Simple Certificate Enrollment Protocol (“SCEP”) is an interface for negotiating certificate signing requests that is used by a number of enterprise CA vendors. Microsoft AD Certificate Services (“ADCS”) is a commonly used CA; in the Microsoft case, SCEP is provided by the Network Device Enrollment Service (“NDES”) role.
Continue reading “What You’ll See When you Install MS SCEP/NDES”
Update: It looks like MS has patched this in recent versions of Windows Server and it no longer works. A better approach would be to put a reverse proxy in the DMZ and put your Jamf ADCS Connector on the same network as your ADCS Server.
I wanted to see if I could submit ADCS certificate requests from a machine that was not bound to the same domain as ADCS. Test 1 was to send a request from an unbound machine. I also tested from a machine that was bound to a different domain than the one running ADCS, with no cross-domain trust and not in the same forest, as might be the case when the ADCS domain is on an internal network and the client computer is bound to a DMZ-only domain. The DCOM network ports must be open between the test computer and the ADCS host, obviously.
Continue reading “Testing AD Certificate Services Permissions from an un-bound machine”
These are both ways to integrate Jamf Pro with your AD CS PKI to get certificates deployed to your devices.
SCEP Proxy is a better choice in theory…
1) It doesn’t require the overhead of installing/maintaining an extra server or any custom Jamf interface software,
2) It lets your managed devices generate (and never share) their own private keys, and
3) SCEP Proxy gives you the option of using MS App Proxy (Azure or on-prem), so no inbound firewall rules to your internal networks are required.
The Jamf ADCS Connector is a good option where you don’t have something better (i.e., a reverse proxy) to ferry connections across your DMZ. It may also be your best option if you can’t run NDES, have lots of CAs/templates, or write apps that implement the Jamf Certificates SDK. It also works in cases where you run a standalone rather than an enterprise CA. It implements mutual TLS, where Jamf Pro and the Connector have to present their certificates to each other, so the authentication is stronger than SCEP’s, which uses a service account username and password to obtain a dynamic challenge and then presents that challenge when it sends the signing request.
tldr: You may have SaaS or remote clients that need access to SCEP cert provisioning, but your security team may not allow inbound connections from the DMZ to the internal network where your NDES Server is located. Read this Microsoft document that deals with this issue: Integrate with Azure AD Application Proxy on a Network Device Enrollment Service (NDES) server
Continue reading “Configuring Azure Application Proxy for Jamf Pro SCEP Certificates”
tldr: Organizations that prefer to use Azure’s Web Application Proxy service should consider using the SCEP Proxy method for their certificate deployment. The Jamf ADCS Connector uses client certificate-based authentication, which is not supported by Azure AD App Proxy. NDES dynamic challenge (Microsoft’s implementation of SCEP) uses form-based authentication, which is supported by Azure Web Application Proxy.
Continue reading “Can Jamf ADCS Connector use Azure Web App Proxy?”
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
The ADCSC is easy to set up but some implementations might want to do things like use their own certs (instead of the default self-signed ones) or create a cluster of them behind a load balancer for HA.
If you’re going to be making some changes on your connectors and want to test them, it’s a lot easier to use this script than having to scope a cert profile to a device, wait for APNs cycles, and check devices/logs every time you make a change on your connectors.
Continue reading “Test Script for Jamf AD CS Connector (ADCSC – Active Directory Certificate Services Connector)”
The installer script “deploy.ps1” for the Jamf Active Directory Certificate Services Connector can be replaced to
- Simplify setup of clustered connectors for HA
- Use your own certs instead of the default self-signed ones.
- Authenticate the connector to AD CS as a service account user instead of as the Connector host
- Add copious logging
Not that you couldn’t just do this IIS setup stuff by hand, but some people like to automate everything.
Continue reading “Alternate Installer for Jamf AD CS Connector”
admin@jamfpro:~$ sudo apt-get update; sudo apt-get install mysql-server
# Not strictly required, but a good idea, even for dev servers...
admin@jamfpro:~$ sudo mysql_secure_installation
admin@jamfpro:~$ sudo mysql
mysql> create database jamf;
Query OK, 1 row affected (0.01 sec)
mysql> grant all on jamf.* to username@localhost identified WITH mysql_native_password BY 'thepassword';
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> SELECT user,plugin,host FROM mysql.user;
+------------------+-----------------------+-----------+
| user             | plugin                | host      |
+------------------+-----------------------+-----------+
| root             | auth_socket           | localhost |
| mysql.session    | mysql_native_password | localhost |
| mysql.sys        | mysql_native_password | localhost |
| debian-sys-maint | mysql_native_password | localhost |
| jamf             | mysql_native_password | localhost |
+------------------+-----------------------+-----------+
5 rows in set (0.00 sec)