Onboard macOS devices with certificates using Jamf and SCEP

In this topic, you will learn how to deploy Portnox™ Cloud certificates via Jamf and SCEP to manage macOS devices.

Turn on the Portnox Cloud SCEP services

In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.

If you have previously turned on the Portnox Cloud SCEP services, skip to step 4 below, in which you copy the Cloud SCEP URL and password.

Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.

Important: This topic shows the configuration for macOS computers with macOS 12 (Monterey), but the Apple profile payloads used in this configuration (Certificate, SCEP, and WiFi) are compatible with the following Apple operating systems: iOS 4.0+, iPadOS 4.0+, macOS 10.7+, tvOS 9.0+, watchOS 3.2+. This means that you can use the same profiles to configure other Apple devices based on these operating systems, for example, iPhones.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR GENERAL SETTINGS heading.

    More options appear under the CLEAR GENERAL SETTINGS heading and description.

  3. Enable integration with SCEP services.

    1. Scroll down to the SCEP SERVICES section.
    2. Click on the Edit link.
    3. Activate the Enable integration checkbox.
    4. Click on the Save button.

  4. Click on the  ⧉  icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
  5. Click on the  ⧉  icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.

    This password is the static SCEP challenge: anyone who knows it and the SCEP URL can request certificates from your SCEP service, so treat it like any other shared secret and delete the text file once the Jamf profile is saved.

Download the root CA certificate

In this section, you will download the root CA certificate from Portnox™ Cloud, which is needed to create a profile.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR RADIUS SERVICE heading.

    More options appear under the CLEAR RADIUS SERVICE heading and description.

  3. Click on any of the RADIUS servers listed to show its configuration.

  4. Click on the Download root certificate link.

Result: The root CA certificate file is in the Downloads folder on the local disk.

Download the tenant CA certificate

In this section, you will download the Portnox™ Cloud tenant CA certificate from the Cloud portal.

You need the tenant CA certificate from Portnox Cloud so that your managed devices can verify the validity of individual SCEP certificates, which are signed using the tenant CA certificate.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR GENERAL SETTINGS heading.

    More options appear under the CLEAR GENERAL SETTINGS heading and description.

  3. Scroll down to the TRUSTED ROOT CERTIFICATES section and click on the Download link, then save the downloaded file.

    The default name of the file is Your_tenant_name - Portnox CLEAR.pfx, for example, Portnox - Portnox CLEAR.pfx.

The downloaded tenant CA certificate is a file in the Personal Information Exchange binary format (PFX, also known as PKCS#12), which you cannot use directly. You need to convert it to the Base-64 encoded X.509 format (sometimes referred to as CER or PEM).

Convert the tenant CA certificate

In this section, you will convert the downloaded tenant CA certificate into the Base-64 encoded X.509 format.

You need this certificate in the Base-64 encoded X.509 format, which is sometimes called the PEM format. Files with this format usually have the .pem or .cer extension, but files in the DER binary format also have the .cer extension.

The following are three recommended ways to convert the PKCS#12 certificate into Base-64 encoded X.509:

  • Convert the tenant CA certificate using Windows certificate management.

    You need to download the certificate to a Windows computer or copy it to a Windows computer.

    1. In Windows, right-click on the PKCS#12 file and select Open from the context menu.

      The file will be opened in the Windows certificate manager.

    2. In the certificate manager window, open the Certificates section in the left-hand pane and then double-click on Portnox - Portnox CLEAR in the right-hand side pane.

    3. In the Certificate window, click on the Details tab and then click on the Copy to File button.

    4. In the first step of the Certificate Export Wizard, click on the Next button.
    5. In the second step of the wizard, select the Base-64 encoded X.509 (.CER) option.

    6. In the third step of the wizard, select a file to save the exported tenant CA certificate, and click on the Next button.

      For example, save the file as tenantCertificate.cer.

    7. In the last step of the wizard, click on the Finish button. Then, close the Certificate window.
  • Convert the tenant CA certificate using OpenSSL.

    macOS does not ship OpenSSL itself, but it does ship LibreSSL, whose openssl command (/usr/bin/openssl) supports the pkcs12 and x509 subcommands used here. If you need OpenSSL proper, install it with a third-party package manager or compile it from source.

    1. Open the Terminal.
    2. Type the following command: openssl pkcs12 -in "Portnox - Portnox CLEAR.pfx" -nokeys -out tenantCertificate.cer

      If asked for a certificate password, use an empty password. The -nokeys option makes sure that only certificates, never a private key, are written to the output file. If OpenSSL 3 rejects the file with an "unsupported" algorithm error, the PKCS#12 file uses legacy encryption; add the -legacy option to the command.

  • Convert the tenant CA certificate using a third-party online converter.
    Important: The following converters are not affiliated in any way with Portnox. They were found using web search and verified to support the required conversion. If needed, search the web for other converters. Uploading this particular file is acceptable only because it contains a public CA certificate and no private key; never upload a PKCS#12 file that contains a private key to a third-party site.
    • RVSSL (select PFX/PKCS#12 as the input format and Standard PEM as the output format)
    • SSL Shopper (select PFX/PKCS#12 as the input format and Standard PEM as the output format)
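The OpenSSL route above, written out as a script that also checks the result before you upload it to Jamf. This is an added example, not a script from the Portnox or Jamf documentation; the file names are assumptions, and it works with the LibreSSL openssl bundled with macOS as well as with OpenSSL 1.1.1 and 3.x.

```shell
#!/bin/sh
# Added example: convert the Portnox tenant CA PKCS#12 download to a PEM
# certificate and sanity-check it before uploading it to Jamf.
# Not from the Portnox or Jamf documentation; file names are assumptions.

# pfx_to_pem IN.pfx OUT.cer [password]
# Writes the certificate found in the PKCS#12 file to OUT.cer as Base-64
# encoded X.509 (PEM). -nokeys guarantees that no private key ever lands
# in the output, and the second openssl call re-emits just the PEM block,
# dropping the "Bag Attributes" header lines that pkcs12 prints first.
# The Portnox download is protected with an empty password (the default).
pfx_to_pem() {
    in_file=$1
    out_file=$2
    pass=${3:-}
    openssl pkcs12 -in "$in_file" -passin "pass:$pass" -nokeys \
        | openssl x509 -out "$out_file"
}

# check_ca_cert CERT.cer
# Returns 0 only if CERT.cer is a PEM certificate without a private key
# that carries basicConstraints CA:TRUE, i.e. something that can really
# act as the issuer of the SCEP certificates. Prints subject, issuer and
# validity so the file can be eyeballed before upload.
check_ca_cert() {
    cert=$1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || {
        echo "$cert: not a PEM certificate" >&2
        return 1
    }
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$cert"; then
        echo "$cert: contains a private key, do not upload it" >&2
        return 1
    fi
    openssl x509 -in "$cert" -noout -subject -issuer -dates
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || {
        echo "$cert: basicConstraints CA:TRUE missing, not a CA certificate" >&2
        return 1
    }
}

# Usage: sh convert_tenant_ca.sh "Portnox - Portnox CLEAR.pfx" tenantCertificate.cer
if [ "$#" -ge 1 ]; then
    out=${2:-tenantCertificate.cer}
    pfx_to_pem "$1" "$out" "${3:-}" && check_ca_cert "$out"
fi
```

If check_ca_cert reports a private key, you downloaded the wrong file: the tenant CA export from the TRUSTED ROOT CERTIFICATES section contains only the public certificate.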

Create a Jamf configuration profile

In this section, you will create a configuration profile in Jamf that lets managed devices get certificates from the Portnox™ Cloud SCEP server.

  1. Open your Jamf instance in the browser and log in.
    For example, vorlon.jamfcloud.com
  2. In the top-left corner, click on the Computers icon.

  3. In the left-hand menu, click on the Configuration Profiles option.

    Jamf shows the Configuration Profiles pane on the right-hand side.

  4. In the top-right corner of the Configuration Profiles pane, click on the New button.

    Jamf shows the New macOS Configuration Profile pane on the right-hand side.

  5. In the General pane on the right-hand side, configure general properties for the new profile:
    1. In the Name field, enter the name for this SCEP configuration profile.

      We used the name Vorlon SCEP but you can use any name you like.

    2. In the Level field, select whether this profile will be applied on the Computer Level or User Level depending on whether you will be using device certificates or user certificates.

  6. In the left-hand menu of the configuration profile pane, click on the SCEP option.

    Jamf shows the Configure SCEP pane on the right-hand side.

  7. On the right-hand side, click on the Configure button to configure SCEP properties for the new profile:

    1. In the URL field, enter the SCEP URL that you copied earlier from Portnox Cloud.

    2. In the Subject field, enter a string to use to generate the Subject field in the user/device certificates.

      The string can contain Jamf variables. For example:

      • For user certificates, use: CN=$EMAIL

      • For device certificates, use: CN=$UDID

      These variables are processed by Jamf and replaced by the user’s email address ($EMAIL) and the device UDID ($UDID). Portnox Cloud then uses the values from the certificate fields to create or align with an account in Cloud. If you use incorrect variables, Cloud will not be able to align this information with information from the authentication repository, and it will create new Cloud accounts for devices instead of aligning them with accounts from the authentication repository. For more information about Jamf variables, see Payload Variables for Mobile Device Configuration Profiles in the Jamf Pro Administrator’s Guide.

      Important: If you use variables, make sure that the variable value is available. For example, if you use the $USERNAME variable, make sure that there is a valid user account on the device that is also known to Jamf. If not, the device may report the following error: Unable to obtain certificate from SCEP server. Such errors are known to happen for example when devices are recycled (previously assigned to users that are no longer with the company). Also, if you intend to use the same profile to manage iOS devices, you need to use device certificates and CN=$DEVICENAME.
    3. In the Subject Alternative Name Type field, select the Uniform Resource Identifier option. In the Subject Alternative Name Value, enter https://jamfdeviceid/$UDID, and in the NT Principal Name field, enter $EMAIL for user-based accounts or leave the field empty for device-based accounts.

      Note: Portnox Clear uses these Subject Alternative Name (SAN) values from the certificate to provide device information for risk assessment policies.
    4. In the Challenge Type field, select Static, and in the Challenge and Verify Challenge fields, paste the password that you copied earlier from Portnox Cloud.

    5. In the Key Size field, select the key size that you want to use.

      In this example, we used the value 2048. Do not select 1024: 1024-bit RSA keys no longer meet current minimum key-length guidance. Larger keys produce larger certificates, and larger certificates are split into more fragments during EAP-TLS authentication, which some network equipment handles poorly, so 4096 can cause authentication failures in some network topologies.

    6. Activate the Use as digital signature and Use for key encipherment checkboxes.

    7. Click on the Upload Certificate button, then on the Choose File button, and select the tenant CA certificate file you converted and saved earlier, then click on the Upload button.

  8. In the left-hand menu of the configuration profile pane, click on the Certificate option.

    Jamf shows the Configure Certificate pane on the right-hand side.

  9. On the right-hand side, click on the Configure button to configure certificate properties for the new profile:

    1. In the Certificate Name field, enter a display name for the root CA certificate.

      We used the name Root CA but you can use any name you like.

    2. In the Select Certificate Option field, select Upload.

    3. Click on the Upload Certificate button. Then, in the Certificate pop-up, click on the Choose File button, and select the root CA certificate file that you downloaded earlier, for example, rootCertificate.cer. Then, click on the Upload button.

    4. Click on the  +  button in the top-right corner of the Certificate pane to add another certificate payload. Then, scroll down the Certificate pane to see the added section.

    5. In the Certificate Name field, enter a display name for the tenant CA certificate.

      We used the name Tenant CA but you can use any name you like.

    6. In the Select Certificate Option field, select Upload.

    7. Click on the Upload Certificate button. Then, in the Certificate pop-up, click on the Choose File button, and select the tenant CA certificate file that you downloaded and converted earlier, for example, tenantCertificate.cer. Then, click on the Upload button.

      Note: You don’t have to include the tenant CA certificate in the profile. However, if you don’t distribute the tenant CA certificate to managed devices, the SCEP certificates that your devices will obtain from this tenant CA will be marked in the keychain as untrusted, because the device cannot build a chain to a trusted issuer.
  10. Click on the Save icon in the bottom-right corner to save the configuration profile.

Configure the profile for Wi-Fi

In this section, you will edit the configuration profile and add a Wi-Fi network configuration. This will let your managed devices access the Wi-Fi network configured in Portnox™ Cloud by using certificates obtained from the Portnox SCEP server.

  1. In the top-left corner, click on the Computers icon.

  2. In the left-hand menu, click on the Configuration Profiles option.

    Jamf shows the Configuration Profiles pane on the right-hand side.

  3. Find the profile that you created earlier and click on its name.

  4. In the bottom-right corner of the right-hand side pane, click on the Edit icon.

  5. In the left-hand menu of the right-hand side pane, click on the Network option.

    Jamf shows the Configure Network pane on the right-hand side.

  6. On the right-hand side, click on the Configure button to configure network properties for the new profile:

    1. In the Network Interface field, select the Wi-Fi option.

    2. In the Service Set Identifier (SSID) field, enter the SSID of the Wi-Fi network that you configured in Portnox Cloud for your managed devices.

    3. In the Security Type field, select the WPA/WPA2 Enterprise option.

    4. In the Protocols tab of the Network Security Settings section in the right-hand side pane, in the Accepted EAP Types field, activate only the TLS checkbox.

    5. In the Trust tab of the Network Security Settings section in the right-hand side pane, in the Identity Certificate field, select the SCEP option.

    6. In the Trusted Certificates section, click on the checkboxes next to the display names of the certificates that you uploaded earlier.

    7. In the CERTIFICATE COMMON NAME section, click on the Add button and add the following name: clear-rad.portnox.com. Then, click on the Save button.

      This name, together with the trusted certificates selected in the previous step, is what the device checks in the RADIUS server’s certificate before it presents its own identity certificate, so do not leave the list empty.

  7. Click on the Save icon in the bottom-right corner to save the configuration profile.

Configure the profile for Ethernet

In this section, you will edit the configuration profile and add an Ethernet network configuration. This will let your managed devices access the Ethernet network configured in Portnox™ Cloud by using certificates obtained from the Portnox SCEP server.

  1. In the top-left corner, click on the Computers icon.

  2. In the left-hand menu, click on the Configuration Profiles option.

    Jamf shows the Configuration Profiles pane on the right-hand side.

  3. Find the profile that you created earlier and click on its name.

  4. In the bottom-right corner of the right-hand side pane, click on the Edit icon.

  5. In the left-hand menu of the right-hand side pane, click on the Network option.

  6. In the right-hand side pane, click on the  +  icon in the top-right corner to create another network configuration. Then, scroll down to the newly created network configuration to set the following properties:
    1. In the Network Interface field, select the Any Ethernet option.

    2. In the Protocols tab of the Network Security Settings section in the right-hand side pane, in the Accepted EAP Types field, activate only the TLS checkbox.

    3. In the Trust tab of the Network Security Settings section in the right-hand side pane, in the Identity Certificate field, select the SCEP option.

    4. In the Trusted Certificates section, click on the checkboxes next to the display names of the certificates that you uploaded earlier.

    5. In the CERTIFICATE COMMON NAME section, click on the Add button and add the following name: clear-rad.portnox.com. Then, click on the Save button.

  7. Click on the Save icon in the bottom-right corner to save the configuration profile.