Configure Jamf Pro for Connector for SCEP
You can use Amazon Private CA as an external certificate authority (CA) with the Jamf Pro mobile device management (MDM) system. This guide provides instructions on how to configure Jamf Pro after you create a general-purpose connector.
After you configure both Jamf Pro and Connector for SCEP, you can issue Amazon Private CA certificates to your managed devices.
Jamf Pro requirements
Your implementation of Jamf Pro must meet the following requirements.
You must turn on the Enable certificate-based authentication setting in Jamf Pro. You can find details on this setting on the Jamf Pro Security Settings page in the Jamf Pro documentation.
Step 1: (Optional - recommended) Obtain your private CA's fingerprint
A fingerprint is a cryptographic hash of your private CA's certificate that uniquely identifies the CA. When a managed device enrolls over SCEP, it compares the fingerprint in its profile against the CA certificate the SCEP endpoint returns, so it only requests certificates from the CA you intended. We recommend configuring a CA fingerprint in Jamf Pro.
To generate a fingerprint for your private CA
Obtain the certificate of the private CA associated with your connector, either from the Amazon Private CA console or by calling the GetCertificateAuthorityCertificate API. Save it as a file named ca.pem.
Install the OpenSSL command-line utilities.
Run the following OpenSSL command to generate the SHA-256 fingerprint (the -noout flag suppresses printing the certificate itself):
openssl x509 -in ca.pem -noout -sha256 -fingerprint
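OpenSSL prints the digest as SHA256 Fingerprint=AB:CD:... while the Jamf Pro field expects a hex string, so a practitioner usually wants the bare hex and a way to confirm that what was pasted into Jamf Pro is the digest of the right CA. The following script is an added example, not code from the AWS or Jamf documentation; it assumes OpenSSL is installed and that ca.pem is the CA certificate saved in the step above. That the field takes the digest without colon separators is an assumption; verify it against the field's accepted format.

```shell
#!/bin/sh
# Added example (not from the AWS or Jamf Pro documentation): compute the
# SHA-256 fingerprint of a CA certificate and normalize it to a bare,
# uppercase hex string, then optionally compare it with a value copied from
# elsewhere (for example the fingerprint already pasted into Jamf Pro).
# Assumes: OpenSSL on PATH; ca.pem is the private CA certificate associated
# with your connector. Colon-free output is an assumed input format for the
# Jamf Pro Fingerprint field.

# Strip any "... Fingerprint=" label and the colon separators; uppercase.
normalize_fingerprint() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Normalized SHA-256 fingerprint of the certificate file given as $1.
ca_fingerprint() {
    normalize_fingerprint "$(openssl x509 -in "$1" -noout -sha256 -fingerprint)"
}

# Returns 0 when the fingerprint in $2 (any case, with or without colons)
# equals the fingerprint computed from the certificate file $1.
fingerprint_matches() {
    [ "$(ca_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# Usage: ./ca-fingerprint.sh ca.pem                 -> prints the fingerprint
#        ./ca-fingerprint.sh ca.pem <fingerprint>   -> MATCH / MISMATCH
if [ "$#" -ge 1 ]; then
    if [ "$#" -ge 2 ]; then
        if fingerprint_matches "$1" "$2"; then
            echo "MATCH"
        else
            echo "MISMATCH" >&2
            exit 1
        fi
    else
        ca_fingerprint "$1"
    fi
fi
```

Running the second form after you save the Jamf Pro settings catches the two common mistakes: a fingerprint taken from the wrong certificate (for example a subordinate CA instead of the CA bound to the connector) and a paste that dropped characters.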
Step 2: Configure Amazon Private CA as an external CA in Jamf Pro
After you create a connector for SCEP, you must set Amazon Private CA as an external certificate authority (CA) in Jamf Pro. You can set Amazon Private CA as a global, external CA. Alternatively, you can use a Jamf Pro configuration profile to issue different certificates from Amazon Private CA for different use cases, such as issuing certificates to a subset of devices in your organization. Guidance on implementing Jamf Pro configuration profiles is beyond the scope of this document.
To configure Amazon Private CA as an external certificate authority (CA) in Jamf Pro
In the Jamf Pro console, go to the PKI certificates settings page by going to Settings > Global > PKI certificates.
Select the Management Certificate Template tab.
Select External CA.
Select Edit.
(Optional) Select Enable Jamf Pro as SCEP Proxy for configuration profiles. You can use Jamf Pro configuration profiles to issue different certificates tailored to specific use cases. For guidance on how to use configuration profiles in Jamf Pro, see Enabling Jamf Pro as SCEP Proxy for Configuration Profiles in the Jamf Pro documentation.
Select Use a SCEP-enabled external CA for computer and mobile device enrollment.
(Optional) Select Use Jamf Pro as SCEP Proxy for computer and mobile device enrollment. If you experience profile installation failures, see Troubleshoot profile installation failures.
Copy the Connector for SCEP public SCEP URL from the connector's details and paste it into the URL field in Jamf Pro. To view a connector's details, choose the connector from the Connectors for SCEP list. Alternatively, call GetConnector and copy the Endpoint value from the response.
(Optional) Enter the name of the instance in the Name field. For example, you can name it Amazon Private CA.
Select Static for the challenge type.
Copy a challenge password from your connector and paste it into the Challenge field. A connector can have multiple challenge passwords. To view your connector's challenge passwords, go to your connector's details page in the Amazon console and choose View password. Alternatively, call GetChallengePassword and copy a Password value from the response. For information about using challenge passwords, see Understand Connector for SCEP considerations and limitations. Treat the challenge password as a secret: the connector's SCEP URL is public, and anyone who holds the password can request certificates from your private CA through it.
Paste the same challenge password into the Verify Challenge field.
Choose a Key Size. We recommend a key size of 2048 or higher.
(Optional) Select Use as digital signature. Select this for authentication purposes to grant devices secure access to resources like Wi-Fi and VPN.
(Optional) Select Use for key encipherment.
(Optional - recommended) Enter a hex string in the Fingerprint field. We recommend that you add a CA fingerprint to allow managed devices to verify the CA, and only request certificates from the CA. For instructions on how to generate a fingerprint for your private CA, see Step 1: (Optional - recommended) Obtain your private CA's fingerprint.
Select Save.
Step 3: Set up a configuration profile signing certificate
To use Jamf Pro with Connector for SCEP, you must provide the signing and CA certificates for the private CA that's associated with your connector. You can do this by uploading a profile signing certificate keystore to Jamf Pro that contains both certificates.
Here are the steps to create a certificate keystore and upload it into Jamf Pro:
Generate a certificate signing request (CSR) using your internal processes.
Get the CSR signed by the private CA associated with your connector.
Create a profile signing certificate keystore that contains both the profile signing and CA certificates.
Upload the certificate keystore to Jamf Pro.
By following these steps, you can make sure that your devices can validate and authenticate the configuration profile signed by your private CA, enabling the use of Connector for SCEP with Jamf Pro.
The following example uses OpenSSL and Amazon Certificate Manager, but you can generate a certificate signing request using your preferred method.
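The script below is an added example, not the page's own, covering the first three steps above: generate a key pair and CSR with OpenSSL, have the private CA behind your connector sign it using the AWS CLI for Amazon Private CA, and package the signing certificate, its private key and the CA certificate into a PKCS#12 keystore for the upload step. The CA ARN, subject, validity, file names and KEYSTORE_PASSWORD are placeholders you replace; SHA256WITHRSA assumes an RSA-keyed CA, and the caller needs acm-pca:IssueCertificate, GetCertificate and GetCertificateAuthorityCertificate permissions.

```shell
#!/bin/sh
# Added example (not from the AWS or Jamf Pro documentation): build a profile
# signing keystore for Jamf Pro from a certificate issued by the private CA
# associated with your connector.
# Assumptions: OpenSSL and the AWS CLI are installed and configured; CA_ARN,
# SUBJECT, VALIDITY_DAYS and KEYSTORE_PASSWORD are placeholders; the CA uses
# an RSA key (hence SHA256WITHRSA).
set -e

CA_ARN="${CA_ARN:-arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11111111-2222-3333-4444-555555555555}"
SUBJECT="${SUBJECT:-/CN=Jamf Pro Profile Signing/O=Example Corp}"
VALIDITY_DAYS="${VALIDITY_DAYS:-365}"

# Fail early, with a message, if any expected input file is missing.
check_inputs() {
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing input file: $f" >&2; return 1; }
    done
}

# Step 1: 2048-bit RSA key and CSR (matches the key size recommended above).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout signing.key -out signing.csr -subj "$SUBJECT"
}

# Step 2: have the private CA sign the CSR, wait for issuance, then download
# both the signing certificate and the CA certificate.
issue_with_private_ca() {
    check_inputs signing.csr
    cert_arn=$(aws acm-pca issue-certificate \
        --certificate-authority-arn "$CA_ARN" \
        --csr fileb://signing.csr \
        --signing-algorithm SHA256WITHRSA \
        --validity "Value=$VALIDITY_DAYS,Type=DAYS" \
        --query CertificateArn --output text)
    aws acm-pca wait certificate-issued \
        --certificate-authority-arn "$CA_ARN" --certificate-arn "$cert_arn"
    aws acm-pca get-certificate \
        --certificate-authority-arn "$CA_ARN" --certificate-arn "$cert_arn" \
        --query Certificate --output text > signing.pem
    aws acm-pca get-certificate-authority-certificate \
        --certificate-authority-arn "$CA_ARN" \
        --query Certificate --output text > ca.pem
}

# Step 3: PKCS#12 keystore holding the signing cert + key and the CA cert.
build_keystore() {
    check_inputs signing.key signing.pem ca.pem
    openssl pkcs12 -export -inkey signing.key -in signing.pem -certfile ca.pem \
        -name "jamf-profile-signing" -out signing.p12 \
        -passout "pass:${KEYSTORE_PASSWORD:?set KEYSTORE_PASSWORD first}"
}

# Usage: KEYSTORE_PASSWORD=... CA_ARN=... ./make-signing-keystore.sh run
if [ "${1:-}" = "run" ]; then
    make_csr
    issue_with_private_ca
    build_keystore
    echo "wrote signing.p12 (upload this in Jamf Pro; keep signing.key private)"
fi
```

The private key in signing.key and the exported signing.p12 are as sensitive as the signing capability they grant: anyone holding them can sign configuration profiles your devices trust, so generate them on a controlled host and delete the loose key once the keystore is uploaded.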
In Jamf Pro, navigate to the Management Certificate Template and go to the External CA pane.
At the bottom of the External CA pane, select Change Signing and CA Certificates.
Follow the onscreen instructions to upload the signing and CA certificates for the external CA.
Step 4: (Optional) Install certificate during user-initiated enrollment
To establish trust between your client devices and your private CA, you must ensure your devices trust the certificates issued by Jamf Pro. You can use Jamf Pro's User-Initiated Enrollment Settings
Troubleshoot profile installation failures
If you're experiencing profile installation failures after enabling Use Jamf Pro as SCEP Proxy for computer and mobile device enrollment, consult your device logs and try the following.
Device log error message | Mitigation |
---|---|
 | If you receive this error message while trying to enroll, retry the enrollment. It can take several tries before enrollment succeeds. |
 | Your challenge password might be misconfigured. Verify that the challenge password in Jamf Pro matches your connector's challenge password. |