API integration guide for Jamf Pro
DigiCert® Trust Lifecycle Manager facilitates certificate issuance through your Jamf Pro mobile device management (MDM) environment. This guide describes how to integrate with Jamf using the REST API service of Trust Lifecycle Manager.
Important
Jamf Pro also supports SCEP integration for issuing certificates from Trust Lifecycle Manager. While the API integration currently requires less configuration, it does not support issuing certificates with a SAN extension or fixed-value fields in the Subject DN.
Prerequisites
Consult with your local admin or Jamf Pro documentation for questions regarding Jamf configuration and use.
Active Jamf Pro account with the target devices for enrollment added to it.
Your Jamf Pro account is configured with an Apple MDM Push certificate if you intend to issue certificates to Apple iOS devices.
(Recommended) Create Smart Groups in Jamf Pro for each logical group of devices or computers to enroll. For more information, refer to the official Jamf Pro documentation.
Workflow
To set up the Jamf Pro integration via API, complete these tasks in order.
Task | Section
---|---
1. | Enable API access to your Trust Lifecycle Manager account.
2. | Define the properties of the certificates to issue in Trust Lifecycle Manager.
3. | Create Jamf configuration profiles with the required settings to enroll certificates from DigiCert.
4. | Verify the certificates are getting issued in Trust Lifecycle Manager and provisioned by Jamf Pro.
Prepare the integration
To prepare the integration, configure API access from Jamf Pro to your Trust Lifecycle Manager account using a client authentication certificate.
Note
For tracking purposes, DigiCert recommends using a dedicated API service user for the integration, as described below. You can also generate the client authentication certificate for a standard user with the User and certificate manager role or equivalent permissions.
To create an API service user with the minimum required permissions in DigiCert ONE:
To generate an authentication certificate for your service user in DigiCert ONE:
To configure the Jamf Pro settings for accessing your Trust Lifecycle Manager account:
Create certificate profiles in Trust Lifecycle Manager
A certificate profile defines the issuing CA and general properties for a type of certificate you can issue in Trust Lifecycle Manager. Using a base template as the starting point, create a profile for each type of certificate you want to enroll via Jamf Pro.
Use one of the following base templates as the starting point when creating certificate profiles in Trust Lifecycle Manager for use with Jamf Pro.
Both templates support API-based enrollments and issue private trust certificates from CAs in DigiCert® Private CA.
Make sure you have the corresponding seat type allocated to the business unit in Trust Lifecycle Manager where you will issue the certificates.
Template name | Seat type
---|---
 | Device
 | User
To create a certificate profile in Trust Lifecycle Manager to use with Jamf Pro:
In the Trust Lifecycle Manager menu, select Policies > Certificate profiles.
Select the Create profile from template button.
Select one of the templates from the Available base templates section as the basis for creating the certificate profile.
Follow the profile creation wizard, focusing on the Jamf-related options described below and making other selections for your business needs.
On the Primary options screen:
General information: Select the applicable business unit and issuing CA for the certificates.
Enrollment method: Select REST API.
Authentication method: Select 3rd Party app.
Under Certificate options > Subject DN and SAN fields, configure the fields to include in certificates issued from this profile:
By default, each certificate includes a Common name in the Subject DN, which gets its value from the REST request.
(Optional) Use the dropdown to add more fields to the certificates. For the Source of the field's value, select REST request to assign the value dynamically from the API enrollment request.
Important notes:
Each certificate profile must include at least one field (for example, the Common name) that gets its value from the REST request, which will be used to add the user or device identifiers from Jamf Pro.
You will configure the Jamf configuration profile to supply corresponding values for the REST request fields when a device requests a certificate.
Warning
The API integration for Jamf Pro does not currently support the SAN extension or any Subject DN fields configured with a Fixed value. To avoid enrollment issues, do not add any such fields to the certificate profile in Trust Lifecycle Manager.
Under Advanced settings > Service User binding:
Select Service User: If you set up a service user for the Jamf Pro integration as described in the Prepare the integration section, select the name of the user here to restrict profile access to only that service user. This ensures the profile is used exclusively for the Jamf Pro integration and allows for enhanced tracking and management of certificates issued to Jamf-managed devices.
To save the new certificate profile, select Create on the final wizard screen.
Configure Jamf for API enrollments
To enable endpoint devices to enroll certificates from DigiCert ONE, you need to create a Jamf Pro configuration profile that aligns with the certificate profile in Trust Lifecycle Manager. The scope of the Jamf profile must include the target users and devices to enroll.
Note
For more details about Jamf configuration profiles, refer to the official Jamf Pro documentation.
To create a new configuration profile in Jamf Pro:
In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Content Management > Configuration Profiles.
Select New to create a new configuration profile.
In the General tab, configure the following settings:
Name: Enter a name to help identify this configuration profile.
Level: Select one of the following:
Device Level or Computer Level: To make the profile available to all users on the device or computer.
Tip
For MDM purposes, most Jamf configuration profiles should use either the Device Level or Computer Level setting.
User Level: To associate the profile with a specific user account on a computer. This setting is not as commonly used and is primarily applicable to computers shared by multiple users.
Distribution Method: Select Install Automatically.
In the Certificate tab, configure certificate properties that align with the certificate profile you created in Trust Lifecycle Manager:
Name: Enter a name to help identify this certificate configuration.
Select Certificate Option: Select the applicable integration for your Trust Lifecycle Manager account as configured in your global Jamf Pro settings. Refer to the Prepare the integration section for more information.
Certificate Profile: Select the name of the profile to issue certificates from in Trust Lifecycle Manager. After making a selection, the GUID of the profile is shown for verification and so you can cross-check it against the certificate profile in Trust Lifecycle Manager.
Seat ID: Select a Jamf Pro identifier to use as the Seat ID value in Trust Lifecycle Manager when a device enrolls a new certificate from this configuration profile. To ensure the identifier is present for all the devices, DigiCert recommends using one of the following identifiers, depending on the general device type:
Device UDID: For personally-owned (BYOD) devices.
Serial Number: For institutionally-owned devices.
Attribute mapping: This section lists all the Subject DN fields in the selected certificate profile in Trust Lifecycle Manager that are configured to get their value from the REST request. For each field, use the dropdown to select a Jamf parameter to assign as the value in the issued certificates.
Select Save on the bottom-right to save the new Jamf configuration profile.
To start enrolling computers/devices and users from the Jamf profile, configure the scope of the profile:
In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Content Management > Configuration Profiles.
Select the configuration profile.
Select Edit on the bottom-right.
Select the Scope tab below the profile name at top.
To set the scope, update the Target selections for computers/devices or users to one of the following:
All: Allow all computers/devices or users to enroll from the profile.
Specific: Allow only specific computers/devices or users to enroll:
Use the Add button to add the target computers/devices or users that can get certificates from this configuration profile.
Under Add Deployment Targets, select individual targets or target groups to enroll.
Important notes:
DigiCert recommends setting the scope to Specific and using Smart Groups to control which computers/devices or users can get certificates.
To avoid issues from enrolling too many devices at once, select and apply target Smart Groups one at a time or in small batches. For more details, refer to the Distribute the Jamf profile to more targets section below.
Select Save on the bottom-right to apply your changes.
The Jamf configuration profile gets distributed to all the selected targets, prompting them to enroll certificates from Trust Lifecycle Manager.
Distribute the Jamf profile to more targets
To avoid issues from enrolling too many devices at once, distribute the Jamf configuration profile to Smart Groups one at a time or in small batches. After enrolling one group of devices, update the profile scope to distribute it to the next group.
To distribute the Jamf profile to the next group of devices:
In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Content Management > Configuration Profiles.
Select the configuration profile.
Select Edit on the bottom-right.
Select the Scope tab below the profile name at top.
Update the Target selections to add the new target computers/devices or users to enroll.
Select Save on the bottom-right to apply your changes.
In the Redistribution Options dialog, select one of the following options:
Distribute to All: The Jamf configuration profile gets distributed to all target devices, even those that already have the profile installed. This causes all the devices to enroll new certificates from Trust Lifecycle Manager.
Distribute to Newly Assigned Devices Only: The Jamf configuration profile only gets distributed to the newly selected target devices. Only the new devices you added will enroll certificates from Trust Lifecycle Manager.
Important
DigiCert recommends enrolling certificates in rolling groups, using the Distribute to Newly Assigned Devices Only option.
Select Save to finish and distribute the configuration profile to the selected targets, based on the selected distribution option.
Repeat this process to enroll the next group of devices.
Verify certificate enrollments
After enrolling a target device, verify the certificate got issued in Trust Lifecycle Manager and provisioned by Jamf Pro.
To view the issued certificate in Trust Lifecycle Manager:
Go to your Inventory page.
Use the view functions to display the certificate, filtering by fields such as the Common name or Seat ID.
Select a certificate by its Common name to see more details about it.
To verify configuration profile distribution and certificate issuance for a single computer or device in the Jamf Pro portal:
In the Jamf Pro portal, navigate to either the Computers or Devices tab, depending on where your devices are set up.
Select Inventory > Search Inventory.
Select the Search button on the top-right.
Select the computer or device from the list to see the details for it.
Verify details in the computer or device record:
Inventory > Profiles: Lists all the configuration profiles installed on the device, including the identifier for each.
Inventory > Certificates: Lists all the certificates installed on the device, including expiration date and status of each. Select a certificate to see more details about it.
Management > Management Commands: Review this tab to see the deployment status of a Jamf configuration profile, including any errors that have been reported to Jamf Pro from DigiCert.
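As an added example, not part of DigiCert's or Jamf's documentation or code, the following Go program performs the same verification the portal steps above describe, but in a form that can be scripted across many exported device certificates: it parses a PEM certificate, confirms the Common name equals the Jamf identifier chosen in the attribute mapping (Serial Number or Device UDID), flags any SAN extension (the API integration does not issue one, so its presence points to a profile mismatch) and checks the validity period. The device record values and the self-signed sample certificates are constructed for this example, and the type and function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// DeviceRecord holds the Jamf Pro inventory attributes a configuration
// profile can map into a certificate. Values used below are constructed.
type DeviceRecord struct {
	SerialNumber string
	UDID         string
}

// Identifier returns the attribute selected in the Jamf profile as the
// source for the Common name / Seat ID: "Serial Number" or "Device UDID".
func (d DeviceRecord) Identifier(source string) (string, bool) {
	switch source {
	case "Serial Number":
		return d.SerialNumber, true
	case "Device UDID":
		return d.UDID, true
	}
	return "", false
}

// CheckIssuedCert compares an issued certificate with the device record it
// should have been built from. cnSource names the Jamf attribute the Common
// name was mapped to. It returns one message per problem found; an empty
// result means the certificate matches the profile as configured.
func CheckIssuedCert(cert *x509.Certificate, dev DeviceRecord, cnSource string, now time.Time) []string {
	var problems []string
	want, ok := dev.Identifier(cnSource)
	if !ok {
		problems = append(problems, "unknown attribute mapping: "+cnSource)
	} else if cert.Subject.CommonName != want {
		problems = append(problems, fmt.Sprintf("Common name %q does not match %s %q", cert.Subject.CommonName, cnSource, want))
	}
	// The API integration cannot issue a SAN extension, so any SAN content
	// means the certificate did not come from the expected profile.
	if len(cert.DNSNames)+len(cert.EmailAddresses)+len(cert.IPAddresses)+len(cert.URIs) > 0 {
		problems = append(problems, "unexpected SAN extension present")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, "certificate is outside its validity period")
	}
	return problems
}

// ParsePEMCert decodes a single PEM-encoded certificate, such as one exported
// from a device record or from the Trust Lifecycle Manager inventory.
func ParsePEMCert(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SampleCert builds a self-signed certificate standing in for one issued
// through the integration (constructed for this example; real certificates
// come from the issuing CA selected in the certificate profile).
func SampleCert(cn string, sans []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed device record; in practice these come from Jamf inventory.
	dev := DeviceRecord{SerialNumber: "C02EXAMPLE01", UDID: "00008030-000000000000001E"}
	for _, pemData := range [][]byte{
		SampleCert(dev.SerialNumber, nil),                   // matches the profile
		SampleCert("wrong-device", []string{"example.com"}), // CN mismatch plus SAN
	} {
		cert, err := ParsePEMCert(pemData)
		if err != nil {
			panic(err)
		}
		problems := CheckIssuedCert(cert, dev, "Serial Number", time.Now())
		fmt.Printf("%s: %d problem(s) %v\n", cert.Subject.CommonName, len(problems), problems)
	}
}
```

The check is deliberately strict about the Common name because Trust Lifecycle Manager uses the mapped identifier to tie the certificate to a seat; a certificate whose Common name does not match the device's Serial Number or UDID will show up under the wrong seat in the inventory even though Jamf reports it as installed.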
To see all certificates issued through Trust Lifecycle Manager in your Jamf Pro account:
More information
For more information about the integration, refer to the following Jamf technical paper: Integrating with DigiCert Using Jamf Pro.