API integration guide for Jamf Pro

DigiCert® Trust Lifecycle Manager facilitates certificate issuance through your Jamf Pro mobile device management (MDM) environment. This guide describes how to integrate with Jamf using the REST API service of Trust Lifecycle Manager.

重要

Jamf Pro also supports SCEP integration for issuing certificates from Trust Lifecycle Manager. While the API integration currently requires less configuration, it does not support issuing certificates with a SAN extension or fixed-value fields in the Subject DN.

Prerequisites

Jamf Pro MDM prerequisites

Consult with your local admin or Jamf Pro documentation for questions regarding Jamf configuration and use.

Active Jamf Pro account with the target devices for enrollment added to it.
Your Jamf Pro account is configured with an Apple MDM Push certificate if you intend to issue certificates to Apple iOS devices.
(Recommended) Create Smart Groups in Jamf Pro for each logical group of devices or computers to enroll. For more information, refer to the official Jamf Pro documentation.

Workflow

To set up the Jamf Pro integration via API, complete these tasks in order.

	Task	Section
1.	Enable API access to your Trust Lifecycle Manager account.	Prepare the integration
2.	Define the properties of the certificates to issue in Trust Lifecycle Manager.	Create certificate profiles in Trust Lifecycle Manager
3.	Create Jamf configuration profiles with the required settings to enroll certificates from DigiCert.	Configure Jamf for API enrollments
4.	Verify the certificates are getting issued in Trust Lifecycle Manager and provisioned by Jamf Pro.	Verify certificate enrollments

Prepare the integration

To prepare the integration, configure API access from Jamf Pro to your Trust Lifecycle Manager account using a client authentication certificate.

注意

For tracking purposes, DigiCert recommends using a dedicated API service user for the integration, as described below. You can also generate the client authentication certificate for a standard user with the User and certificate manager role or equivalent permissions.

Step 1: Create service user in DigiCert ONE

To create an API service user with the minimum required permissions in DigiCert ONE:

Open the DigiCert ONE Managers menu (grid icon) on the top-right, and select Account.
In the Account Manager menu, select Access > Service User.
Select the Create service user button.
Enter the service user details.
For DigiCert ONE Manager access, select Trust Lifecycle.
Select Next.
Under Roles and permissions for Trust Lifecycle Manager, select User and certificate manager.
You may select additional roles. DigiCert recommends following the principle of least privilege.
Select Add user to create the service user with the configured settings.
The Service user token ID window opens with the API token for the new service user.
Note: For the Jamf Pro integration, you do not need the API token. We will use an authentication certificate instead.
To dismiss the token ID popup window, select Close.

Step 2: Generate authentication certificate for the service user

To generate an authentication certificate for your service user in DigiCert ONE:

In the Account Manager menu, select Access > Service User.
In the table, select the name of the service user you created.
In the Client authentication certificates section, select the Create client authentication certificate button.
Enter the requested client authentication certificate settings, then select Generate certificate.
A popup window opens with the randomly generated password required to decrypt the PKCS#12 file containing your authentication certificate.
Important: You will need this password to configure the integration in Jamf Pro.
Copy and save the password to a secure location.
After saving the password, select Download certificate to download the authentication certificate.
Follow the instructions in the popup window to save the PKCS#12 certificate file to your computer.
Make note of the location where you save the file. You will need it when configuring the integration in Jamf Pro.
After saving the certificate, select Close to dismiss the popup window.

Step 3: Configure integration settings in Jamf Pro

To configure the Jamf Pro settings for accessing your Trust Lifecycle Manager account:

In the Jamf Pro portal, go to Settings > Global > PKI certificates.
Select Configure New Certificate Authority on the top-right.
Select the option for DigiCert Trust Lifecycle Manager and select Next on the bottom-right.
Configure the following settings for the integration:
- Display Name for the Integration: Enter a name to help identify this integration in Jamf Pro.
- Automatic certificate revocation: (Optional) Enable this option to automatically revoke the certificates associated with a device when decommissioning that device. For more information about this feature, refer to the official Jamf Pro documentation.
- DigiCert One Host Name: Enter the URL you use to log in to Trust Lifecycle Manager. For a list of URLs for the cloud-hosted version of DigiCert ONE by environment and region, see Platform IP addresses and URLs.
- Client authentication certificate: Drag and drop or browse to upload the authentication certificate for the API service user you created in DigiCert ONE.
- Certificate password: Enter the corresponding password for the authentication certificate you uploaded above.
Select Save on the bottom-right to save this Trust Lifecycle Manager integration.
If the connection is successful, Jamf Pro displays a green success banner at the top of the screen.
注意
You can check the status of the connection at any time by returning to the Settings > Global > PKI certificates screen and selecting View next to the Trust Lifecycle Manager integration. If the connection is active, Jamf Pro shows a green banner message at the top of the details screen, otherwise it shows a red banner message.

Create certificate profiles in Trust Lifecycle Manager

A certificate profile defines the issuing CA and general properties for a type of certificate you can issue in Trust Lifecycle Manager. Using a base template as the starting point, create a profile for each type of certificate you want to enroll via Jamf Pro.

Available base templates

Use one of the following base templates as the starting point when creating certificate profiles in Trust Lifecycle Manager for use with Jamf Pro.

Both templates support API-based enrollments and issue private trust certificates from CAs in DigiCert® Private CA.
Make sure you have the corresponding seat type allocated to the business unit in Trust Lifecycle Manager where you will issue the certificates.

Template name	Seat type
`Generic Device Certificate`	Device
`Generic User Certificate`	User

Create a certificate profile

To create a certificate profile in Trust Lifecycle Manager to use with Jamf Pro:

In the Trust Lifecycle Manager menu, select Policies > Certificate profiles.
Select the Create profile from template button.
Select one of the templates from the Available base templates section as the basis for creating the certificate profile.
Follow the profile creation wizard, focusing on the Jamf-related options described below and making other selections for your business needs.
On the Primary options screen:
- General information: Select the applicable business unit and issuing CA for the certificates.
- Enrollment method: Select REST API.
- Authentication method: Select 3rd Party app.
Under Certificate options > Subject DN and SAN fields, configure the fields to include in certificates issued from this profile:
- By default, each certificate includes a Common name in the Subject DN, which gets it value from the REST request.
- (Optional) Use the dropdown to add more fields to the certificates. For the Source of the field's value, select REST request to assign the value dynamically from the API enrollment request.
  重要
  Important notes:
  Each certificate profile must include at least one field (for example, the Common name) that gets its value from the REST request, which will be used to add the user or device identifiers from Jamf Pro.
  You will configure the Jamf configuration profile to supply corresponding values for the REST request fields when a device requests a certificate.
  警告
  The API integration for Jamf Pro does not currently support the SAN extension or any Subject DN fields configured with a Fixed value. To avoid enrollment issues, do not add any such fields to the certificate profile in Trust Lifecycle Manager.
Under Advanced settings > Service User binding:
- Select Service User: If you set up a service user for the Jamf Pro integration as described in the Prepare the integration section, select the name of the user here to restrict profile access to only that service user. This ensures the profile is used exclusively for the Jamf Pro integration and allows for enhanced tracking and management of certificates issued to Jamf-managed devices.
To save the new certificate profile, select Create on the final wizard screen.

Configure Jamf for API enrollments

To enable endpoint devices to enroll certificates from DigiCert ONE, you need to create a Jamf Pro configuration profile that aligns with the certificate profile in Trust Lifecycle Manager. The scope of the Jamf profile must include the target users and devices to enroll.

注意

For more details about Jamf configuration profiles, refer to the official Jamf Pro documentation.

Create a Jamf configuration profile

To create a new configuration profile in Jamf Pro:

In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Content Management > Configuration Profiles.
Select New to create a new configuration profile.
In the General tab, configure the following settings:
- Name: Enter a name to help identify this configuration profile.
- Level: Select one of the following:
  - Device Level or Computer Level: To make the profile available to all users on the device or computer.
    提示
    For MDM purposes, most Jamf configuration profiles should use either the Device Level or Computer Level setting.
  - User Level: To associate the profile with a specific user account on a computer. This setting is not as commonly used and is primarily applicable to computers shared by multiple users.
- Distribution Method: Select Install Automatically.
In the Certificate tab, configure certificate properties that align with the certificate profile you created in Trust Lifecycle Manager:
- Name: Enter a name to help identify this certificate configuration.
- Select Certificate Option: Select the applicable integration for your Trust Lifecycle Manager account as configured in your global Jamf Pro settings. Refer to the Prepare the integration section for more information.
- Certificate Profile: Select the name of the profile to issue certificates from in Trust Lifecycle Manager. After making a selection, the GUID of the profile is shown for verification and so you can cross-check it against the certificate profile in Trust Lifecycle Manager.
- Seat ID: Select a Jamf Pro identifier to use as the Seat ID value in Trust Lifecycle Manager when a device enrolls a new certificate from this configuration profile. To ensure the identifier is present for all the devices, DigiCert recommends using one of the following identifiers, depending on the general device type:
  - Device UDID: For personally-owned (BYOD) devices.
  - Serial Number: For institutionally-owned devices.
- Attribute mapping: This section lists all the Subject DN fields in the selected certificate profile in Trust Lifecycle Manager that are configured to get their value from the REST request. For each field, use the dropdown to select a Jamf parameter to assign as the value in the issued certificates.
Select Save on the bottom-right to save the new Jamf configuration profile.

Configure the scope of the Jamf profile

To start enrolling computers/devices and users from the Jamf profile, configure the scope of the profile:

In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Content Management > Configuration Profiles.
Select the configuration profile.
Select Edit on the bottom-right.
Select the Scope tab below the profile name at top.
To set the scope, update the Target selections for computers/devices or users to one of the following:
- All: Allow all computers/devices or users to enroll from the profile.
- Specific: Allow only specific computers/devices or users to enroll:
  - Use the Add button to add the target computers/devices or users that can get certificates from this configuration profile.
  - Under Add Deployment Targets, select individual targets or target groups to enroll.
  重要
  Important notes:
  DigiCert recommends setting the scope to Specific and using Smart Groups to control which computers/devices or users can get certificates.
  To avoid issues from enrolling too many devices at once, select and apply target Smart Groups one at a time or in small batches. For more details, refer to the Distribute the Jamf profile to more targets section below.
Select Save on the bottom-right to apply your changes.
The Jamf configuration profile gets distributed to all the selected targets, prompting them to enroll certificates from Trust Lifecycle Manager.

Distribute the Jamf profile to more targets

To avoid issues from enrolling too many devices at once, distribute the Jamf configuration profile to Smart Groups one at a time or in small batches. After enrolling one group of devices, update the profile scope to distribute it to the next group.

To distribute the Jamf profile to the next group of devices:

In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Content Management > Configuration Profiles.
Select the configuration profile.
Select Edit on the bottom-right.
Select the Scope tab below the profile name at top.
Update the Target selections to add the new target computers/devices or users to enroll.
Select Save on the bottom-right to apply your changes.
In the Redistribution Options dialog, select one of the following options:
- Distribute to All: The Jamf configuration profile gets distributed to all target devices, even those that already have the profile installed. This causes all the devices to enroll new certificates from Trust Lifecycle Manager.
- Distribute to Newly Assigned Devices Only: The Jamf configuration profile only gets distributed to the newly selected target devices. Only the new devices you added will enroll certificates from Trust Lifecycle Manager.
  重要
  DigiCert recommends enrolling certificates in rolling groups, using the Distribute to Newly Assigned Devices Only option.
Select Save to finish and distribute the configuration profile to the selected targets, based on the selected distribution option.
Repeat this process to enroll the next group of devices.

Verify certificate enrollments

After enrolling a target device, verify the certificate got issued in Trust Lifecycle Manager and provisioned by Jamf Pro.

In Trust Lifecycle Manager

To view the issued certificate in Trust Lifecycle Manager:

Go to your Inventory page.
Use the view functions to display the certificate, filtering by fields such as the Common name or Seat ID.
Select a certificate by its Common name to see more details about it.

In Jamf Pro

To verify configuation profile distribution and certificate issuance for a single computer or device in the Jamf Pro portal:

In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Inventory > Search Inventory.
Select the Search button on the top-right.
Select the computer or device from the list to see the details for it.
Verify details in the computer or device record:
- Inventory > Profiles: Lists all the configuration profiles installed on the device, including the identifier for each.
- Inventory > Certificates: Lists all the certificates installed on the device, including expiration date and status of each. Select a certificate to see more details about it.
- Management > Management Commands: Review this tab to see the deployment status of a Jamf configuration profile, including any errors that have been reported to Jamf Pro from DigiCert.

To see all certificates issued through Trust Lifecycle Manager in your Jamf Pro account:

More information

For more information about the integration, refer to the following Jamf technical paper: Integrating with DigiCert Using Jamf Pro.

本节内容如下: