Configure Jamf to issue certificates with SCEP

DigiCert® Trust Lifecycle Manager facilitates certificate issuance through your Jamf mobile device management environment using SCEP (Simple Certificate Enrollment Protocol).

Jamf prerequisites

Consult with your local admin or Jamf documentation for questions regarding Jamf configuration and use.

  • Active Jamf Pro account.

  • Your Jamf Pro account is configured with an Apple MDM Push certificate if you intend to issue certificates to Apple iOS devices.

Trust Lifecycle Manager prerequisites

Contact your DigiCert account manager if your Trust Lifecycle Manager account needs to be configured with these settings.

  • Your Trust Lifecycle Manager account is enabled for SCEP enrollment.

  • The issuing CA in your account is configured with the "Allow CA to decrypt and sign SCEP packets" setting.

Configure your Trust Lifecycle Manager account and Jamf for SCEP enrollment

  1. In DigiCert ONE, in the Manager menu (top right), select Trust Lifecycle.

  2. Go to Policies > Certificate profiles.

  3. Create or make sure you have a certificate profile with the following:

    • The issuing CA for the certificate profile supports "Allow CA to decrypt and sign SCEP packets".

      Tip

      Check with your DigiCert ONE CA Services admin or your DigiCert account manager if you are unsure which issuing CA to use.

    • The enrollment method is set to SCEP.

  4. Copy and save the certificate profile’s SCEP Server URL for use in your Jamf mobile device configuration profile.

  5. Sign in to your Jamf Pro account.

  6. Create or open an existing computer or mobile device configuration profile.

  7. Add the proper root CA and issuing CA from your DigiCert ONE account to the Certificate section in the Jamf configuration profile.

  8. Enter the SCEP Server URL from your Trust Lifecycle Manager certificate profile in the SCEP section of the Jamf configuration profile.

  9. Specify target object(s) to issue certificates to.

  10. Return to Trust Lifecycle Manager to verify issued certificate(s).
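
Before scoping the profile to devices in step 9, you can check that steps 7 and 8 took effect by downloading the configuration profile and inspecting its payloads. The following is an added example, not DigiCert or Jamf code: it assumes the downloaded profile is an unsigned XML property list, uses Apple's standard payload types, and runs against a constructed sample with a placeholder URL.

```python
import plistlib

# Apple payload types that carry a CA certificate, and the SCEP payload type.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}
SCEP_TYPE = "com.apple.security.scep"


def audit_profile(profile_bytes, expected_scep_url):
    """Return findings for an unsigned profile; an empty list means steps 7 and 8 look complete."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    findings = []

    # Step 7: the root CA and the issuing CA should each appear as a certificate payload.
    certs = [p for p in payloads if p.get("PayloadType") in CERT_TYPES]
    if len(certs) < 2:
        findings.append(f"expected root and issuing CA payloads, found {len(certs)}")

    # Step 8: the SCEP payload must carry exactly the URL copied in step 4.
    sceps = [p for p in payloads if p.get("PayloadType") == SCEP_TYPE]
    if not sceps:
        findings.append("no SCEP payload in profile")
    for p in sceps:
        url = p.get("PayloadContent", {}).get("URL", "")
        if url != expected_scep_url:
            findings.append(f"SCEP URL {url!r} differs from the certificate profile's URL")
    return findings


def sample_profile(scep_url, cert_payloads=2):
    """Constructed sample: a minimal unsigned profile, not a real Jamf export."""
    content = [{"PayloadType": "com.apple.security.pkcs1",
                "PayloadIdentifier": f"example.cert.{i}",
                "PayloadContent": b"constructed-placeholder-not-a-real-certificate"}
               for i in range(cert_payloads)]
    content.append({"PayloadType": SCEP_TYPE,
                    "PayloadIdentifier": "example.scep",
                    "PayloadContent": {"URL": scep_url, "Name": "constructed"}})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})


if __name__ == "__main__":
    url = "https://scep.example.invalid/constructed-path"  # placeholder, not a DigiCert URL
    print(audit_profile(sample_profile(url), url))
    print(audit_profile(sample_profile(url + " ", cert_payloads=1), url))
```

The comparison is an exact string match, so a trailing space or truncated path picked up while copying the URL is reported rather than silently deployed.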