Onboard macOS devices with certificates using Jamf and SCEP

In this topic, you will learn how to deploy Portnox™ Cloud certificates via Jamf and SCEP to manage macOS devices.

Turn on the Portnox Cloud SCEP services

In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.

If you have previously turned on the Portnox Cloud SCEP services, skip to the later step in which you get the Cloud SCEP URL and password.

Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.

Important: This topic shows the configuration for macOS computers with macOS 12 (Monterey), but the Apple profile payloads Certificate, SCEP, and WiFi, which are used in this configuration, are compatible with the following Apple operating systems: iOS 4.0+, iPadOS 4.0+, macOS 10.7+, tvOS 9.0+, watchOS 3.2+. This means that you can use the same profiles to configure other Apple devices based on these operating systems, for example, iPhones.
  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > SCEP Services option.

  3. Enable integration with SCEP services.

    1. Click on the Edit link.
    2. Activate the Enable integration checkbox.
    3. Click on the Save button.
  4. Click on the ⧉ icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
  5. Click on the ⧉ icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.

Download the root CA certificate

In this section, you will download the root CA certificate from Portnox™ Cloud, which is needed to create a profile.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > CLEAR RADIUS SERVICE > CLEAR RADIUS instance option.

  3. Click on any of the RADIUS servers listed in the right-hand pane to show its configuration.

  4. Click on the Download root certificate link.

Result: The root CA certificate file is in the Downloads folder on the local disk.

Download the tenant CA certificate

In this section, you will download the Portnox™ Cloud tenant CA certificate from the Cloud portal.

You need the tenant CA certificate from Portnox Cloud so that your managed devices can verify the validity of individual SCEP certificates, which are signed using the tenant CA certificate.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Trusted Root Certificates option.

  3. In the Trusted Root Certificates section, click on the Download link, then save the downloaded file.

    The default name of the file is Your_tenant_name - Portnox CLEAR.pfx, for example, Portnox - Portnox CLEAR.pfx.

The downloaded tenant CA certificate is a file in the Personal Information Exchange binary format (PFX, also known as PKCS#12), which you cannot use directly. You need to convert it to the Base-64 encoded X.509 format (sometimes referred to as CER or PEM).

Convert the tenant CA certificate

In this section, you will convert the downloaded tenant CA certificate into the Base-64 encoded X.509 format.

You need this certificate in the Base-64 encoded X.509 format, which is sometimes called the PEM format. Files with this format usually have the .pem or .cer extension, but files in the DER binary format also have the .cer extension.

The following are three recommended ways to convert the PKCS#12 certificate into Base-64 encoded X.509:

  • Convert the tenant CA certificate using Windows certificate management.

    You need to download the certificate to a Windows computer or copy it to a Windows computer.

    1. In Windows, right-click on the PKCS#12 file and select Open from the context menu.

      The file will be opened in the Windows certificate manager.

    2. In the certificate manager window, open the Certificates section in the left-hand pane and then double-click on Portnox - Portnox CLEAR in the right-hand side pane.

    3. In the Certificate window, click on the Details tab and then click on the Copy to File button.

    4. In the first step of the Certificate Export Wizard, click on the Next button.
    5. In the second step of the wizard, select the Base-64 encoded X.509 (.CER) option.

    6. In the third step of the wizard, select a file to save the exported tenant CA certificate, and click on the Next button.

      For example, save the file as tenantCertificate.cer.

    7. In the last step of the wizard, click on the Finish button. Then, close the Certificate window.
  • Convert the tenant CA certificate using OpenSSL.

    If you have OpenSSL installed on your macOS device, you can use it to convert certificates. OpenSSL is not installed by default and the installation requires using a third-party package or compiling OpenSSL from source.

    1. Open the Terminal.
    2. Type the following command: openssl pkcs12 -in "Portnox - Portnox CLEAR.pfx" -out tenantCertificate.cer

      If asked for a certificate password, use an empty password.

  • Convert the tenant CA certificate using a third-party online converter.
    Important: The following converters are not affiliated in any way with Portnox. They were found using web search and verified to support the required conversion. If needed, search the web for other converters.
    • RVSSL (select PFX/PKCS#12 as the input format and Standard PEM as the output format)
    • SSL Shopper (select PFX/PKCS#12 as the input format and Standard PEM as the output format)
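Whichever conversion route you take, it is worth checking the file before uploading it to Jamf, because a .cer file may still be DER or an unconverted PKCS#12 container, and the openssl pkcs12 output above also carries Bag Attributes lines and any private key stored in the PFX. The following Python script is an added example, not part of the Portnox or Jamf documentation: it classifies the input, keeps only the CERTIFICATE blocks, and re-emits each as canonical Base-64 encoded X.509. Function names and the sample bytes in the test are constructed for illustration.

```python
import base64
import re
import ssl
from pathlib import Path

# Matches each PEM certificate block. openssl pkcs12 output may also contain
# "Bag Attributes" lines and a PRIVATE KEY block; neither belongs in an MDM upload.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def _der_header_len(data: bytes) -> int:
    """Bytes used by the tag and length of the first DER element."""
    if len(data) < 2:
        raise ValueError("truncated DER input")
    length_byte = data[1]
    return 2 if length_byte < 0x80 else 2 + (length_byte & 0x7F)


def detect_format(data: bytes) -> str:
    """Classify a .cer/.pem/.pfx file body as pem, der-cert, pkcs12 or unknown."""
    if b"-----BEGIN " in data:
        return "pem"
    if data[:1] == b"\x30":  # outer DER SEQUENCE: X.509 and PKCS#12 both start this way
        first_child = data[_der_header_len(data):][:1]
        if first_child == b"\x30":  # tbsCertificate SEQUENCE -> X.509 certificate
            return "der-cert"
        if first_child == b"\x02":  # PFX version INTEGER -> still PKCS#12
            return "pkcs12"
    return "unknown"


def to_pem_certificates(data: bytes) -> list:
    """Return every certificate in data as a Base-64 encoded X.509 (PEM) string."""
    fmt = detect_format(data)
    if fmt == "pem":
        text = data.decode("utf-8", errors="replace")
        ders = [base64.b64decode(b) for b in PEM_CERT_RE.findall(text)]
        if not ders:
            raise ValueError("PEM input contains no CERTIFICATE block")
    elif fmt == "der-cert":
        ders = [data]
    else:
        raise ValueError(f"input is {fmt}; convert PKCS#12 with openssl pkcs12 first")
    # Re-encode via the stdlib so each block is canonical: header, 64-column Base-64, footer.
    return [ssl.DER_cert_to_PEM_cert(der) for der in ders]


def convert_file(src: str, dst: str) -> int:
    """Write the certificates found in src to dst; returns how many were written."""
    pems = to_pem_certificates(Path(src).read_bytes())
    Path(dst).write_text("".join(pems))
    return len(pems)
```

Run it as convert_file("tenantCertificate.cer", "tenantCertificate.pem") and upload the output; a result of 0 or a ValueError means the file is not yet in the form Jamf expects.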

Create a Jamf configuration profile

In this section, you will create a configuration profile in Jamf that lets managed devices get certificates from the Portnox™ Cloud SCEP server.

  1. Open your Jamf instance in the browser and log in.
    For example, vorlon.jamfcloud.com
  2. In the top-left corner, click on the Computers icon.

  3. In the left-hand menu, click on the Configuration Profiles option.

    Jamf shows the Configuration Profiles pane on the right-hand side.

  4. In the top-right corner of the Configuration Profiles pane, click on the New button.

    Jamf shows the New macOS Configuration Profile pane on the right-hand side.

  5. In the General pane on the right-hand side, configure general properties for the new profile:
    1. In the Name field, enter the name for this SCEP configuration profile.

      We used the name Vorlon SCEP but you can use any name you like.

    2. In the Level field, select whether this profile will be applied on the Computer Level or User Level depending on whether you will be using device certificates or user certificates.

  6. In the left-hand menu of the configuration profile pane, click on the SCEP option.

    Jamf shows the Configure SCEP pane on the right-hand side.

  7. On the right-hand side, click on the Configure button to configure SCEP properties for the new profile:

    1. In the URL field, enter the SCEP URL that you copied earlier from Portnox Cloud.

    2. In the Redistribute Profile field, change the value Never to a value of at least a week.

      Note: This value specifies when (how many days before) Jamf redistributes profiles to onboarded devices if their SCEP certificates are about to expire. Distributing a profile causes the device to request a new SCEP certificate. If this setting is left at Never, once the SCEP certificate expires, the device will lose the connection to the network and you will have to manually redistribute its profile to request a new SCEP certificate.
    3. In the Subject field, enter a string to use to generate the Subject field in the user/device certificates.

      The string can contain Jamf variables. For example:

      • For user certificates, use: CN=$EMAIL

      • For device certificates, if there is no Intune integration, use CN=$DEVICENAME

      • For device certificates, if there is Intune integration, use CN=$UDID

      These variables are processed by Jamf and replaced by the user’s email address ($EMAIL) or Jamf device name ($DEVICENAME). Portnox Cloud then uses the values from the certificate fields to create or align with an account in Cloud.

      If you use an incorrect variable for user certificates, Cloud will not be able to align this information with information from the authentication repository, and it will create a new Cloud account instead of aligning it with an account from the authentication repository.

      If you use device certificates, Jamf will not be able to create LDAP accounts, only Cloud accounts for devices. As such, the Subject value should simply contain a human-readable device name, so that it is easy to read on the Devices screen.

      For more information about Jamf variables, see Payload Variables for Mobile Device Configuration Profiles in the Jamf Pro Administrator’s Guide.

      Important: If you use variables, make sure that the variable value is available. For example, if you use the $USERNAME variable, make sure that there is a valid user account on the device that is also known to Jamf. If not, the device may report the following error: Unable to obtain certificate from SCEP server. Such errors are known to happen for example when devices are recycled (previously assigned to users that are no longer with the company).
    4. In the Subject Alternative Name Type field, select the Uniform Resource Identifier option. In the Subject Alternative Name Value, enter https://jamfdeviceid/$UDID if you manage macOS devices or https://jamfmobiledeviceid/$UDID if you manage iOS devices, and in the NT Principal Name field, enter $EMAIL for user-based accounts or leave the field empty for device-based accounts.

      Note: By default, Portnox Cloud checks for user identity information in the SAN UPN field (NT Principal Name field in macOS). You can use a different SAN field, but it is not recommended. For more information, see the following topic: Certificate identity information.
    5. In the Challenge Type field, select Static, and in the Challenge and Verify Challenge fields, paste the password that you copied earlier from Portnox Cloud.

    6. In the Key Size field, select the key size that you want to use.

      In this example, we used the value 2048 but you can use 1024 or 4096. Note that while higher values provide more security, values other than 1024 may cause certificate fragmentation problems in some network topologies. If such problems occur, see the following topic: Certificate fragmentation issues.

    7. Activate the Use as digital signature and Use for key encipherment checkboxes.

    8. Activate the Allow all apps access checkbox.

      Note: This setting allows for unattended onboarding. If you do not activate this option, macOS will show a window asking for the administrator’s user name and password during onboarding.
    9. Click on the Upload Certificate button, then on the Choose File button, and select the tenant CA certificate file you converted and saved earlier, then click on the Upload button.

  8. In the left-hand menu of the configuration profile pane, click on the Certificate option.

    Jamf shows the Configure Certificate pane on the right-hand side.

  9. On the right-hand side, click on the Configure button to configure certificate properties for the new profile:

    1. In the Certificate Name field, enter a display name for the root CA certificate.

      We used the name Root CA but you can use any name you like.

    2. In the Select Certificate Option field, select Upload.

    3. Click on the Upload Certificate button. Then, in the Certificate pop-up, click on the Choose File button, and select the root CA certificate file that you downloaded earlier, for example, rootCertificate.cer. Then, click on the Upload button.

    4. Click on the  +  button in the top-right corner of the Certificate pane to add another certificate payload. Then, scroll down the Certificate pane to see the added section.

    5. In the Certificate Name field, enter a display name for the tenant CA certificate.

      We used the name Tenant CA but you can use any name you like.

    6. In the Select Certificate Option field, select Upload.

    7. Click on the Upload Certificate button. Then, in the Certificate pop-up, click on the Choose File button, and select the tenant CA certificate file that you downloaded and converted earlier, for example, tenantCertificate.cer. Then, click on the Upload button.

      Note: You don’t have to include the tenant CA certificate in the profile. However, if you don’t distribute the tenant CA certificate to managed devices, the SCEP certificates that your devices will generate on the basis of this tenant CA will be marked in the keychain as untrusted.
  10. Click on the Save icon in the bottom-right corner to save the configuration profile.

Configure the profile for Wi-Fi

In this section, you will edit the configuration profile and add a Wi-Fi network configuration. This will let your managed devices access the Wi-Fi network configured in Portnox™ Cloud by using certificates obtained from the Portnox SCEP server.

  1. In the top-left corner, click on the Computers icon.

  2. In the left-hand menu, click on the Configuration Profiles option.

    Jamf shows the Configuration Profiles pane on the right-hand side.

  3. Find the profile that you created earlier and click on its name.

  4. In the bottom-right corner of the right-hand side pane, click on the Edit icon.

  5. In the left-hand menu of the right-hand side pane, click on the Network option.

    Jamf shows the Configure Network pane on the right-hand side.

  6. On the right-hand side, click on the Configure button to configure network properties for the new profile:

    1. In the Network Interface field, select the Wi-Fi option.

    2. In the Service Set Identifier (SSID) field, enter the SSID of the Wi-Fi network that you configured in Portnox Cloud for your managed devices.

    3. In the Security Type field, select the WPA/WPA2 Enterprise option.

    4. In the Protocols tab of the Network Security Settings section in the right-hand side pane, in the Accepted EAP Types field, activate only the TLS checkbox.

    5. In the Trust tab of the Network Security Settings section in the right-hand side pane, in the Identity Certificate field, select the SCEP option.

    6. In the Trusted Certificates section, click on the checkboxes next to the display names of the certificates that you uploaded earlier.

    7. In the CERTIFICATE COMMON NAME section, click on the Add button and add the following name: clear-rad.portnox.com. Then, click on the Save button.

      Note: To learn more about this option, read the following topic: Trusted certificate server names.
  7. Click on the Save icon in the bottom-right corner to save the configuration profile.

Configure the profile for Ethernet

In this section, you will edit the configuration profile and add an Ethernet network configuration. This will let your managed devices access the Ethernet network configured in Portnox™ Cloud by using certificates obtained from the Portnox SCEP server.

  1. In the top-left corner, click on the Computers icon.

  2. In the left-hand menu, click on the Configuration Profiles option.

    Jamf shows the Configuration Profiles pane on the right-hand side.

  3. Find the profile that you created earlier and click on its name.

  4. In the bottom-right corner of the right-hand side pane, click on the Edit icon.

  5. In the left-hand menu of the right-hand side pane, click on the Network option.

  6. In the right-hand side pane, click on the  +  icon in the top-right corner to create another network configuration. Then, scroll down to the newly created network configuration to set the following properties:
    1. In the Network Interface field, select the Any Ethernet option.

    2. In the Protocols tab of the Network Security Settings section in the right-hand side pane, in the Accepted EAP Types field, activate only the TLS checkbox.

    3. In the Trust tab of the Network Security Settings section in the right-hand side pane, in the Identity Certificate field, select the SCEP option.

    4. In the Trusted Certificates section, click on the checkboxes next to the display names of the certificates that you uploaded earlier.

    5. In the CERTIFICATE COMMON NAME section, click on the Add button and add the following name: clear-rad.portnox.com. Then, click on the Save button.

      Note: To learn more about this option, read the following topic: Trusted certificate server names.
  7. Click on the Save icon in the bottom-right corner to save the configuration profile.

Important: If you get the following error from Jamf: The SCEP server "scep.portnox.com" rejected the request, check the SCEP password in Portnox Cloud that you configured (Settings > Services > GENERAL SETTINGS > SCEP Services > Password) and make sure it has no whitespace or any other unusual characters.