SCEP integration guide for Jamf Pro (manual seat creation)
DigiCert® Trust Lifecycle Manager facilitates certificate issuance through your Jamf Pro mobile device management (MDM) environment. This guide describes how to integrate with Jamf using the SCEP (Simple Certificate Enrollment Protocol) with manual creation of seat records in Trust Lifecycle Manager.
Avertissement
Manual seat creation gives you more control over how your seat records are set up, but requires a significant amount of additional configuration in both Trust Lifecycle Manager and Jamf Pro.
To simplify setup, DigiCert recommends using dynamic seat creation instead. For details, see SCEP integration guide.
Important
The SCEP service can authenticate devices using either dynamic or static (global) enrollment codes. DigiCert strongly recommends using dynamic enrollment codes, as they are the most secure option and provide enhanced tracking and management capabilities.
This guide focuses on the use of dynamic enrollment codes for authentication but mentions the static enrollment code option where applicable.
Prerequisites
Contact your DigiCert account representative if you need help verifying these settings.
Your Trust Lifecycle Manager account is enabled for SCEP enrollment.
Issuing CA in your account configured to Allow CA to decrypt and sign SCEP packets.
Consult with your local admin or Jamf Pro documentation for questions regarding Jamf configuration and use.
Active Jamf Pro account with the target devices for enrollment added to it.
Your Jamf Pro account is configured with an Apple MDM Push certificate if you intend to issue certificates to Apple iOS devices.
(Recommended) Create Smart Groups in Jamf Pro for each logical group of devices or computers to enroll. For more information, refer to the official Jamf Pro documentation.
Workflow
To set up the Jamf Pro integration via SCEP, complete these tasks in order.
Task | Section | |
|---|---|---|
1. | Enable API access to your Trust Lifecycle Manager account and download the device identifiers from Jamf Pro. | |
2. | Create seat records in Trust Lifecycle Manager using the device identifiers from Jamf Pro. | |
3. | Define the properties of the certificates to issue in Trust Lifecycle Manager. | |
4. | Create Jamf configuration profiles with the required SCEP settings to enroll certificates from DigiCert. | |
5. | Verify the certificates are getting issued in Trust Lifecycle Manager and provisioned by Jamf Pro. |
Prepare the integration
Dynamic SCEP-based enrollments require API access from Jamf Pro to your Trust Lifecycle Manager account and a common way to identify the devices in both platforms.
To use dynamic enrollment codes with SCEP, Jamf Pro needs API access to your Trust Lifecycle Manager account using a client authentication certificate.
Avis
For tracking purposes, DigiCert recommends using a dedicated API service user for the integration, as described below. You can also generate the client authentication certificate for a standard user with the User and certificate manager role or equivalent permissions.
The SCEP integration requires a common way to identify devices to both DigiCert and Jamf. You can use any identifier from Jamf Pro as long as it's present for all the devices to enroll. You will use this identifier to prepare seat records for the devices in Trust Lifecycle Manager.
To ensure the identifier is present for all the devices, DigiCert recommends using one of the following Jamf Pro identifiers, depending on the general device type.
Device type | Recommended Jamf Pro identifier |
|---|---|
Institutionally-owned | |
Personally-owned (BYOD) | |
To facilitate creation of seat records in Trust Lifecycle Manager, download your chosen device identifiers in CSV format from Jamf Pro.
To download the CSV file with identifiers for a group of devices:
In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Inventory > Search Inventory.
Select the New button on the right to create a new search.
(Optional) Use the Criteria tab to apply filters for which devices to include. By default, the search includes all Jamf devices.
Use the Display tab to select the identifer(s) to include in the CSV file. For example:
Serial Number: In the list of Hardware parameters, select the checkbox for Serial Number.UDID (Unique Device Identifier): In the list of Computer parameters, select the checkbox for UDID.
In the Reports tab:
File Format: Select
Comma-Separated Values (.csv).Select Download Report
Save the downloaded CSV file in a safe location. You will use it to create the corresponding seat records for the devices in Trust Lifecycle Manager.
Create seat records in Trust Lifecycle Manager
To use dynamic enrollment codes, you must prepare seat records in Trust Lifecycle Manager to identify all the Jamf devices to enroll. You can create multiple seat records in bulk from a CSV file.
To bulk create multiple seats at once in Trust Lifecycle Manager for enrolling Jamf devices, you need a CSV file in the following format:
seat_name,seat_id,business_unit_id Admin Macbook Pro,K2YL4QH3FZ,2edf100e-0916-402d-835b-dc4915d4df28 j.smith iPhone,C02G80DHMD6R,2edf100e-0916-402d-835b-dc4915d4df28
If you used Jamf Pro to download a CSV file with your devices as described in the Prepare the integration section, adjust the CSV file to follow the above format, with the following values:
seat_id: The identifier for each device in both Trust Lifecycle Manager and Jamf Pro. For example, theSerial NumberorUDID (Unique Device Identifier).seat_name: The Jamf device name. You can update this to use different names for the seat records in Trust Lifecycle Manager.business_unit_id: Add the GUID of the business unit in Trust Lifecycle Manager to issue certificates in.
Important
The first line of the CSV file must include the exact field identifier names for Trust Lifecycle Manager, as shown in the above example. The order of the field identifiers must match the values in the subsequent lines.
To bulk create seat records in Trust Lifecycle Manager from the CSV file:
From the Trust Lifecycle Manager menu, go to Account > Seats.
Select Manage seats in bulk on the top-right.
Complete the Manage seats in bulk (via CSV file) form:
Seat type: Select the seat type (either
DeviceorUser) for the type of certificates to issue in Trust Lifecycle Manager. To learn more, refer to the Create certificate profiles section.Operation: Select Create/Update seats.
Do you wish to enroll the Seats against a profile: Leave unchecked.
Submit CSV file: Drag your CSV file to the provided area or select Browse files to select it from your computer.
Avis
The system validates your CSV file to ensure it's in the correct format. If you get an error, update the CSV file and try again.
As soon as you upload the CSV file, the system creates the corresponding seat records. To see a report of all the seats created and the current status of each, select the Download results JSON link at the bottom.
When you're finished, select the Ok button to return to the main Account > Seats page. The seats you created should be present in the table here.
To create a single seat record in Trust Lifecycle Manager for enrolling a Jamf device:
From the Trust Lifecycle Manager main menu, select Account > Seats.
Select Create on the top-right.
Complete the Create seat form:
Business unit: Select the business unit in Trust Lifecycle Manager to issue the certificate in.
Seat type: Select the seat type (either
DeviceorUser) for the type of certificates to issue in Trust Lifecycle Manager. To learn more, refer to the Create certificate profiles section.Seat ID: Enter the identifier for this seat. For example, enter the device's
Serial NumberorUDID (Unique Device Identifier)in Jamf Pro.Seat name: Enter a friendly name to help identify the seat/device in Trust Lifecycle Manager.
Select Create seat to create the seat record for the Jamf device.
Create certificate profiles in Trust Lifecycle Manager
A certificate profile defines the issuing CA and general properties for a type of certificate you can issue in Trust Lifecycle Manager. Using a base template as the starting point, create a profile for each type of certificate you want to enroll via Jamf Pro.
Use one of the following base templates as the starting point when creating certificate profiles in Trust Lifecycle Manager for use with Jamf Pro.
Both templates support SCEP-based enrollments and issue private trust certificates from CAs in DigiCert® Private CA.
Make sure you have the corresponding seat type allocated to the business unit in Trust Lifecycle Manager where you will issue the certificates.
Template name | Seat type |
|---|---|
| Device |
| User |
To create a certificate profile in Trust Lifecycle Manager to use with Jamf Pro:
In the Trust Lifecycle Manager menu, select Policies > Certificate profiles.
Select the Create profile from template button.
Select one of the templates from the Available base templates section as the basis for creating the certificate profile.
Follow the profile creation wizard, focusing on the Jamf-related options described below and making other selections for your business needs.
On the Primary options screen:
General information:
Profile name: Give the profile a readily identifiable name. You will select the profile by name when configuring Jamf Pro. To ensure compatibility, avoid special characters like "(" in the profile name, use hyphens instead of whitespace as word separators, and limit the name to 34 characters or less.
Business unit: Select the applicable business unit to assign the certificates to in Trust Lifecycle Manager.
Issuing CA: Select the certificate authority (CA) to issue the certificates. The issuing CA you select must have the Allow CA to decrypt and sign SCEP packets option enabled, otherwise the
SCEPenrollment method is not available below.
Enrollment method: Select
SCEP.Authentication method: Select one of the following authentication types and configure options for it:
Dynamic enrollment code options: Authenticate each Jamf device using a dynamic enrollment code. With this option, each device has its own enrollment code.
Important
DigiCert strongly recommends using Dynamic enrollment codes for authentication. This is the most secure option and provides enhanced tracking and management capabilities.
Global enrollment code options: Authenticate all Jamf devices using a static code that you configure in the profile. With this option, all Jamf devices share the same enrollment code and do not need to be registered in Trust Lifecycle Manager beforehand.
Avertissement
If you use a Global enrollment code for authentication, any client that knows the code can potentially issue a certificate from the profile.
Under Certificate options > Subject DN and SAN fields, configure the fields to include in certificates issued from this profile:
By default, each certificate includes a Common name in the Subject DN, which gets it value from the SCEP request.
(Optional) Use the dropdown to add more fields to the certificates. For the Source of the field's value, select either:
SCEP request: To assign the value dynamically from the SCEP enrollment request.
Fixed value: To enter a static value to assign to all certificates.
Important
Important notes:
Each certificate profile must include at least one field (for example, the Common name) that gets its value from the SCEP request, which will be used to carry the device identifiers from Jamf Pro.
To use the certificate profile redistribution method to ensure certificates get reissued when they are nearing expiration, add an Organization units (OU) field to the Subject DN that gets its value from the SCEP request.
You will configure the Jamf configuration profile to supply corresponding values for the SCEP request fields when a device requests a certificate.
Under Advanced settings > Seat ID Mapping:
Seat ID: Select the certificate field that will carry the Jamf Pro device identifiers used as the
Seat IDvalues in the corresponding seat records in Trust Lifecycle Manager. For example, to read the device identifiers from the certificate common name, set this toSubject DN: Common name.
To save the new certificate profile, select Create on the final wizard screen.
Copy and save the certificate profile’s SCEP Server URL for use in your Jamf Pro mobile device configuration profile.
Configure Jamf for SCEP enrollments
To enable endpoint devices to enroll certificates from DigiCert ONE, you need to create a Jamf Pro configuration profile with the SCEP settings for your certificate profile in Trust Lifecycle Manager. The scope of the Jamf profile must include the target users and devices to enroll.
Avis
For more details about Jamf configuration profiles, refer to the official Jamf Pro documentation.
To create a new configuration profile in Jamf Pro:
In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Content Management > Configuration Profiles.
Select New to create a new configuration profile.
In the General tab, configure the following settings:
Name: Enter a name to help identify this configuration profile.
Level: Select one of the following:
Device LevelorComputer Level: To make the profile available to all users on the device or computer.Astuce
For MDM purposes, most Jamf configuration profiles should use either the
Device LevelorComputer Levelsetting.User Level: To associate the profile with a specific user account on a computer. This setting is not as commonly used and is primarily applicable to computers shared by multiple users.
Distribution Method: Select
Install Automatically.
In the SCEP tab, configure the SCEP settings for the certificate profile you created in Trust Lifecycle Manager:
URL: Enter the SCEP Server URL for the corresponding profile to issue certificates from in Trust Lifecycle Manager. Refer to the Create certificate profiles section for details.
Subject: Enter the Subject DN value string to add to the certificates. For example, enter
CN=$SERIALNUMBERto dynamically insert the serial number of each device as the common name in SCEP enrollment requests.Subject Alternative Name: (Optional) If your certificate profile in Trust Lifecycle Manager includes fields in the Subject Alternative Name (SAN) extension that get their values from the SCEP request, use the Add button to add matching field types and enter value strings for them.
In the following example, the SCEP certificate settings in the Jamf profile include each device's serial number in the Subject common name, plus a SAN RFC 822 field with the serial number as part of the email address.
Important
Important notes:
Every certificate field configured in the Trust Lifecycle Manager certificate profile that gets its value from the SCEP request must have a corresponding value in the Jamf configuration profile.
For a list of payload variables you can use in your Jamf configuration profiles, refer to the official Jamf Pro documentation. Payload variables are case-sensitive.
Any certificate field configured with a Fixed value in the Trust Lifecycle Manager certificate profile must not be present in the Jamf configuration profile.
To use the certificate profile redistribution method to ensure certificates get reissued when they are nearing expiration, add
OU=$PROFILEIDENTIFIERto the Subject field. This adds the ID value of the Jamf configuration profile as an organization unit in each certificate and is especially important when mapping the certificate's common name to the seat ID value in Trust Lifecycle Manager.
Challenge Type: Select one of the following and fill in the options for it:
Static: Select this if your certificate profile in Trust Lifecycle Manager is configured to use a Global enrollment code. Enter the enrollment code in the Challenge and Verify Challenge inputs.
Dynamic-DigiCert Trust Lifecycle Manager: Select this if your certificate profile uses Dynamic enrollment codes. Configure the following fields:
PKI Instance: Select the applicable integration for your Trust Lifecycle Manager account as configured in your global Jamf Pro settings. Refer to the Prepare the integration section for more information.
Certificate Profile: Select the name of the profile to issue certificates from in Trust Lifecycle Manager. After making a selection, the GUID of the profile is shown for verification and so you can cross-check it against the certificate profile in Trust Lifecycle Manager.
Seat ID: Select the field used for the
Seat IDvalues in the corresponding seat records in Trust Lifecycle Manager. For example, select:Serial Number: For Jamf Serial Numbers used as the seat IDs.Device UDID: For Jamf UDID (Unique Device Identifier) values used as the seat IDs.
Seat Type: To use existing, manually created seats in Trust Lifecycle Manager, you must select
Otherhere.
(Optional) Make additional selections if needed to match the configuration of your certificate profile in Trust Lifecycle Manager.
Select Save on the bottom-right to save the new Jamf configuration profile.
To start enrolling computers/devices and users from the Jamf profile, configure the scope of the profile:
In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Content Management > Configuration Profiles.
Select the configuration profile.
Select Edit on the bottom-right.
Select the Scope tab below the profile name at top.
To set the scope, update the Target selections for computers/devices or users to one of the following:
All: Allow all computers/devices or users to enroll from the profile.
Specific: Allow only specific computers/devices or users to enroll:
Use the Add button to add the target computers/devices or users that can get certificates from this configuration profile.
Under Add Deployment Targets, select individual targets or target groups to enroll.
Important
Important notes:
DigiCert recommends setting the scope to Specific and using Smart Groups to control which computers/devices or users can get certificates.
To avoid issues from enrolling too many devices at once, select and apply target Smart Groups one at a time or in small batches. For more details, refer to the Distribute the Jamf profile to more targets section below.
Select Save on the bottom-right to apply your changes.
The Jamf configuration profile gets distributed to all the selected targets, prompting them to enroll certificates from Trust Lifecycle Manager.
To avoid issues from enrolling too many devices at once, distribute the Jamf configuration profile to Smart Groups one at a time or in small batches. After enrolling one group of devices, update the profile scope to distribute it to the next group.
To distribute the Jamf profile to the next group of devices:
In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Content Management > Configuration Profiles.
Select the configuration profile.
Select Edit on the bottom-right.
Select the Scope tab below the profile name at top.
Update the Target selections to add the new target computers/devices or users to enroll.
Select Save on the bottom-right to apply your changes.
In the Redistribution Options dialog, select one of the following options:
Distribute to All: The Jamf configuration profile gets distributed to all target devices, even those that already have the profile installed. This causes all the devices to enroll new certificates from Trust Lifecycle Manager.
Distribute to Newly Assigned Devices Only: The Jamf configuration profile only gets distributed to the newly selected target devices. Only the new devices you added will enroll certificates from Trust Lifecycle Manager.
Important
DigiCert recommends enrolling certificates in rolling groups, using the Distribute to Newly Assigned Devices Only option.
Select Save to finish and distribute the configuration profile to the selected targets, based on the selected distribution option.
Repeat this process to enroll the next group of devices.
Verify certificate enrollments
After enrolling a target device, verify the certificate got issued in Trust Lifecycle Manager and provisioned by Jamf Pro.
To view the issued certificate in Trust Lifecycle Manager:
Go to your Inventory page.
Use the view functions to display the certificate, filtering by fields such as the Common name or Seat ID.
Select a certificate by its Common name to see more details about it.
To verify profile distribution and certificate issuance for a single computer or device in the Jamf Pro portal:
In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Inventory > Search Inventory.
Select the Search button on the top-right.
Select the computer or device from the list to see the details for it.
Verify details in the computer or device record:
Inventory > Profiles: Lists all the configuration profiles installed on the device, including the identifier for each. If you configured your profiles to enable SCEP redistribution, this is the IDENTIFIER value that gets added as an organization unit (OU) in the certificate subject.
Inventory > Certificates: Lists all the certificates installed on the device, including expiration date and status of each. Select a certificate to see more details about it.
Management > Management Commands: Review this tab to see the deployment status of a Jamf configuration profile, including any errors that have been reported to Jamf Pro from DigiCert.
To see all certificates issued through Trust Lifecycle Manager in your Jamf Pro account:
More information
For more information about the integration, refer to the following Jamf technical paper: Integrating with DigiCert Using Jamf Pro.