Jamf SCEP Gateway Setup

SecureW2 makes it easy to provision and manage certificates. Using Cloud Connector, you can configure JAMF devices to automatically enroll for certificates using the Simple Certificate Enrollment Protocol (SCEP). SecureW2 provides silent installation that migrates users to certificate-based authentication without interrupting their connection.

You get a more secure network without sacrificing productivity.

This guide shows you how to integrate JAMF External CA with SecureW2’s Cloud Connector to allow devices to enroll for digital certificates using SCEP.

For more details on setting up Cloud Connector for certificate enrollment, refer to the JoinNow MultiOS and Connector Configuration Guide.

Prerequisites:

These are the prerequisites for setting up SCEP on JAMF:

  • End users can enroll their devices with JAMF.
  • You created the certificate for Apple push notifications and uploaded it in JAMF.

Configure SCEP Enrollment in SecureW2

To set up certificate enrollment through SCEP:

  1. Create an Intermediate CA for SCEP Gateway Integration
  2. Create a JAMF Signing Certificate
  3. Generate an SCEP URL and Secret
  4. Add the Intermediate CA-ID to the SCEP URL
  5. Create a User Role Policy
  6. Create an Enrollment Policy

Create an Intermediate CA for SCEP Gateway Integration

As a best practice, SecureW2 recommends having a new intermediate CA for JoinNow SCEP Gateway integration with JAMF. The CA issuing certificates to BYOD devices should be separate from the CA issuing certificates to managed devices, because managed devices don’t require email notifications. You can disable email notifications for the dedicated CA issuing certificates to JAMF managed devices.

To create a new intermediate CA:

  1. From your SecureW2 Management Portal, go to PKI Management > Certificate Authority.
  2. Click Add Certificate Authority.
  3. In the Basic section, click the Type dropdown and select Intermediate CA.
  4. Click the Certificate Authority dropdown and select the default Root CA that comes with your organization.
  5. For Common Name, enter a name. SecureW2 recommends a name that includes ‘SCEP’.
  6. Click Save. This generates the new intermediate CA.

Create a JAMF Signing Certificate

Note: The CA that is configured in Policy Management > Enrollment to issue certificates for JAMF enrollment requests should be the same CA with which you create this signing certificate.

To create a JAMF signing certificate:

  1. From your SecureW2 Management Portal, go to PKI Management > Create Certificate.
  2. In the Device section, click the OS dropdown and select an operating system.
  3. For User Description, enter a description.
  4. For MAC Address, enter a unique MAC address.
  5. In the Certificate section, click the Certificate Authority dropdown and select the intermediate CA to use for issuing certificates to clients using SCEP.
  6. For Common Name, enter the common name (example: ‘JAMF Signing Certificate’).
  7. Click the Validity Period dropdown and select a long validity period.
  8. Click the Key Size dropdown and select a key size.
  9. Click the Signature Algorithm dropdown and select a signature algorithm.
  10. Check the box for Include Entire Certificate Chain. This is mandatory.
  11. Click Create to download the PKCS12 file.

Generate an SCEP URL and Secret

To generate the SCEP URL and secret:

  1. From your SecureW2 Management Portal, go to Identity Management > API Tokens.
  2. Click Add API Token, and then click New.
  3. For Name, enter a name.
  4. Click the Type dropdown and select SCEP Enrollment Token.
  5. Click Save. This downloads a CSV file containing the SCEP URL and secret.

Note: Save this file securely. This file is downloaded only once at the time of token creation. If you lose this file, you can’t retrieve the token or secret.

Note: You can also refer to the steps in Configuring API Tokens (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide: https://cloud.securew2.com/resources/guides/SecureW2_JoinNow_MultiOS_Configuration_Guide.pdf

Add the Intermediate CA-ID to the SCEP URL

To add the intermediate CA-ID to the SCEP URL:

  1. From your SecureW2 Management Portal, go to PKI Management > Certificate Authority.
  2. For the CA you created in the section “Create an Intermediate CA for SCEP Gateway Integration”, click View.
  3. In the CRL section, in Base or Delta, copy the URL.
  4. Paste the Base/Delta URL into a blank document.
  5. Open the CSV file you downloaded in the section “Generate an SCEP URL and Secret”.
  6. Copy the SCEP URL and paste it into the blank document with the Base/Delta URL.
  7. From the Base/Delta URL, copy the CA-ID portion.
  8. In the SCEP URL, replace the existing CA-ID portion with the one you copied from the Base/Delta URL.
  9. Copy the new SCEP URL and paste it into the CSV file.
  10. Save the CSV file.

Create a User Role Policy

To create a user role policy:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. Click Add Role Policy.
  3. Select the Basic tab.
  4. For Name, enter a name.
  5. For Description, enter a description.
  6. Click Save. The page refreshes and automatically selects the Conditions tab.
  7. In the Conditions section, click the Identity Provider dropdown and select the SCEP Enrollment Token you created in the section “Generate an SCEP URL and Secret”.
  8. Click Update.

Create an Enrollment Policy

To create an enrollment policy:

  1. From your SecureW2 Management Portal, go to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. Select the Basic tab.
  4. For Name, enter a name.
  5. For Description, enter a description.
  6. Click Save. The page refreshes and automatically selects the Conditions tab.
  7. In the Conditions section, for User Role, select the user role policy you created in the previous section.
  8. For Device Role, select Any Device.
    • Note: You must select a User Role and Device Role for enrollment. You can use a fallback device policy to allow enrollment based on user role policy.
  9. Select the Settings tab.
  10. In the Settings section, click the Use Certificate Authority dropdown and select the intermediate CA you created in the section “Create an Intermediate CA for SCEP Gateway Integration”.
  11. Click Update.

Set up Certificate Enrollment via SCEP on JAMF

To set up certificate enrollment via SCEP on JAMF:

  1. From your Jamf Pro console, go to Settings > Global Management.
  2. Click PKI Certificates.
  3. Select the Management Certificate Template tab, then select External CA and click Edit.
  4. Check the box for Enable Jamf Pro as SCEP Proxy for configuration profiles.
  5. For URL, enter the SCEP URL from the CSV file you downloaded in the section “Generate an SCEP URL and Secret”.
    • Note: Write to support@securew2.com to confirm that this URL works with the intermediate CA you configured in the section “Create an Enrollment Policy”. However, you can proceed with the remaining steps, and write to SecureW2 support should you notice any failure.
  6. Click the SUBJECT ALTERNATIVE NAME TYPE dropdown and select None.
  7. Click the CHALLENGE TYPE dropdown and select Static.
  8. For CHALLENGE and VERIFY CHALLENGE, enter the Secret from the CSV file you downloaded.
  9. Click the KEY SIZE dropdown and select 2048. SecureW2 does not recommend selecting 1024.
  10. Under Signing Certificate, click Change Signing and CA Certificates to upload the signing certificate you created in the section “Create a JAMF Signing Certificate”.
    • Note: The signing certificate must be a certificate signed by the intermediate CA that is used for certificate enrollment and should include the complete CA chain (signing certificate, intermediate CA certificate, and root CA certificate).
  11. Using the PKI Certificate Assistant:
    1. On the Upload Keystore step, click Choose File and upload the PKCS12 file you downloaded in the section “Create a JAMF Signing Certificate”.
    2. Click Next.
    3. On the Enter Password step, for PASSWORD, enter the password you entered in your SecureW2 Management Portal when you created the certificate.
    4. Click Next.
    5. On the Choose Certificate step, for the CHOOSE CERTIFICATE dropdown, verify the correct CA certificate is selected. Also, verify the correct certificate chain is shown.
    6. Click Next.
    7. On the Upload CA Certificate step, click Next to skip the upload. The CA certificates are already present in the PKCS12 file.
    8. On the Complete step, click Done.

Set up JAMF Configuration Profiles

This section explains how to set up JAMF configuration profiles for iOS and macOS.

Set up a JAMF Configuration Profile for iOS

To set up a JAMF configuration profile for iOS:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click New.
    • Note: To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. For NAME, enter a name.
  5. For DESCRIPTION, enter a description.
  6. Click the DISTRIBUTION METHOD dropdown and select Install Automatically or Available in Self Service.
  7. Click Save.
  8. Select Options > SCEP.
  9. Click Configure.
  10. Check the box for Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile.
  11. For NAME, enter the common name of the intermediate CA that will be issuing the certificate for the client. You can find the common name in your SecureW2 Management Portal.
  12. For SUBJECT and SUBJECT ALTERNATIVE NAME, enter a value that will help the admin identify the device. If you wish, you can make this a static value.
  13. For SUBJECT ALTERNATIVE NAME TYPE, click the dropdown and select RFC 822 Name. This is mandatory.
    • Enter the payload variables. The values returned by these variables will be encoded as the Subject Alternative Name attributes on issued certificates. You must define three payload variables, each separated by a double semicolon. Examples:
      • $USERNAME;;$MACADDRESS;;$UDID
      • $USERNAME;;$MACADDRESS;;$EMAIL
  14. Click Save and then click Done.
  15. Enter the number of days prior to certificate expiration that the system should begin to display the expiration notice.
  16. In Profile, in the Scope section, update the scope for the devices to which the configuration profile will be pushed.

Note: If you want to make changes to JAMF as SCEP proxy in Settings > Global Management > PKI Certificates > Management Certificate Template > External CA, first disable Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile. If you proceed without disabling this, it will affect the corresponding profile that is using JAMF as SCEP proxy.

Set up a JAMF Configuration Profile for macOS

To set up a JAMF configuration profile for macOS:

  1. From your Jamf Pro console, go to Computers > Configuration Profiles.
  2. Click New.
    • Note: To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. For NAME, enter a name.
  5. For DESCRIPTION, enter a description.
  6. Click the DISTRIBUTION METHOD dropdown and select Install Automatically or Available in Self Service.
  7. Click the LEVEL dropdown and select Computer Level.
  8. Select Options > SCEP.
  9. Click Configure.
  10. Check the box for Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile.
  11. For NAME, enter the common name of the intermediate CA that will be issuing the certificate for the client. You can find the common name in your SecureW2 Management Portal.
  12. For SUBJECT and SUBJECT ALTERNATIVE NAME, enter a value that will help the admin identify the device. If you wish, you can make this a static value.
  13. For SUBJECT ALTERNATIVE NAME TYPE, click the dropdown and select RFC 822 Name. This is mandatory.
    • Enter the payload variables. The values returned by these variables will be encoded as the Subject Alternative Name attributes on issued certificates. You must define three payload variables, each separated by a double semicolon. Examples:
      • $USERNAME;;$MACADDRESS;;$UDID
      • $USERNAME;;$MACADDRESS;;$EMAIL
  14. Click Save and then click Done.
  15. Enter the number of days prior to certificate expiration that the system should begin to display the expiration notice.
  16. In Profile, in the Scope section, update the scope for the devices to which the configuration profile will be pushed.

Note: If you want to make changes to JAMF as SCEP proxy in Settings > Global Management > PKI Certificates > Management Certificate Template > External CA, first disable Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile. If you proceed without disabling this, it will affect the corresponding profile that is using JAMF as SCEP proxy.

Set up the Certificate Payload for RADIUS Connections

This section explains how to set up the certificate payload to validate your RADIUS server. If your RADIUS server certificate also has one or more intermediate CA certificates as part of the certificate chain, you can add those certificates (Root and Intermediate) in this payload.

Note: Do not upload the actual RADIUS server certificate.

Here’s how to set up the certificate payload:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Certificate.
  4. Click Configure.
  5. For CERTIFICATE NAME, enter the name of the certificate you’re adding. This will be the Common Name (Issued To name).
  6. For SELECT CERTIFICATE OPTION, click the dropdown and select Upload.
  7. Click Upload Certificate.
  8. In the Certificate popup, click Choose File and select the CA certificate you want to upload.
  9. Click Upload.
  10. After the certificate uploads, click Save.
  11. Select Options > Wi-Fi.
  12. Select Trust, and for Trusted Certificates, check the box for the certificate you uploaded.
    • Note: Along with validating a RADIUS server by certificates, you should also specify the RADIUS server certificate names for validation as an additional security measure. This is available in the Wi-Fi payload when you enable the certificate you just uploaded.
  13. For CERTIFICATE COMMON NAME, click Add.
  14. In the field that appears, enter the name of the RADIUS server used for validation, and then click Save.
  15. At the bottom right, click Save to save the Wi-Fi payload. The managed devices now have appropriate certificates and the Common Name to validate the RADIUS server.

Note: If your setup has more than one RADIUS server for validation, you can add more than one Common Name with the same certificate payload configuration.

Set up the Wi-Fi Payload

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Wi-Fi.
  4. Click Configure.
  5. For SERVICE SET IDENTIFIER (SSID), enter a name.
  6. Select any other relevant settings like Hidden Network, Auto Join, and/or Disable Captive Network Detection.
  7. For SECURITY TYPE, click the dropdown and select WPA2-Enterprise.
  8. Select Protocols, and for Accepted EAP Types, check the box for TLS.
  9. Select Trust, and for Trusted Certificates, check the box for the certificate you uploaded.
    • Note: Along with validating a RADIUS server by certificates, you should also specify the RADIUS server certificate names for validation as an additional security measure. This is available in the Wi-Fi payload when you enable the certificate you just uploaded.
  10. For CERTIFICATE COMMON NAME, click Add.
  11. In the field that appears, enter the name of the RADIUS server used for validation, and then click Save.
  12. For IDENTITY CERTIFICATE, click the dropdown and select the CA from the SCEP payload.
  13. At the bottom right, click Save to save the Wi-Fi payload.

Note: Using the previous steps for Devices and Computers, both iOS and macOS devices can be configured for Wi-Fi.

When a device successfully enrolls, the Configuration Profiles table shows an increased value for Completed.

Troubleshooting

Device Status

You can verify a device’s status on the Configuration Profiles page.

In the table, the Completed, Pending, and Failed columns show the number of devices whose configuration profile has the respective installation status.

To see more details about devices that have a completed, pending, or failed configuration profile installation status, click the number in the respective column.

For example, if the SCEP URL is incorrect and a client tries to enroll for a certificate, the enrollment fails. The number in the Failed column reflects this.

Click the number to go to the Logs page, which shows a list of all devices that have failed enrollment.

To see why the installation failed for the device, click the device and go to Management > Management Commands.

Debug Mode

JAMF also allows you to enable debug logging. This is useful for troubleshooting JAMF-related issues. However, JAMF cautions that enabling debug logging affects the performance of Jamf Pro.

To enable Debug Mode, go to Settings > JAMF Pro Information > Jamf Pro Server Logs > Edit, and then check the box for Enable Debug Mode.

You can disable Debug Mode once you’re done troubleshooting an issue.

Jamf is a registered trademark of Jamf in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.
