These are both ways to integrate Jamf Pro with your AD CS PKI to get certificates deployed to your devices. Three things favor SCEP Proxy:

1) It doesn't require the overhead of installing/maintaining an extra server or any custom Jamf interface software, and
2) It lets your managed devices generate (and never share) their own private keys.
3) SCEP Proxy gives you the option of using MS App Proxy (Azure or on-prem), so no inbound firewall rules are required to your internal networks.

The Jamf ADCS Connector is a good option where you don't have something better (i.e., a reverse proxy) to ferry connections across your DMZ. It may also be your best option if you can't run NDES, have lots of CAs/templates, or write apps that implement the Jamf Certificates SDK. It implements mutual TLS, where Jamf Pro and the Connector have to present their certificates to each other, so the authentication is better than SCEP, which uses a service account username and password to get a dynamic challenge and then presents the dynamic challenge when it sends a signing request. It also works in cases where you run a standalone rather than an enterprise CA.

One quick note… and you can stop reading here if this applies to you. If your organization has already set up an App Proxy SCEP/NDES Connector for MS Endpoint Manager, consider following the same design to connect Jamf Pro. Your PKI and network team already did 90% of the work for you, Microsoft endorses it, and your security team has approved it.

Microsoft Windows Server's AD Certificate Services ("ADCS") is a commonly-used platform for enterprise PKI. The native interface used for ADCS certificate enrollment is "RPC/DCOM". This interface is supported natively by macOS via Apple's MS Certificates MDM payload. Unfortunately, it requires binding (not even an option for iOS) and a direct network connection between the device and ADCS, so it is almost never used any more. In modern Mac+mobile, zero-IT-touch enrollment workflows where a user could be enrolling from anywhere, we need Jamf Pro to determine the trustworthiness of a device and handle the full certificate request/delivery/renewal process on behalf of the devices. That way they don't need to be bound to a domain or pre-connected to an internal network.

You set up firewall rules (maybe even a proxy or load balancer if you're a big IT shop) so Jamf Pro can connect to a Windows Server running Microsoft's NDES role. "NDES" is Microsoft's implementation of the SCEP protocol.

If you don't have NDES, or you do have it but only on your internal network and don't have any way to get Jamf Cloud connected, you can instead install Jamf's ADCS Connector software on a Windows server in your DMZ. You let Jamf Pro talk to the Connector (via https) and let the Connector talk to your ADCS server. The connection between the Connector and ADCS uses the same MS-standard DCOM interface as the old-school MS Certificates payload we used to use in the days when everyone had their Macs in the office and plugged into Ethernet all the time. It's also the same interface used by MS's certutil command line utility, so if your Windows team doesn't know what you're talking about, tell them that.

If your devices are provisioned/used outside your enterprise network, both SCEP and Jamf's ADCS Connector allow your Jamf Pro to get certificates from ADCS and then deliver them to your devices; the only difference is the interface between Jamf Pro and ADCS.

Good reasons for choosing the ADCS Connector include:

- Your organization's PKI admin refuses to run MS NDES (MS SCEP).
- Your network admin isn't going to allow you to pipe connections from Jamf Cloud directly into the internal network where your PKI services reside. You'll need something to bridge things through your DMZ. If you're not a super fancy IT shop with existing proxy/load-balancers and you don't have a team that supports things like the Azure AD App Proxy, then setting up the Jamf ADCS Connector is a simple solution anyone can use. It just gets the job done with a minimum of fuss.
- You need to use the Jamf Certificates SDK to support cert provisioning for authenticating users into your in-house apps (rare).
- The Jamf ADCS Connector supports client certificate-based auth between Jamf Pro and the Connector, which may be perceived as more secure than the service account SCEP Proxy uses to retrieve the dynamic challenge.
- The Jamf ADCS Connector can talk to multiple CA instances and can use any templates you specify, whereas each NDES instance talks to a single CA and uses one template.
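A pre-flight check of that Connector-to-ADCS DCOM path, as an added example that is not from the post or from Jamf: run it on the DMZ host where the Connector will be installed, under the account the Connector service will use, so the CA's DCOM and request permissions are checked for that identity. The CA config string is a placeholder for your own `<CA host>\<CA name>`.

```powershell
# Added example (not from the post or Jamf). Placeholder CA config string: <CA host>\<CA name>.
$CaConfig = "CA01.corp.example\Corp-Issuing-CA"
$CaHost   = $CaConfig.Split('\')[0]

# 1. DCOM starts with the RPC endpoint mapper on TCP 135; if the DMZ firewall blocks it,
#    neither certutil nor the Connector can reach the CA.
$rpc = Test-NetConnection -ComputerName $CaHost -Port 135
if (-not $rpc.TcpTestSucceeded) {
    throw "TCP 135 to $CaHost is blocked; the DCOM path to the CA cannot work."
}

# 2. certutil -ping uses the same DCOM interface the Connector will use. A failure here
#    means firewall (dynamic RPC ports), DCOM permissions, or the CA service itself.
certutil -config $CaConfig -ping
if ($LASTEXITCODE -ne 0) {
    throw "DCOM ping to $CaConfig failed; check the RPC dynamic port range and CA permissions."
}

# 3. Templates the CA is willing to issue. Every template named in the Jamf PKI
#    configuration must appear in this list, or requests will be rejected.
certutil -config $CaConfig -CATemplates
```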