Configure Jamf to issue certificates with SCEP
DigiCert® Trust Lifecycle Manager facilitates certificate issuance through your Jamf mobile device management environment using SCEP (Simple Certificate Enrollment Protocol).
Jamf prerequisites
Consult with your local admin or Jamf documentation for questions regarding Jamf configuration and use.
Active Jamf Pro account.
Your Jamf Pro account is configured with an Apple MDM Push certificate if you intend to issue certificates to Apple iOS devices.
Trust Lifecycle Manager prerequisites
Contact your DigiCert account manager if your Trust Lifecycle Manager account needs to be configured with these settings.
Your Trust Lifecycle Manager account is enabled for SCEP enrollment.
An issuing CA in your account is configured with Allow CA to decrypt and sign SCEP packets.
Configure your Trust Lifecycle Manager account and Jamf for SCEP enrollment
In DigiCert ONE, in the Manager menu (top right), select Trust Lifecycle.
Go to Policies > Certificate profiles.
Create or make sure you have a certificate profile with the following:
The issuing CA for the certificate profile is configured with Allow CA to decrypt and sign SCEP packets.
Tip
Check with your DigiCert ONE CA Services admin or your DigiCert account manager if you are unsure which issuing CA to use.
The enrollment method is set to SCEP.
Copy and save the certificate profile’s SCEP Server URL for use in your Jamf mobile device configuration profile.
Sign in to your Jamf Pro account.
Create or open an existing computer or mobile device configuration profile.
Add the correct root CA and issuing CA certificates from your DigiCert ONE account to the Certificate section of the Jamf configuration profile.
Enter the SCEP Server URL from your Trust Lifecycle Manager certificate profile in the SCEP section of the Jamf configuration profile.
Specify the target object(s) to issue certificates to.
Return to Trust Lifecycle Manager to verify the issued certificate(s).
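A pre-deployment check you can run on the copied SCEP Server URL before scoping the Jamf profile, shown as an added example that is not DigiCert or Jamf code. It assumes the endpoint answers the standard GetCACaps operation from RFC 8894; the URL and response bodies below are constructed samples.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Keywords from RFC 8894 section 3.5.2 that a current SCEP client relies on.
RECOMMENDED = {"AES", "SHA-256", "POSTPKIOperation"}


def scep_operation_url(server_url, operation):
    """Return the GET URL for a SCEP operation such as GetCACaps or GetCACert."""
    parts = urlsplit(server_url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {server_url!r}")
    # Keep any query string already present in the copied URL.
    query = "&".join(q for q in (parts.query, urlencode({"operation": operation})) if q)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def review_cacaps(body):
    """Parse a GetCACaps response body (one keyword per line) and report gaps."""
    caps = {line.strip() for line in body.splitlines() if line.strip()}
    effective = set(caps)
    if "SCEPStandard" in caps:
        # SCEPStandard is shorthand for AES, POSTPKIOperation and SHA-256.
        effective |= RECOMMENDED
    return {"advertised": sorted(caps), "missing": sorted(RECOMMENDED - effective)}


# Constructed samples (assumptions): a placeholder URL and two response bodies.
SAMPLE_URL = "https://scep.example.com/placeholder-profile"
SAMPLE_LEGACY_CAPS = "POSTPKIOperation\r\nSHA-1\r\nDES3\r\nRenewal\r\n"
SAMPLE_STANDARD_CAPS = "SCEPStandard\nRenewal\n"

if __name__ == "__main__":
    # Fetch this URL with your HTTP client of choice, then pass the body below.
    print("Query:", scep_operation_url(SAMPLE_URL, "GetCACaps"))
    for name, body in (("legacy", SAMPLE_LEGACY_CAPS), ("standard", SAMPLE_STANDARD_CAPS)):
        report = review_cacaps(body)
        status = "OK" if not report["missing"] else "missing " + ", ".join(report["missing"])
        print(f"{name}: advertised={report['advertised']} -> {status}")
```

A non-empty "missing" list means enrolled devices may fall back to SHA-1 or DES3 for SCEP messages, which is worth raising with your CA admin before rollout.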