Configuring EAP-TLS & SCEP with Jamf

Implementing secure Wi-Fi is difficult, and it can leave you wondering which network authentication method is ideal for your Jamf-managed devices.

For maximum security and authentication efficiency, a WPA2-Enterprise / 802.1x network using certificate-based authentication (EAP-TLS) is the way to go. By eliminating credentials and relying on certificates for authentication, you avoid the drawbacks of passwords: they are easily compromised, they require reset policies, and they make for a poor authentication experience.

Additionally, administrators’ visibility and identity context improve significantly. Certificates let you see exactly who is on the network by putting a name to every network connection. Investing in a PKI also opens the door to SSL decryption, so you can ensure every user follows your organization’s content policies and no SSL-encrypted malware gets onto your network.

To equip your Jamf devices with certificates efficiently, the best option is a SCEP Gateway. Once a SCEP payload is sent out, devices do not need to be configured for certificates manually; they are enrolled automatically through the SCEP Gateway with no end-user interaction required. Using SecureW2’s Managed Device Gateway APIs, you can enroll every Jamf-managed device with a certificate.

To configure the SecureW2 Managed Device Gateway API:

  1. Using SecureW2’s PKI Services, begin by configuring the Intermediate CA, the certificate format, and the SCEP Gateway URL.
  2. In the Jamf management portal, upload your new Signing Certificate.
    • Certificates will now be trusted by your network and will integrate with Access Points from all major vendors.
  3. Enter the SCEP URL as the channel through which the certificates will be distributed.
  4. Prepare the Jamf SCEP and Wi-Fi Profiles for macOS and iOS devices.
    • The certificate payload and Wi-Fi payload will be sent via the SCEP URL and will equip devices with trusted certificates and your organization’s customized wireless settings.
  5. Once completed, devices can begin requesting certificates and be configured for a WPA2-Enterprise EAP-TLS network protected by certificate-based security.
    • Managed devices will be authenticated by an existing RADIUS Server from any major vendor, or by SecureW2’s Cloud RADIUS.

Prerequisites:

These are the prerequisites for setting up SCEP on Jamf:

  • End users can enroll their devices with Jamf.
  • You created the certificate for Apple push notifications and uploaded it in Jamf.

Configuring SCEP Enrollment for EAP-TLS in SecureW2

To set up certificate enrollment through SCEP:

  1. Create an Intermediate CA for SCEP Gateway Integration
  2. Create a Jamf Signing Certificate
  3. Generate a SCEP URL and Secret
  4. Add the Intermediate CA-ID to the SCEP URL
  5. Create a User Role Policy
  6. Create an Enrollment Policy

Create an Intermediate CA for SCEP Gateway Integration

As a best practice, SecureW2 recommends having a new intermediate CA for JoinNow SCEP Gateway integration with Jamf. The CA issuing certificates to BYOD devices should be separate from the CA issuing certificates to managed devices, because managed devices don’t require email notifications. You can disable email notifications for the dedicated CA issuing certificates to Jamf managed devices.

To create a new intermediate CA:

  1. From your SecureW2 Management Portal, go to PKI Management > Certificate Authorities.
  2. Click Add Certificate Authority.
  3. In the Basic section, click the Type dropdown and select Intermediate CA.
  4. Click the Certificate Authority dropdown and select the default Root CA that comes with your organization.
  5. For Common Name, enter a name. SecureW2 recommends a name that includes ‘SCEP’.
  6. Click Save. This generates the new intermediate CA.

Create a Jamf Signing Certificate

Note: The CA that is configured in Policy Management > Enrollment to issue certificates for Jamf enrollment requests should be the same CA with which you create this signing certificate.

To create a Jamf signing certificate:

  1. From your SecureW2 Management Portal, go to PKI Management > Create Certificate.
  2. In the Device section, click the OS dropdown and select an operating system.
  3. For User Description, enter a description.
  4. For MAC Address, enter a unique MAC address.
  5. In the Certificate section, click the Certificate Authority dropdown and select the intermediate CA to use for issuing certificates to clients using SCEP.
  6. For Common Name, enter the common name (example: ‘Jamf Signing Certificate’).
  7. For Validity Period, enter a long validity period.
  8. Click the Key Size dropdown and select a key size.
  9. Click the Signature Algorithm dropdown and select a signature algorithm.
  10. Check the box for Include Entire Certificate Chain. This is mandatory.
  11. Click Create to download the PKCS12 file.

Create a Jamf Certificate Template

To create a Jamf Certificate Template, perform the following steps:

  1. Navigate to PKI Management > Certificate Authorities > Certificate Templates > Add Certificate Template.
  2. Name this template Jamf Certificate Template.
  3. Set the template fields as follows:
    • Subject: CN=${/auth/displayName:/device/identity}
    • Validity Period: <admin would choose this based on their requirement>
    • SAN DNS: ${/device/computerIdentity:/device/buildModel}
    • SAN RFC822: ${/auth/email:/device/userDescription}
    • SAN Other Name: ${/auth/upn:/device/clientId}

Generate a SCEP URL and Secret

To generate the SCEP URL and secret:

  1. From your SecureW2 Management Portal, go to Identity Management > API Tokens.
  2. Click Add API Token.
  3. For Name, enter a name.
  4. Click the Type dropdown and select SCEP Enrollment Token.
  5. Click the Scep Vendor dropdown and select JAMF.
  6. Click Save. This downloads a .csv file containing the SCEP URL and secret.

Note: Save this file securely. This file is downloaded only once at the time of token creation. If you lose this file, you can’t retrieve the token or secret.

Note: You can also refer to the steps in Configuring API Tokens (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide in our Management Portal.

Add the Intermediate CA-ID to the SCEP URL

To add the intermediate CA-ID to the SCEP URL:

  1. From your SecureW2 Management Portal, go to PKI Management > Certificate Authorities.
  2. For the CA you created in the section “Create an Intermediate CA for SCEP Gateway Integration”, click View.
  3. In the CRL section, in Base or Delta, copy the URL.
  4. Paste the Base/Delta URL into a blank document.
  5. Open the CSV file you downloaded in the section “Generate a SCEP URL and Secret”.
  6. Copy the SCEP URL and paste it into the blank document with the Base/Delta URL.
  7. From the Base/Delta URL, copy the CA-ID portion.
  8. In the SCEP URL, replace the existing CA-ID portion with the one you copied from the Base/Delta URL.
  9. Copy the new SCEP URL and paste it into the .csv file.
  10. Save the .csv file.

Create a User Role Policy

To create a user role policy:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. Click Add Role Policy.
  3. Select the Basic tab.
  4. For Name, enter a name.
  5. For Description, enter a description.
  6. Click Save.
  7. Select the Conditions tab.
  8. In the Conditions section, click the Identity Provider dropdown and select the SCEP Token you created in the previous section.
  9. Click Update.

Create an Enrollment Policy

To create an enrollment policy:

  1. From your SecureW2 Management Portal, go to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. For Name, enter a name.
  4. For Description, enter a description.
  5. Click Save.
  6. Select the Conditions tab.
  7. In the Conditions section, for User Role, select the user role policy you created in the previous section.
  8. For Device Role, select Any Device.
    • Note: You must select a User Role and Device Role for enrollment. You can use a fallback device policy to allow enrollment based on user role policy.
  9. Select the Settings tab.
  10. In the Settings section, click the Use Certificate Authority dropdown and select the intermediate CA you created in the section “Create an Intermediate CA for SCEP Gateway Integration”.
  11. Click the Use Certificate Template dropdown and select DEFAULT CERTIFICATE TEMPLATE 1.
  12. Click Update.

Set Up Certificate Enrollment via SCEP on JAMF

To set up certificate enrollment via SCEP on JAMF:

  1. From your Jamf Pro console, go to Settings > Global Management.
  2. Click PKI Certificates.
  3. Select the Management Certificate Template tab, then select External CA and click Edit.
  4. Check the box for Enable Jamf Pro as SCEP Proxy for configuration profiles.
  5. For URL, enter the SCEP URL from the CSV file you downloaded in the section “Generate a SCEP URL and Secret”.
    • Note: Write to support@securew2.com to confirm that this URL works with the intermediate CA you configured in the section “Create an Enrollment Policy”. However, you can proceed with the remaining steps, and write to SecureW2 support should you notice any failure.
  6. Click the SUBJECT ALTERNATIVE NAME TYPE dropdown and select None.
  7. Click the CHALLENGE TYPE dropdown and select Static.
  8. For CHALLENGE and VERIFY CHALLENGE, enter the Secret from the CSV file you downloaded.
  9. Click the KEY SIZE dropdown and select 2048. SecureW2 does not recommend selecting 1024.
  10. Under Signing Certificate, click Change Signing and CA Certificates to upload the signing certificate you created in the section “Create a Jamf Signing Certificate”.
    • Note: The signing certificate must be a certificate signed by the intermediate CA that is used for certificate enrollment and should include the complete CA chain (signing certificate, intermediate CA certificate, and root CA certificate).
  11. Using the PKI Certificate Assistant:
    1. On the Upload Keystore step, click Choose File and upload the PKCS12 file you downloaded in the section “Create a Jamf Signing Certificate”.
    2. Click Next.
    3. On the Enter Password step, for PASSWORD, enter the password you entered in your SecureW2 Management Portal when you created the certificate.
    4. Click Next.
    5. On the Choose Certificate step, for the CHOOSE CERTIFICATE dropdown, verify the correct CA certificate is selected. Also, verify the correct certificate chain is shown.
    6. Click Next.
    7. On the Upload CA Certificate step, click Next to skip the upload. The CA certificate is already present in the PKCS12 file.
    8. On the Complete step, click Done.

Set Up JAMF Configuration Profiles for SCEP & WPA2-Enterprise

This section demonstrates how to set up JAMF configuration profiles for iOS and macOS.

Set Up a Jamf Configuration Profile for iOS

To set up a JAMF configuration profile for iOS:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click New.
    • Note: To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. For NAME, enter a name.
  5. For DESCRIPTION, enter a description.
  6. Click the DISTRIBUTION METHOD dropdown and select Install Automatically or Available in Self Service.
  7. Click Save.
  8. Select Options > SCEP.
  9. Click Configure.
  10. Check the box for Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile.
  11. For NAME, enter the common name of the intermediate CA that will be issuing the certificate for the client. You can find the common name in your SecureW2 Management Portal.
  12. For SUBJECT and SUBJECT ALTERNATIVE NAME, enter a value that will help the admin identify the device. If you wish, you can make this a static value.
  13. For SUBJECT ALTERNATIVE NAME TYPE, click the dropdown and select RFC 822 Name. This is mandatory.
    • Enter the payload variables. The values returned by these variables will be encoded as the Subject Alternative Name attributes on issued certificates. You must define three payload variables, each separated by a double semicolon. Examples:
      • $USERNAME;;$MACADDRESS;;$UDID
      • $USERNAME;;$MACADDRESS;;$EMAIL
  14. Click Save and then click Done.
  15. Enter the number of days prior to certificate expiration that the system should begin to display the expiration notice.
  16. In Profile, in the Scope section, update the scope for the devices to which the configuration profile will be pushed.

Note: If you want to make changes to JAMF as SCEP proxy in Settings > Global Management > PKI Certificates > Management Certificate Template > External CA, first disable Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile. If you proceed without disabling this, it will affect the corresponding profile that is using JAMF as SCEP proxy.

Set Up a JAMF Configuration Profile for macOS

To set up a JAMF configuration profile for macOS:

  1. From your Jamf Pro console, go to Computers > Configuration Profiles.
  2. Click New.
    • Note: To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. For NAME, enter a name.
  5. For DESCRIPTION, enter a description.
  6. Click the DISTRIBUTION METHOD dropdown and select Install Automatically or Available in Self Service.
  7. Click the LEVEL dropdown and select Computer Level.
  8. Select Options > SCEP.
  9. Click Configure.
  10. Check the box for Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile.
  11. For NAME, enter the common name of the intermediate CA that will be issuing the certificate for the client. You can find the common name in your SecureW2 Management Portal.
  12. For SUBJECT and SUBJECT ALTERNATIVE NAME, enter a value that will help the admin identify the device. If you wish, you can make this a static value.
  13. For SUBJECT ALTERNATIVE NAME TYPE, click the dropdown and select RFC 822 Name. This is mandatory.
    • Enter the payload variables. The values returned by these variables will be encoded as the Subject Alternative Name attributes on issued certificates. You must define three payload variables, each separated by a double semicolon. Examples:
      • $USERNAME;;$MACADDRESS;;$UDID
      • $USERNAME;;$MACADDRESS;;$EMAIL
  14. Click Save and then click Done.
  15. Enter the number of days prior to certificate expiration that the system should begin to display the expiration notice.
  16. In Profile, in the Scope section, update the scope for the devices to which the configuration profile will be pushed.

Note: If you want to make changes to JAMF as SCEP proxy in Settings > Global Management > PKI Certificates > Management Certificate Template > External CA, first disable Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile. If you proceed without disabling this, it will affect the corresponding profile that is using JAMF as SCEP proxy.

Set Up the Certificate Payload for RADIUS Server Certificate Validation

This section explains how to set up the certificate payload to validate your RADIUS server. If your RADIUS server certificate also has one or more intermediate CA certificates as part of the certificate chain, you can add those certificates (Root and Intermediate) in this payload.

Note: Do not upload the actual RADIUS server certificate.

To set up the certificate payload:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Certificate.
  4. Click Configure.
  5. For CERTIFICATE NAME, enter the name of the certificate you’re adding. This will be the Common Name (Issued To name).
  6. For SELECT CERTIFICATE OPTION, click the dropdown and select Upload.
  7. Click Upload Certificate.
  8. In the Certificate popup, click Choose File and select the CA certificate you want to upload.
  9. Click Upload.
  10. After the certificate uploads, click Save.
  11. Select Options > Wi-Fi.
  12. Select Trust, and for Trusted Certificates, check the box for the certificate you uploaded.
    • Note: Along with validating a RADIUS server by certificates, you should also specify the RADIUS server certificate names for validation as an additional security measure. This is available in the Wi-Fi payload when you enable the certificate you just uploaded.
  13. For CERTIFICATE COMMON NAME, click Add.
  14. In the field that appears, enter the name of the RADIUS server used for validation, and then click Save.
  15. At the bottom right, click Save to save the Wi-Fi payload. The managed devices now have appropriate certificates and the Common Name to validate the RADIUS server.

Note: If your setup has more than one RADIUS server for validation, you can add more than one Common Name with the same certificate payload configuration.

Configure a Wi-Fi Payload for 802.1x

To set up the Wi-Fi payload:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Wi-Fi.
  4. Click Configure.
  5. For SERVICE SET IDENTIFIER (SSID), enter a name.
  6. Select any other relevant settings like Hidden Network, Auto Join, and/or Disable Captive Network Detection.
  7. For SECURITY TYPE, click the dropdown and select WPA2-Enterprise.
  8. Select Protocols, and for Accepted EAP Types, check the box for TLS.
  9. Select Trust, and for Trusted Certificates, check the box for the certificate you uploaded.
    • Note: Along with validating a RADIUS server by certificates, you should also specify the RADIUS server certificate names for validation as an additional security measure. This is available in the Wi-Fi payload when you enable the certificate you just uploaded.
  10. For CERTIFICATE COMMON NAME, click Add.
  11. In the field that appears, enter the name of the RADIUS server used for validation, and then click Save.
  12. For IDENTITY CERTIFICATE, click the dropdown and select the CA from the SCEP payload.
  13. At the bottom right, click Save to save the Wi-Fi payload.

Note: Using the previous steps for Devices and Computers, both iOS and macOS devices can be configured for Wi-Fi.

When a device successfully enrolls, the Configuration Profiles table shows an increased value for Completed.
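Two of the steps above depend on chain relationships that are easy to get wrong before anything is uploaded: the Jamf signing certificate must be issued by the SCEP intermediate and ship with the complete chain (section “Set Up Certificate Enrollment via SCEP on JAMF”), and a RADIUS server certificate must chain to the CA in the certificate payload and carry one of the server names entered in the Wi-Fi payload. The Go program below is an added example, not code from SecureW2 or Jamf; it mints a constructed root, intermediate and leaf certificates purely for the demo, and its common-name match is exact (Apple profiles also accept wildcard names, which it does not model).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert mints a throwaway demo certificate (constructed data, not a real SecureW2 CA); a nil parent yields a self-signed root.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey) // errors ignored: fixed demo inputs
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckChain verifies that leaf chains to a root through intermediates (the complete chain Jamf expects),
// that its issuer CN equals wantIssuerCN and its own CN equals wantSubjectCN (each check skipped when empty).
func CheckChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, wantIssuerCN, wantSubjectCN string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain does not verify: %w", err)
	}
	if wantIssuerCN != "" && leaf.Issuer.CommonName != wantIssuerCN {
		return fmt.Errorf("issued by %q, expected %q", leaf.Issuer.CommonName, wantIssuerCN)
	}
	if wantSubjectCN != "" && leaf.Subject.CommonName != wantSubjectCN {
		return fmt.Errorf("subject CN %q, expected %q", leaf.Subject.CommonName, wantSubjectCN)
	}
	return nil
}
func main() {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	scep, scepKey := newCert("SCEP Intermediate CA", true, root, rootKey)
	signing, _ := newCert("Jamf Signing Certificate", false, scep, scepKey)
	fmt.Println("full chain:", CheckChain(signing, []*x509.Certificate{scep}, []*x509.Certificate{root}, "SCEP Intermediate CA", ""))
	fmt.Println("intermediate missing:", CheckChain(signing, nil, []*x509.Certificate{root}, "SCEP Intermediate CA", ""))
}
```

Against real material, run CheckChain on the signing certificate extracted from your PKCS12 with the SCEP intermediate's common name as wantIssuerCN, and on your RADIUS server certificate with the name you entered under CERTIFICATE COMMON NAME as wantSubjectCN.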

Secure EAP-TLS 802.1x with SecureW2’s SCEP Gateway

With SecureW2, you can implement certificate-based authentication anywhere on your network. This guide has only shown how to use our Gateway APIs to auto-enroll Jamf-managed devices for certificates, but you can do much more with our PKI Platform.
If you’re interested in moving away from Pre-shared Keys on your Jamf devices, or if you want to use certificates for other applications like BYOD Wi-Fi, VPN and web application authentication, or PIV-backed Smart Cards, let us know. The entire security solution is available for a price more reasonable than you’d expect; click here today for a free pricing estimate.

Jamf is a registered trademark of Jamf in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.