTION METHOD drop-down and select Install Automatically or Available in Self Service.
  7. Select Options > SCEP.
  8. Click Configure.
  9. Check the box for Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile.
  10. For NAME, enter the common name of the intermediate CA that will be issuing the certificate for the client. You can find the common name in your JoinNow MultiOS Management Portal.
  11. For SUBJECT and SUBJECT ALTERNATIVE NAME, enter a value that will help the admin identify the device. If you wish, you can make this a static value.
    • Examples:
      • CN=$DEVICENAME
      • CN=$UDID
      • CN=$SERIALNUMBER

        NOTE: What you enter for SUBJECT and SUBJECT ALTERNATIVE NAME are referred to as payload variables, and define the common name that you want to be encoded on certificates.

        NOTE: You can find available iOS payload variables in the Mobile Device Configuration Profiles.

  12. For SUBJECT ALTERNATIVE NAME TYPE, click the drop-down and select RFC 822 Name. This is mandatory.

    Enter the payload variables. The values returned by these variables will be encoded as the Subject Alternative Name attributes on issued certificates. You must define three payload variables, each separated by a double semicolon.
    • Examples:
      • $USERNAME;;$MACADDRESS;;$UDID
      • $USERNAME;;$MACADDRESS;;$EMAIL
  13. Click Save and then click Done.
  14. Enter the number of days prior to certificate expiration that the system should begin to display the expiration notice.
  15. In Profile, in the Scope section, update the scope for the devices to which the configuration profile will be pushed.

    NOTE: If you want to make changes to JAMF as SCEP proxy in Settings > Global Management > PKI Certificates > Management Certificate Template > External CA, first disable Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile. If you proceed without disabling this, it will affect the corresponding profile that is using JAMF as SCEP proxy.
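The SUBJECT and SUBJECT ALTERNATIVE NAME strings in the SCEP payload are easy to get wrong (a single semicolon, a missing third variable, a misspelled variable), and the same rules apply to the macOS profile below. Here is an added example, not Jamf or SecureW2 code, that checks both fields against the rules stated in these steps and expands them for one device record; the variable set is limited to the names used on this page, and the device values are constructed.

```python
import re

# Payload variables named on this page. This set is an assumption of the
# example; extend it from Jamf's configuration profile documentation as needed.
KNOWN_VARIABLES = {
    "$USERNAME", "$EMAIL", "$MACADDRESS", "$UDID", "$DEVICENAME", "$SERIALNUMBER",
}
_SUBJECT_RE = re.compile(r"^CN=(\$[A-Z]+)$")


def validate_subject(subject: str) -> str:
    """Accept exactly 'CN=$VARIABLE' with a known variable; return the variable."""
    m = _SUBJECT_RE.match(subject)
    if not m or m.group(1) not in KNOWN_VARIABLES:
        raise ValueError(f"subject must be CN=<known payload variable>, got {subject!r}")
    return m.group(1)


def validate_san(san: str) -> list:
    """Require exactly three known variables separated by double semicolons."""
    # Any semicolon left after removing the ';;' separators is a stray single one.
    if ";" in san.replace(";;", ""):
        raise ValueError("variables must be separated by a double semicolon (;;)")
    parts = san.split(";;")
    if len(parts) != 3:
        raise ValueError(f"expected exactly 3 payload variables, got {len(parts)}")
    unknown = [p for p in parts if p not in KNOWN_VARIABLES]
    if unknown:
        raise ValueError(f"unknown payload variable(s): {unknown}")
    return parts


def is_valid_san(san: str) -> bool:
    """Boolean convenience wrapper around validate_san."""
    try:
        validate_san(san)
        return True
    except ValueError:
        return False


def render(subject: str, san: str, device: dict) -> dict:
    """Expand both fields for one device; a missing or empty value is an error,
    since it would otherwise end up as an empty name on the issued certificate."""
    cn_var = validate_subject(subject)
    san_vars = validate_san(san)
    values = {}
    for var in [cn_var, *san_vars]:
        if not device.get(var):
            raise ValueError(f"device has no value for {var}")
        values[var] = device[var]
    return {
        "subject": f"CN={values[cn_var]}",
        "san": [values[v] for v in san_vars],   # encoded as RFC 822 Name entries
    }


# Constructed device record (not real data).
SAMPLE_DEVICE = {
    "$USERNAME": "jdoe",
    "$EMAIL": "jdoe@example.com",
    "$MACADDRESS": "00:11:22:33:44:55",
    "$UDID": "0000-EXAMPLE-UDID",
    "$SERIALNUMBER": "C02EXAMPLE",
}


def sample():
    """The page's second SAN example with a serial-number subject."""
    return render("CN=$SERIALNUMBER", "$USERNAME;;$MACADDRESS;;$EMAIL", SAMPLE_DEVICE)


if __name__ == "__main__":
    print(sample())
```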

Set Up JAMF Configuration Profile for macOS

To set up a Jamf configuration profile for macOS:

  1. From your Jamf Pro console, go to Computers > Configuration Profiles.
  2. Click New.

    NOTE: To update an existing configuration profile, click Edit for the profile.

  3. Select Options > General.
  4. For NAME, enter a name.
  5. For DESCRIPTION, enter a description.
  6. Click the DISTRIBUTION METHOD drop-down list and select Install Automatically or Available in Self Service.
  7. Click the LEVEL drop-down list and select Computer Level.
  8. Select Options > SCEP.
  9. Click Configure.
  10. Select the Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile checkbox.
  11. For NAME, enter the common name of the intermediate CA that will be issuing the certificate for the client. You can find the common name in your SecureW2 Management Portal.
  12. For SUBJECT and SUBJECT ALTERNATIVE NAME, enter a value that will help the admin identify the device. If you wish, you can make this a static value.
    • Examples:
      • CN=$DEVICENAME
      • CN=$UDID
      • CN=$SERIALNUMBER

    NOTE: What you enter for SUBJECT and SUBJECT ALTERNATIVE NAME are referred to as payload variables, and define the common name that you want to be encoded on certificates.

    NOTE: You can find available macOS payload variables in the Computer Configuration Profiles.

  13. For SUBJECT ALTERNATIVE NAME TYPE, click the drop-down list and select RFC 822 Name. This is mandatory.

    Enter the payload variables. The values returned by these variables will be encoded as the Subject Alternative Name attributes on issued certificates. You must define three payload variables, each separated by a double semicolon.
    • Examples:
      • $USERNAME;;$MACADDRESS;;$UDID
      • $USERNAME;;$MACADDRESS;;$EMAIL
  14. Click Save and then click Done.
  15. Enter the number of days prior to certificate expiration that the system should begin to display the expiration notice.
  16. In Profile, in the Scope section, update the scope for the devices to which the configuration profile will be pushed.

    NOTE: If you want to make changes to JAMF as SCEP proxy in Settings > Global Management > PKI Certificates > Management Certificate Template > External CA, first disable Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile. If you proceed without disabling this, it will affect the corresponding profile that is using JAMF as SCEP proxy.

Set Up the Certificate Payload for RADIUS Server Certificate Validation

This section explains how to set up the certificate payload so our devices can perform Server Certificate Validation. This is a form of server authentication that is a standard part of any Extensible Authentication Protocol (EAP) method. Since Cloud RADIUS will be the authentication server, you must upload the CA certificate that issued its RADIUS server authentication certificate.

If your RADIUS server certificate also has one or more intermediate CA certificates as part of the certificate chain, you can add those certificates (Root and Intermediate) in this payload.

NOTE: Do not upload the actual RADIUS server certificate.

To set up the certificate payload:

    1. From your Jamf Pro console, go to Devices > Configuration Profiles.
    2. Click Edit for the configuration profile you want to configure.
    3. Select Options > Certificate.
    4. Click Configure.
    5. For CERTIFICATE NAME, enter the name of the certificate you’re adding. This will be the Common Name (Issued To name).
    6. For SELECT CERTIFICATE OPTION, click the drop-down list and select Upload.
    7. Click Upload Certificate.
    8. In the Certificate popup, click Choose File and select the CA certificate you want to upload.
    9. Click Upload.
    10. After the certificate uploads, click Save.

      NOTE: If your setup has more than one RADIUS server for validation, you can add more than one Common Name with the same certificate payload configuration.

Configure Wi-Fi Payload for 802.1x

To set up the Wi-Fi payload:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Wi-Fi.
  4. Click Configure.
  5. For SERVICE SET IDENTIFIER (SSID), enter a name.
  6. Select any other relevant settings, such as Hidden Network, Auto Join, and/or Disable Captive Network Detection.
  7. For SECURITY TYPE, click the drop-down list and select WPA2-Enterprise.
  8. Select Protocols, and for Accepted EAP Types, check the box for TLS.
  9. Select Trust, and for Trusted Certificates, check the box for the certificate you uploaded.

    NOTE: Along with validating a RADIUS server by certificates, you should also specify the RADIUS server certificate names for validation as an additional security measure. This is available in the Wi-Fi payload when you enable the certificate you just uploaded.
  10. For CERTIFICATE COMMON NAME, click Add.
  11. In the field that appears, enter the name of the RADIUS server used for validation, and then click Save.
  12. Click the Protocols tab. From the Identity Certificate drop-down list, select the CA from the SCEP payload.
  13. At the bottom right, click Save to save the Wi-Fi payload.

    NOTE: Using the previous steps for Devices and Computers, both iOS and macOS devices can be configured for Wi-Fi.

    When a device successfully enrolls, the Configuration Profiles table shows an increased value for Completed.

Secure EAP-TLS 802.1x with SecureW2's SCEP Gateway

In the past, issuing certificates to all the devices on a network was a challenge. With Jamf and SecureW2’s SCEP gateways, this problem has a simple and elegant solution. Organizations can eliminate the need for pre-shared keys and improve the overall effectiveness of authentication by following the steps described in this article and configuring Jamf to issue certificates.

SecureW2 doesn’t just make issuing certificates to Jamf-managed devices easy; it also simplifies revoking certificates with our Auto-Revocation feature. With auto-revocation, our managed device gateways check the configured smart and static groups in Jamf every few minutes, and the certificates of devices found in those groups are automatically revoked.

This setup has several advantages, including automating certificate enrollment and revocation procedures. Certificates issued by SecureW2’s PKI Platform can be used for more than only Jamf-managed devices, including Bring Your Own Device (BYOD) Wi-Fi, Virtual Private Network (VPN), Web application authentication, and PIV-backed Smart Cards. 


Jamf is a registered trademark in the United States of America and/or other countries. All other trademarks, logos, and service marks mentioned on this website are the property of SecureW2 or their respective owners.