Using Connector for SCEP with Jamf Pro - Amazon Private Certificate Authority

Using Connector for SCEP with Jamf Pro

You can use Amazon Private CA as an external certificate authority (CA) with the Jamf Pro mobile device management (MDM) solution. This guide explains how to configure Jamf Pro as a SCEP proxy after you create an Amazon Private Certificate Authority Connector for SCEP.

Jamf Pro requirements

Your implementation of Jamf Pro must meet the following requirements.

  • You must use Jamf Pro 10.0.0 or later.

  • You must turn on the Enable certificate-based authentication setting in Jamf Pro. For details on this setting, see the Jamf Pro Security Settings page in the Jamf Pro documentation.

Prerequisites

To use Connector for SCEP with Jamf Pro, you must first create a private CA and a general-purpose connector for SCEP. For instructions, see Setting up Connector for SCEP.

Configure Amazon Private CA as an external CA in Jamf Pro

After you create a connector for SCEP, you must set Amazon Private CA as an external CA in Jamf Pro. You can set Amazon Private CA as a global external CA. Or you can use a Jamf Pro configuration profile to issue different certificates from Amazon Private CA for different use cases, such as issuing certificates to a subset of the devices in your organization. Guidance on implementing Jamf Pro configuration profiles is beyond the scope of this document.

To configure Amazon Private CA as an external CA in Jamf Pro
  1. In the Jamf Pro console, go to the PKI certificates settings page by going to Settings > Global > PKI certificates.

  2. Select the Management Certificate Template tab.

  3. Select External CA.

  4. Select Edit.

  5. (Optional) Select Enable Jamf Pro as SCEP Proxy for configuration profiles. You can use Jamf Pro configuration profiles to issue different certificates tailored to specific use-cases. For guidance on how to use configuration profiles in Jamf Pro, see Enabling Jamf Pro as SCEP Proxy for Configuration Profiles in the Jamf Pro documentation.

  6. Select Use a SCEP-enabled external CA for computer and mobile device enrollment.

  7. (Optional) Select Use Jamf Pro as SCEP Proxy for computer and mobile device enrollment. If you experience profile installation failures, see Troubleshoot profile installation failures.

  8. Copy the connector's public SCEP URL from the connector's details and paste it into the URL field in Jamf Pro. To view a connector's details, choose the connector from the Connectors for SCEP list. Alternatively, you can get the URL by calling GetConnector and copying the Endpoint value from the response.

  9. (Optional) Enter the name of the instance in the Name field. For example, you can name it Amazon Private CA.

  10. Select Static for the challenge type.

  11. Copy your connector's challenge password and paste it into the Challenge field. To view your connector's challenge passwords, navigate to your connector's details page in the Amazon console and select the View password button. Alternatively, you can get a connector's challenge password by calling GetChallengePassword and copying the Password value from the response. Treat this value as a secret: the challenge is static and shared by every device that enrolls through this configuration, so anyone who obtains it and can reach the public SCEP URL can request certificates from your private CA. If it is exposed, replace it in both the connector and Jamf Pro.

  12. Paste the challenge password into the Verify Challenge field.

  13. Choose a Key Size. We recommend a key size of 2048 or higher.

  14. (Optional) Select Use as digital signature. Select this for authentication purposes to grant devices secure access to resources like Wi-Fi and VPN.

  15. (Optional) Select Use for key encipherment.

  16. (Optional) Enter a hex string in the Fingerprint field. For instructions on how to create a fingerprint of your private CA, see (Optional) Add a CA fingerprint.

  17. Select Save.

Create and upload a profile signing certificate

To use Connector for SCEP with Jamf Pro, you must provide the signing and CA certificates for the private CA that's associated with your connector. You can do this by uploading a profile signing certificate keystore to Jamf Pro that contains both certificates. You need to generate a certificate signing request (CSR) using your internal processes and get it signed by Amazon Private Certificate Authority. The following instructions explain how to create a certificate keystore and upload it into Jamf Pro. The example uses OpenSSL, but you can generate a certificate signing request using your preferred method.

  1. Using OpenSSL, generate a private key by running the following command:

    openssl genrsa -out local.key 2048
  2. Generate a certificate signing request (CSR):

    openssl req -new -key local.key -sha512 -out local.csr -subj "/CN=MySigningCertificate/O=MyOrganization" -addext keyUsage=critical,digitalSignature,nonRepudiation
  3. Using the Amazon CLI, issue the signing certificate using the CSR you generated in step two. In the following commands, replace <CONNECTOR_CA_ARN> with the ARN of the same private CA that your connector is associated with; a certificate issued by any other CA will not chain to the CA that your devices trust. Run the following command and note the certificate ARN in the response:

    aws acm-pca issue-certificate --certificate-authority-arn <CONNECTOR_CA_ARN> --csr fileb://local.csr --signing-algorithm SHA512WITHRSA --validity Value=365,Type=DAYS
  4. Get the signing certificate by running the following command using the certificate ARN from step 3. Issuance is asynchronous: if the call reports that the request is still in progress, wait a few seconds and retry, or first run aws acm-pca wait certificate-issued with the same two ARNs:

    aws acm-pca get-certificate --certificate-authority-arn <CONNECTOR_CA_ARN> --certificate-arn <NEW_CERTIFICATE_ARN> | jq -r '.Certificate' > local.crt
  5. Get the CA certificate by running the following command. If the private CA is a subordinate CA, also append the CertificateChain value from the same response to ca.crt so that the keystore carries the full chain:

    aws acm-pca get-certificate-authority-certificate --certificate-authority-arn <CONNECTOR_CA_ARN> | jq -r '.Certificate' > ca.crt
  6. Using OpenSSL, output the signing certificate keystore in p12 format. You'll use the crt files that you generated during steps four and five. Run the following command:

    openssl pkcs12 -export -in local.crt -inkey local.key -certfile ca.crt -name "CA Chain" -out local.p12
  7. When prompted, enter an export password. This password is your keystore password, and you'll need to use it later.

  8. In Jamf Pro, navigate to the Management Certificate Template and go to the External CA pane.

  9. At the bottom of the External CA pane, select Change Signing and CA Certificates.

  10. Follow the onscreen instructions to upload the signing and CA certificates for the external CA.

(Optional) Add a CA fingerprint

Adding a CA fingerprint allows managed devices to verify the CA and only request certificates from the CA.

  1. Obtain the private CA certificate from the Amazon Private CA console or by calling GetCertificateAuthorityCertificate (the ca.crt file from the preceding procedure is the same certificate). Save it as a ca.pem file.

  2. In OpenSSL, run the following command:

    openssl x509 -in ca.pem -noout -sha256 -fingerprint
  3. Copy the hex digest from the output (the value after SHA256 Fingerprint=) and paste it into the Fingerprint field referred to in the preceding procedure.
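The following script is an added example and is not part of the Amazon or Jamf Pro documentation. It carries out the profile signing certificate procedure and the optional CA fingerprint step as shell functions, with the checks a practitioner wants between the commands: that the CSR actually carries the key usage, that the issued certificate chains to ca.crt and matches local.key before the keystore is built, that the finished keystore opens with the password and holds both certificates, and that the fingerprint is emitted as the bare hex digest. It assumes openssl 1.1.1 or later, the Amazon CLI with credentials for the private CA, and the keystore password in the KEYSTORE_PASS environment variable; <CONNECTOR_CA_ARN>, the file names and the function names are this example's own placeholders. Only issue_and_fetch needs network access; every other function runs offline.

```shell
#!/bin/sh
# Added example, not code from the Amazon or Jamf documentation. Wraps the
# keystore procedure in functions with a check after each step, and adds the
# CA fingerprint conversion. Assumes: openssl 1.1.1+, the Amazon CLI with
# credentials for the private CA, and KEYSTORE_PASS in the environment.
# <CONNECTOR_CA_ARN>, passed as $1, is a placeholder for your connector's CA.
set -eu

# Steps 1 and 2: key pair and a CSR carrying the key usage Jamf expects.
make_csr() {                 # make_csr <key-out> <csr-out> <CN> <O>
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl req -new -key "$1" -sha512 -out "$2" -subj "/CN=$3/O=$4" \
    -addext "keyUsage=critical,digitalSignature,nonRepudiation"
}

# Confirm the CSR really carries the key usage before submitting it to the CA.
csr_has_signing_usage() {    # csr_has_signing_usage <csr>
  openssl req -in "$1" -noout -text | grep -q "Digital Signature, Non Repudiation"
}

# Steps 3 to 5 (need network and credentials): issue from the connector's CA,
# wait for the asynchronous issuance, then fetch the leaf and the CA cert.
issue_and_fetch() {          # issue_and_fetch <ca-arn> <csr> <cert-out> <ca-out>
  cert_arn=$(aws acm-pca issue-certificate --certificate-authority-arn "$1" \
    --csr "fileb://$2" --signing-algorithm SHA512WITHRSA \
    --validity Value=365,Type=DAYS --query CertificateArn --output text)
  aws acm-pca wait certificate-issued \
    --certificate-authority-arn "$1" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate --certificate-authority-arn "$1" \
    --certificate-arn "$cert_arn" --query Certificate --output text > "$3"
  # For a subordinate CA, also append --query CertificateChain to "$4".
  aws acm-pca get-certificate-authority-certificate \
    --certificate-authority-arn "$1" --query Certificate --output text > "$4"
}

# Before packaging: the leaf must chain to the CA file and the private key
# must match the leaf. A wrong CA ARN or a reused key fails here, not in Jamf.
verify_material() {          # verify_material <cert> <key> <ca>
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Steps 6 and 7, non-interactive: the export password is the keystore password
# Jamf Pro asks for on upload. It is read from the environment rather than
# argv so it does not show up in the process list.
build_keystore() {           # build_keystore <cert> <key> <ca> <p12-out>
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "CA Chain" \
    -out "$4" -passout env:KEYSTORE_PASS
}

# Re-open the keystore with the password and count the certificates it holds
# (leaf plus CA).
keystore_cert_count() {      # keystore_cert_count <p12>
  openssl pkcs12 -in "$1" -nokeys -passin env:KEYSTORE_PASS | grep -c "BEGIN CERTIFICATE"
}

# Optional CA fingerprint for the Jamf Fingerprint field: the bare SHA-256 hex
# digest, without the "Fingerprint=" label and the colons openssl prints.
ca_fingerprint_hex() {       # ca_fingerprint_hex <ca-cert>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}

# Usage: KEYSTORE_PASS='...' sh jamf-keystore.sh <CONNECTOR_CA_ARN>
if [ $# -ge 1 ]; then
  make_csr local.key local.csr MySigningCertificate MyOrganization
  csr_has_signing_usage local.csr
  issue_and_fetch "$1" local.csr local.crt ca.crt
  verify_material local.crt local.key ca.crt
  build_keystore local.crt local.key ca.crt local.p12
  echo "local.p12 holds $(keystore_cert_count local.p12) certificates; upload it to Jamf Pro"
  echo "CA fingerprint: $(ca_fingerprint_hex ca.crt)"
fi
```

Run it in an empty directory as KEYSTORE_PASS='...' sh jamf-keystore.sh <CONNECTOR_CA_ARN>, then upload local.p12 in the Change Signing and CA Certificates dialog and, if you use the fingerprint, paste the printed digest into the Fingerprint field. The fingerprint function assumes that field wants the bare hex digest; the two verify_material checks are the ones that catch the most common mistake, a certificate issued from a CA other than the connector's, before it reaches a device.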

(Optional) Install certificate during user-initiated enrollment

To install your connector's private CA certificate on a client or device during user-initiated enrollment, configure your Jamf Pro user-initiated enrollment settings. This lets Jamf Pro install your Amazon Private CA certificates on the client or device when it requests a certificate. It's your responsibility to test your configuration to make sure that it's compatible with your Connector for SCEP implementation. For information about Jamf Pro user-initiated enrollment settings, see User-Initiated Enrollment Settings in the Jamf Pro documentation.

Troubleshoot profile installation failures

If you're experiencing profile installation failures after enabling Use Jamf Pro as SCEP Proxy for computer and mobile device enrollment, try the following.

Error message: Profile installation failed. Unable to obtain certificate from SCEP server at "<your-jamf-endpoint>.jamfcloud.com". <MDM-SCEP:15001>

Mitigation: If you receive this error message while trying to enroll, retry the enrollment. It can take several tries before enrollment succeeds.

Error message: Profile installation failed. Unable to obtain certificate from SCEP server at "<your-jamf-endpoint>.jamfcloud.com". <MDM-SCEP:14006>

Mitigation: Your challenge password might be misconfigured. Verify that the challenge password in Jamf Pro matches your connector's challenge password.