What You’ll See When you Install MS SCEP/NDES

Simple Certificate Enrollment Protocol (“SCEP”) is an interface for negotiating certificate signing requests that is used by a number of enterprise CA vendors. Microsoft AD Certificate Services (“ADCS”) is a CA commonly used by organizations, and in the MS CA case, SCEP is provided by the Network Device Enrollment Service (“NDES”) role.

Testing AD Certificate Services Permissions from an un-bound machine

Update: It looks like MS has patched this in recent versions of Windows Server and it no longer works. A better approach would be to put a reverse proxy in the DMZ and put your Jamf ADCS Connector on the same network as your ADCS Server. I wanted to see if I could submit ADCS …

SCEP Proxy or Jamf ADCS Connector for deploying certs with Jamf Pro?

tldr: These are both ways to integrate Jamf Pro with your AD CS PKI to get certificates deployed to your devices. SCEP Proxy is a better choice in theory… 1) It doesn’t require the overhead of installing/maintaining an extra server or any custom Jamf interface software and, 2) It lets your managed devices generate (and never share) …

Configuring Azure Application Proxy for Jamf Pro SCEP Certificates

tldr: You may have SaaS or remote clients that need access to SCEP cert provisioning but your security team may not allow inbound connections from the DMZ to the internal network where your NDES Server is located. Read this Microsoft document that deals with this issue: Integrate with Azure AD Application Proxy on a Network …

Can Jamf ADCS Connector use Azure Web App Proxy?

tldr: Organizations that prefer to use Azure’s Web Application Proxy service should consider using the SCEP Proxy method for their certificate deployment. The Jamf ADCS Connector uses client certificate-based authentication, which is not supported by Azure AD App Proxy. NDES dynamic challenge (Microsoft’s implementation of SCEP) uses form-based authentication, which is supported by Azure Web …

Test Script for Jamf AD CS Connector (ADCSC – Active Directory Certificate Services Connector)

The ADCSC is easy to set up but some implementations might want to do things like use their own certs (instead of the default self-signed ones) or create a cluster of them behind a load balancer for HA. If you’re going to be making some changes on your connectors and want to test them, it’s …

Alternate Installer for Jamf AD CS Connector

The installer script “deploy.ps1” for the Jamf Active Directory Certificate Services Connector can be replaced to: simplify setup of clustered connectors for HA; use your own certs instead of the default self-signed ones; authenticate the connector to AD CS as a service account user instead of as the Connector host; copious logging. Not that you …

Install mysql on ubuntu for Jamf Pro

    admin@jamfpro:~$ sudo apt-get update; sudo apt-get install mysql-server
    # Not strictly required, but a good idea, even for dev servers…
    admin@jamfpro:~$ sudo mysql_secure_installation
    admin@jamfpro:~$ sudo mysql
    mysql> create database jamf;
    Query OK, 1 row affected (0.01 sec)
    mysql> grant all on jamf.* to username@localhost identified WITH mysql_native_password BY 'thepassword';
    Query OK, 0 rows affected, 1 …