Jamf SCEP Gateway Setup


Certificate-based authentication (WPA2-Enterprise with EAP-TLS) takes the password out of the Wi-Fi login entirely, and with SecureW2, provisioning and managing certificates has become simple. Network engineers no longer have to manually load certificates onto devices. For organizations that manage devices using Jamf, SecureW2 has created a solution that enables Jamf managed devices to automatically enroll themselves for certificates. The installation process is silent, and end users are migrated to certificate-based authentication with no interruption in network connectivity. The improvement in network security is substantial and comes without slowing down productivity.

Assumptions:

  • End users can enroll their devices with Jamf
  • Certificates for Apple push notifications have been created and uploaded in Jamf
  • JoinNow Cloud Management Portal has been set up for TLS (root and intermediate device CAs are present)
  • You have received a SCEP Server URL and shared secret from SecureW2
    • This is dependent on completion of the previous assumption on this list


Creating Jamf Signing Certificate

For certificate issuance to be effective, an organization must be able to control who is issued certificates. Jamf Pro uses the signing certificate to sign the SCEP requests it proxies on behalf of enrolled devices, so SecureW2 only issues a device certificate for a request that came through your Jamf instance. This first section of the tutorial takes us through creating that signing certificate.

We’ll begin by logging into the SecureW2 Management Portal:

  1. Navigate to PKI Management and click Create Certificate
  2. In the Device section, select iOS in the OS category
  3. In the User Description category, enter your Common Name
    • In this tutorial, we are going to enter JamfSigningCertificate
    • This will be the common name of the Intermediate Certificate later
  4. In the MAC Address category, enter any placeholder value; it is not used for a signing certificate
    • The format should be 11:22:33:44:55:66
  5. In the Certificate section, enter the Common Name in its category
  6. In the Validity category, you can enter any amount of time that fits your certificate expiration policies
  7. For the Key Size and Signature Algorithm, the default values of 2048 and SHA-256 respectively are appropriate
  8. Check the settings against the screenshot above, then click Create
  9. You will be asked to create a password that protects the certificate. It must be at least six characters; because the exported PKCS #12 contains the signing private key, use a long random passphrase and store it with your other secrets

Creating the signing certificate

Jamf External SCEP CA Configuration

Now we need to configure Jamf to use SecureW2 as an External CA by entering in the URL for the SCEP Server.

  1. Navigate to the Jamf cloud portal
  2. Click Settings in the top right corner, then Global Management, then PKI Certificates
  3. Select the Management Certificate Template tab and click External CA
  4. Add an External CA by clicking Add in the bottom right corner
  5. Check the first box for Enable Jamf Pro as SCEP Proxy for configuration profiles
  6. Enter the URL for the SCEP Server
  7. To obtain the SCEP URL, you must:
    1. Navigate to the SecureW2 Management Portal and click API Tokens under Identity Management
    2. Click Add API Token
    3. In the Name field, add a name
    4. In the Type field, select SCEP Enrollment Token
    5. In the SCEP Vendor field, select Jamf, and click Save
    6. The downloaded token file contains the SCEP URL and the shared secret
  8. Scroll down to the Subject Alternative Name Type and set it to None
  9. Just below, set the Challenge Type to Static
    • The Challenge is the shared secret from the SCEP enrollment token file. Because Jamf Pro acts as the SCEP proxy, the secret stays on the Jamf Pro server and is not pushed to devices inside the configuration profile
  10. For the Key Size select 2048
  11. Click Save
  12. Scroll down to the Signing Certificate
    • Here you will upload the PKCS #12 that we created at the beginning of this tutorial; a wizard will take you through the upload, and you will need to enter the password that was set earlier

Configuring the settings for the PKI Certificate
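Before pasting the SCEP URL into the External CA settings, it is worth confirming that the endpoint answers and advertises what the settings above assume (SHA-256 signing, POST-based PKIOperation) and recording the fingerprint of the CA certificate it hands out. The following pre-flight check is an added example written for this page, not SecureW2 or Jamf code; the SCEP URL is a placeholder, the `fetch` argument is injectable so the logic runs offline against a constructed GetCACaps reply, and the operations used (`GetCACaps`, `GetCACert`) are the ones defined in RFC 8894.

```python
from __future__ import annotations

import hashlib
import urllib.parse
import urllib.request

# Hypothetical value: SecureW2 supplies the real SCEP URL and shared secret with
# the SCEP enrollment token created in the steps above.
SCEP_URL = "https://scep.example.com/scep"

# Capabilities the 2048-bit RSA / SHA-256 settings chosen above depend on.
# Tokens are the case-sensitive names from RFC 8894, section 3.5.2.
REQUIRED_CAPS = {"SHA-256", "POSTPKIOperation"}

# Constructed GetCACaps reply, standing in for a live server when offline.
SAMPLE_CACAPS = "POSTPKIOperation\nSHA-256\nAES\nRenewal\nSCEPStandard\n"


def scep_operation_url(base_url: str, operation: str, message: str = "") -> str:
    """Build the GET URL for a SCEP operation (?operation=...&message=...)."""
    params = {"operation": operation}
    if message:
        params["message"] = message
    joiner = "&" if "?" in base_url else "?"
    return f"{base_url}{joiner}{urllib.parse.urlencode(params)}"


def parse_ca_caps(body: str) -> set[str]:
    """GetCACaps returns one capability token per line; clients ignore unknown tokens."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def check_ca_caps(caps: set[str]) -> list[str]:
    """Return findings; an empty list means the server fits the settings above."""
    findings = [f"server does not advertise {cap}" for cap in sorted(REQUIRED_CAPS - caps)]
    if "SHA-1" in caps and "SHA-256" not in caps:
        findings.append("server only advertises SHA-1 signing; do not pick SHA-256 in the profile")
    if "AES" not in caps and "DES3" not in caps:
        findings.append("no content-encryption algorithm advertised; enrollment falls back to single DES")
    return findings


def ca_cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the bytes GetCACert returns. GetCACert is unauthenticated, so
    compare this with the device CA already loaded in the JoinNow portal before
    trusting it. For a CA/RA bundle (application/x-x509-ca-ra-cert) this hashes the
    whole PKCS#7 blob; split it with `openssl pkcs7 -print_certs` for per-cert values."""
    return hashlib.sha256(der).hexdigest()


def http_get(url: str, timeout: float = 10.0) -> bytes:
    """Plain HTTP GET; only used when preflight() is run against a real endpoint."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def preflight(base_url: str, fetch=http_get) -> dict:
    """Run the checks against a SCEP endpoint; `fetch` is injectable for offline use."""
    result = {"https": base_url.lower().startswith("https://"), "findings": []}
    if not result["https"]:
        result["findings"].append("SCEP URL is not https; GetCACert replies could be altered in transit")
    body = fetch(scep_operation_url(base_url, "GetCACaps")).decode("ascii", "replace")
    result["caps"] = parse_ca_caps(body)
    result["findings"] += check_ca_caps(result["caps"])
    result["ca_fingerprint"] = ca_cert_fingerprint(fetch(scep_operation_url(base_url, "GetCACert")))
    return result


def offline_demo() -> dict:
    """Exercise preflight() with constructed responses (no network access)."""
    def fake_fetch(url: str) -> bytes:
        if "operation=GetCACaps" in url:
            return SAMPLE_CACAPS.encode()
        return b"\x30\x03\x02\x01\x00"  # placeholder bytes, not a real certificate
    return preflight(SCEP_URL, fetch=fake_fetch)


if __name__ == "__main__":
    print(offline_demo())
```

Run `preflight("<your SCEP URL>")` once with the real URL and keep the printed `ca_fingerprint` with your change record; if it ever differs from the CA in the JoinNow portal, stop and ask SecureW2 before saving the External CA.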


Jamf iOS Configuration Profile

Now that we’ve set up the process for onboarding certificates, we need to adjust the settings to adhere to specific organization policies. Once configured, you can set iOS devices to automatically observe the correct settings.

  1. Click the Devices tab, and under Content Management, select Configuration Profiles and click New to create a new configuration profile
  2. Add a Name and Description to the new configuration profile
  3. Set the Distribution Method to either Install Automatically or Available in Self Service
  4. Under General, scroll down to and click on SCEP
  5. First ensure that you have checked the box for the option Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile
  6. In the Name field, enter the Common Name of the Intermediate CA
  7. In the Subject field, enter CN=$MACADDRESS,O=abc
    • $MACADDRESS is a Jamf payload variable that Jamf Pro substitutes per device; replace abc with your organization name
  8. The Subject Alternative Name field should be set to None

Configuring Settings for iOS Device Onboarding


Jamf macOS Configuration Profile

Similar to the configuration of iOS devices, we need to configure settings for macOS devices. The steps are nearly identical and give your organization the same certificate-based control over computers.

  1. In the Jamf cloud portal, click the Computers tab and then click Configuration Profiles
  2. Click New to create a new configuration profile and add a Name and Description
  3. In the Distribution Method drop-down menu, choose either Install Automatically or Available in Self Service
  4. Under General, click SCEP and check the box Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile
  5. Enter the name of the Intermediate Certificate into the Name field
  6. In the Subject field, enter CN=$MACADDRESS $PROFILE_IDENTIFIER,O=gatewaycheck
    • $MACADDRESS and $PROFILE_IDENTIFIER are Jamf payload variables; gatewaycheck is an example organization name, replace it with your own
  7. The Subject Alternative Name field should be set to None
  8. In the Scope tab, confirm that the Target Users and Target Computers are set to All Users and All Computers respectively, or narrow the scope to the groups that should receive certificates


Wi-Fi Configuration Profile

Lastly, the Wi-Fi network needs to be configured for certificate-based authentication: WPA2-Enterprise with EAP-TLS, so that devices authenticate with their SecureW2-issued certificate every time they connect. In the same payload, also set the Trust settings (the trusted certificates and trusted server certificate names for your RADIUS server) so that devices validate the RADIUS server's certificate as well; without them, a user can be prompted to accept the certificate of a rogue access point broadcasting your SSID.

  1. Navigate to the Devices tab and click Configuration Profiles
  2. Click New to create a new Configuration Profile
  3. Click the menu option Wi-Fi and click Configure to configure the Wi-Fi settings
  4. Enter the SSID Name that was given to SecureW2
  5. Select the Security Type as WPA2-Enterprise
  6. In Network Security Settings, under Protocols, select TLS in Accepted EAP Types
  7. In the Identity Certificate field, select SCEP Proxy: followed by the name you gave the SCEP payload (the Intermediate CA name entered above)
  8. Network Type should be set to Standard
  9. Click Save

Configuring the Wi-Fi settings, confirming WPA2-Enterprise Network and EAP-TLS
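The SCEP and Wi-Fi screens above each end up as a payload in a configuration profile, and seeing those payloads makes the relationship between the Subject field, the identity certificate and the Trust settings concrete. The script below is an added example written for this page, not Jamf or SecureW2 code: it expands the Jamf payload variables from the Subject strings used above, builds the SCEP, RADIUS-CA and EAP-TLS Wi-Fi payloads using the key names from Apple's Configuration Profile Reference, and audits a Wi-Fi payload for the trust settings that are easy to leave unset. The SCEP endpoint, SSID, RADIUS server name and CA bytes are placeholders, and the device record standing in for Jamf's variable substitution is constructed.

```python
from __future__ import annotations

import plistlib
import re
import uuid

# Placeholders (assumptions, not values from the tutorial). With Jamf Pro as SCEP
# proxy the endpoint the device talks to is Jamf Pro, not SecureW2 directly.
SCEP_URL = "https://jamf.example.com/scep-proxy"
SSID = "Corp-Secure"
RADIUS_NAME = "radius.example.com"
RADIUS_CA_DER = b"\x30\x03\x02\x01\x00"  # constructed placeholder, not a real certificate

# Constructed device record standing in for Jamf's payload-variable substitution.
DEVICE = {"$MACADDRESS": "AA:BB:CC:11:22:33", "$PROFILE_IDENTIFIER": "com.example.scep.macos"}


def expand_variables(template: str, device: dict[str, str]) -> str:
    """Replace Jamf payload variables ($MACADDRESS, ...) with the device's values."""
    return re.sub(r"\$[A-Z_]+", lambda m: device.get(m.group(0), m.group(0)), template)


def dn_to_subject(dn: str) -> list:
    """'CN=a,O=b' -> [[["CN","a"]],[["O","b"]]], the nested-array Subject form of Apple's SCEP payload."""
    rdns = [r for r in re.split(r"(?<!\\),", dn) if r.strip()]
    subject = []
    for rdn in rdns:
        key, _, value = rdn.partition("=")
        subject.append([[key.strip(), value.strip().replace("\\,", ",")]])
    return subject


def base_payload(ptype: str, name: str, identifier: str) -> dict:
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name}


def scep_payload(name: str, subject_dn: str, device: dict, challenge: str | None = None) -> dict:
    p = base_payload("com.apple.security.scep", name, "com.example.scep")
    p["PayloadContent"] = {
        "URL": SCEP_URL, "Name": name,
        "Subject": dn_to_subject(expand_variables(subject_dn, device)),
        "Keysize": 2048, "Key Type": "RSA",
        "Key Usage": 5,  # 1 = digital signature + 4 = key encipherment
        "Retries": 3, "RetryDelay": 10,
    }
    if challenge is not None:  # with Jamf Pro as SCEP proxy the static challenge stays on the server
        p["PayloadContent"]["Challenge"] = challenge
    return p


def root_cert_payload(der: bytes, name: str) -> dict:
    p = base_payload("com.apple.security.root", name, "com.example.radius-ca")
    p["PayloadContent"] = der
    p["PayloadCertificateFileName"] = "radius-ca.cer"
    return p


def wifi_payload(identity_uuid: str, anchor_uuids: list[str], trusted_names: list[str]) -> dict:
    """WPA2-Enterprise / EAP-TLS payload; anchor_uuids and trusted_names are the Trust settings."""
    p = base_payload("com.apple.wifi.managed", SSID, "com.example.wifi")
    p.update({"SSID_STR": SSID, "HIDDEN_NETWORK": False, "AutoJoin": True,
              "EncryptionType": "WPA2", "PayloadCertificateUUID": identity_uuid,
              "EAPClientConfiguration": {
                  "AcceptEAPTypes": [13],  # 13 = EAP-TLS
                  "TLSTrustedServerNames": trusted_names,
                  "PayloadCertificateAnchorUUID": anchor_uuids,
                  "TLSAllowTrustExceptions": False}})
    return p


def audit_wifi_payload(p: dict) -> list[str]:
    """Flag EAP-TLS Wi-Fi payloads that skip server validation or allow other EAP types."""
    eap = p.get("EAPClientConfiguration", {})
    findings = []
    if eap.get("AcceptEAPTypes") != [13]:
        findings.append("AcceptEAPTypes is not EAP-TLS only")
    if not p.get("PayloadCertificateUUID"):
        findings.append("no identity certificate bound to the network")
    if not eap.get("TLSTrustedServerNames"):
        findings.append("TLSTrustedServerNames empty: RADIUS server name is not checked")
    if not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no anchor certificate: the user is asked to accept whatever server certificate is presented")
    if eap.get("TLSAllowTrustExceptions", True):  # Apple's default is true
        findings.append("TLSAllowTrustExceptions not disabled: user can click through a bad server certificate")
    return findings


def build_profile(hardened: bool = True) -> dict:
    scep = scep_payload("SecureW2 Device CA", "CN=$MACADDRESS $PROFILE_IDENTIFIER,O=gatewaycheck", DEVICE)
    ca = root_cert_payload(RADIUS_CA_DER, "RADIUS CA")
    if hardened:
        wifi = wifi_payload(scep["PayloadUUID"], [ca["PayloadUUID"]], [RADIUS_NAME])
    else:  # a payload whose Trust section was never filled in
        wifi = wifi_payload(scep["PayloadUUID"], [], [])
        del wifi["EAPClientConfiguration"]["TLSAllowTrustExceptions"]
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
            "PayloadIdentifier": "com.example.securew2-eap-tls", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "SecureW2 EAP-TLS Wi-Fi", "PayloadContent": [scep, ca, wifi]}


def roundtrip(profile: dict) -> dict:
    """Serialize to .mobileconfig XML and parse it back, proving the structure is plist-clean."""
    return plistlib.loads(plistlib.dumps(profile))


if __name__ == "__main__":
    print(plistlib.dumps(build_profile()).decode())
```

The `audit_wifi_payload` check is the useful part to keep: export a profile Jamf has built (or any profile already on a Mac) and run it over the Wi-Fi payload to confirm that EAP-TLS is the only accepted type and that the RADIUS server's name and issuing CA are pinned, rather than trusting the GUI walk-through alone.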

The benefits of connecting your Jamf-managed fleet to SecureW2 certificate onboarding show with the first user to connect to the network. They are issued a certificate with no effort and gain a secure connection without interruption. Network engineers see the result as fewer IT tickets and less time spent on user connectivity issues: a network that is simple to manage and tailored to the end users' experience.

Jamf is a registered trademark of Jamf in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.
