Onboard macOS devices with certificates using Jamf and SCEP

In this topic, you will learn how to deploy Portnox™ Cloud certificates via Jamf and SCEP to manage macOS devices.

Turn on the Portnox Cloud SCEP services

In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.

If you have previously turned on the Portnox Cloud SCEP services, skip to the later step in which you get the Cloud SCEP URL and password.

Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.

Important:

This topic shows the configuration for macOS computers with macOS 12 (Monterey), but the Apple profile payloads Certificate, SCEP, and WiFi, which are used in this configuration, are compatible with the following Apple operating systems: iOS 4.0+, iPadOS 4.0+, macOS 10.7+, tvOS 9.0+, watchOS 3.2+. This means that you can use the same profiles to configure other Apple devices based on these operating systems, for example, iPhones.

In the Cloud portal top menu, click on the Settings option.
In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > SCEP Services option.
Enable integration with SCEP services.
1. Click on the Edit link.
2. Activate the Enable integration checkbox.
3. Click on the Save button.
Click on the ⧉ icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
Click on the ⧉ icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.

Download the root CA certificate

In this section, you will download the root CA certificate from Portnox™ Cloud, which is needed to create a profile.

In the Cloud portal top menu, click on the Settings option.
In the Cloud portal left-hand side menu, click on the Services > CLOUD RADIUS SERVICE > Cloud RADIUS instance option.
Click on any of the RADIUS servers listed in the right-hand pane to show its configuration.
Click on the Download root certificate link.

Result: The root CA certificate file is in the Downloads folder on the local disk.

Download the tenant CA certificate

In this section, you will download the Portnox™ Cloud tenant CA certificate from the Cloud portal.

You need the tenant CA certificate from Portnox Cloud so that your managed devices can verify the validity of individual SCEP certificates, which are signed using the tenant CA certificate.

In the Cloud portal top menu, click on the Settings option.
In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Trusted Root Certificates option.
In the Trusted Root Certificates section, click on the Download CER link, then save the downloaded file.

The default name of the file is Your_tenant_name - Portnox CLEAR.cer, for example, Vorlon - Portnox CLEAR.cer.
Optional: Rename the downloaded file to tenantCertificate.cer. This is the name used in the next part of this guide.

Optional: Hand over information from the Portnox Cloud team to the Jamf team

In this section, you will learn what information was collected in previous steps from Portnox Cloud, which is needed to configure Jamf to work with Portnox Cloud.

If different people are responsible for managing Portnox Cloud and Jamf, here is the information you need to hand over:

The URL of the Portnox Cloud SCEP server. For example, https://scep.portnox.com/b2973887-1274-45d4-91d0-4a342a861c76.
The password for the SCEP server.
The root CA certificate file in the X.509 format. For example, rootCertificate.cer.
The tenant CA certificate file in the X.509 format. For example, tenantCertificate.cer.

Create a Jamf configuration profile

In this section, you will create a configuration profile in Jamf that lets managed devices get certificates from the Portnox™ Cloud SCEP server.

Open your Jamf instance in the browser and log in.
For example, vorlon.jamfcloud.com
In the top-left corner, click on the Computers icon.
In the left-hand menu, click on the Configuration Profiles option.

Jamf shows the Configuration Profiles pane on the right-hand side.
In the top-right corner of the Configuration Profiles pane, click on the New button.

Jamf shows the New macOS Configuration Profile pane on the right-hand side.
In the General pane on the right-hand side, configure general properties for the new profile:
1. In the Name field, enter the name for this SCEP configuration profile.
  We used the name Vorlon SCEP but you can use any name you like.
2. In the Level field, select whether this profile will be applied on the Computer Level or User Level depending on whether you will be using device certificates or user certificates.
Note:
If you use user certificates, we recommend that you select User Level in this field. However, If you prefer to use user certificates with Device Level, make sure that the Email Address field is populated correctly in the device’s inventory record in Jamf (Computers > Search Inventory > Search > selected computer > User and Location > Edit > Email Address or Devices > Search Inventory > Search > selected device > User and Location > Edit > Email Address).
In the left-hand menu of the configuration profile pane, click on the SCEP option.

Jamf shows the Configure SCEP pane on the right-hand side.
On the right-hand side, click on the Configure button to configure SCEP properties for the new profile:
1. In the URL field, enter the SCEP URL that you copied earlier from Portnox Cloud.
2. In the Redistribute Profile field, change the value Never to at least a week or more.
  
  Note:
  This value specifies when (how many days before) Jamf redistributes profiles to onboarded devices if their SCEP certificates are about to expire. Distributing a profile causes the device to request a new SCEP certificate. If this setting is left at Never, once the SCEP certificate expires, the device will lose the connection to the network and you will have to manually redistribute its profile to request a new SCEP certificate.
3. In the Subject field, enter a string to use to generate the Subject field in the user/device certificates.
  The string can contain Jamf variables. The following are recommendations, but you should select the correct variables depending on your environment, the way you want to use AgentP, and repository:
  - For macOS user certificates, we recommend that you use: CN=$EMAIL,ST=$PROFILE_IDENTIFIER
  - For device certificates (macOS and iOS), we recommend that you use: CN=$DEVICENAME,ST=$PROFILE_IDENTIFIER
  Note:
  The $PROFILE_IDENTIFIER variable is required by Jamf to automatically renew certificates. If it is not specified, Jamf will silently append it to the existing CN string, which may cause this string to be truncated, and the certificate will then not be renewed.
  
  These variables are processed by Jamf and replaced by the user’s email address ($EMAIL) or Jamf device name ($DEVICENAME). Portnox Cloud then uses the values from the certificate fields to create or align with an account in Cloud.
  
  If you use an incorrect variable for user certificate, Cloud will not be able to align this information with information from the authentication repository, and it will create a new Portnox account instead of aligning it with an accounts from the authentication repository.
  
  If you use device certificates, Jamf will not able to create LDAP accounts, only Portnox accounts for devices. As such, the Subject value should simply contain a human-readable device name, so that it is easy to read on the Devices screen.
  
  For more information about Jamf variables, see Payload Variables for Mobile Device Configuration Profiles in the Jamf Pro Administrator’s Guide.
  
  Important:
  If you use variables, make sure that the variable value is available. For example, if you use the $USERNAME variable, make sure that there is a valid user account on the device that is also known to Jamf. If not, the device may report the following error: Unable to obtain certificate from SCEP server. Such errors are known to happen for example when devices are recycled (previously assigned to users that are no longer with the company).
4. In the Subject Alternative Name Type field, select the Uniform Resource Identifier option. In the Subject Alternative Name Value, enter https://jamfdeviceid/$UDID if you manage macOS devices or https://jamfmobiledeviceid/$UDID if you manage iOS devices, and in the NT Principal Name field, enter $EMAIL for user-based accounts or leave the field empty for device-based accounts.
  
  Note:
  By default, Portnox Cloud checks for user identity information in the SAN UPN field (NT Principal Name field in macOS). To understand how Portnox Cloud matches the identity in the certificates with the authentication repository, read the following section: Certificate identity information.
5. In the Challenge Type field, select Static, and in the Challenge and Verify Challenge fields, paste the password that you copied earlier from Portnox Cloud.
6. In the Key Size field, select the key size that you want to use.
  
  In this example, we used the value 2048 but you can use 1024 or 4096. Note that while higher values provide more security, values other than 1024 may cause certificate fragmentation problems in some network topologies. If such problems occur, see the following topic: Certificate fragmentation issues.
7. Activate the Use as digital signature and Use for key encipherment checkboxes.
8. Activate the Allow all apps access checkbox.
  
  Note:
  This setting allows for unattended onboarding. If you do not activate this option, macOS will show a window asking for the administrator’s user name and password during onboarding.
9. Click on the Upload Certificate button, then on the Choose File button, and select the tenant CA certificate file you saved earlier, then click on the Upload button.
In the left-hand menu of the configuration profile pane, click on the Certificate option.

Jamf shows the Configure Certificate pane on the right-hand side.
On the right-hand side, click on the Configure button to configure certificate properties for the new profile:
1. In the Certificate Name field, enter a display name for the root CA certificate.
  
  We used the name Root CA but you can use any name you like.
2. In the Select Certificate Option field, select Upload.
3. Click on the Upload Certificate button. Then, in the Certificate pop-up, click on the Choose File button, and select the root CA certificate file that you downloaded earlier, for example, rootCertificate.cer. Then, click on the Upload button.
4. Click on the + button in the top-right corner of the Certificate pane to add another certificate payload. Then, scroll down the Certificate pane to see the added section.
5. In the Certificate Name field, enter a display name for the tenant CA certificate.
  
  We used the name Tenant CA but you can use any name you like.
6. In the Select Certificate Option field, select Upload.
7. Click on the Upload Certificate button. Then, in the Certificate pop-up, click on the Choose File button, and select the tenant CA certificate file you saved earlier, for example, tenantCertificate.cer. Then, click on the Upload button.
  
  Note:
  You don’t have to include the tenant CA certificate in the profile. However, if you don’t distribute the tenant CA certificate to managed devices, the SCEP certificates that your devices will generate on the basis of this tenant CA will be marked in the key chain as untrusted.
Click on the Save icon in the bottom-right corner to save the configuration profile.

Configure the profile for Wi-Fi

In this section, you will edit the configuration profile and add a Wi-Fi network configuration. This will let your managed devices access the Wi-Fi network configured in Portnox™ Cloud by using certificates obtained from the Portnox SCEP server.

In the top-left corner, click on the Computers icon.
In the left-hand menu, click on the Configuration Profiles option.

Jamf shows the Configuration Profiles pane on the right-hand side.
Find the profile that you created earlier and click on its name.
In the bottom-right corner of the right-hand side pane, click on the Edit icon.
In the left-hand menu of the right-hand side pane, click on the Network option.

Jamf shows the Configure Network pane on the right-hand side.
On the right-hand side, click on the Configure button to configure network properties for the new profile:
1. In the Network Interface field, select the Wi-Fi option.
2. In the Service Set Identifier (SSID) field, enter the SSID of the Wi-Fi network that you configured in Portnox Cloud for your managed devices.
3. Activate the Disable MAC Address Randomization checkbox.
  
  Important:
  If you do not turn off MAC address randomization, and the supplicant certificates are not issued by Portnox SCEP, and the certificate’s SAN field does not include a Jamf or Intune device ID, Portnox Cloud assigns a new license to the device each time it connects with a different MAC address. This can significantly increase your licensing costs. Even if you use Portnox SCEP and this issue does not apply, we still recommend turning MAC address randomization off for safety.
4. In the Security Type field, select the WPA/WPA2 Enterprise option.
5. In the Protocols tab of the Network Security Settings section in the right-hand side pane, in the Accepted EAP Types field, activate only the TLS checkbox.
6. In the Trust tab of the Network Security Settings section in the right-hand side pane, in the Identity Certificate field, select the SCEP option.
7. In the Trusted Certificates section, click on the checkboxes next to the display names of the certificates that you uploaded earlier.
8. In the CERTIFICATE COMMON NAME section, click on the Add button and add the following name: clear-rad.portnox.com. Then, click on the Save button.
  
  Note:
  To learn more about this option, read the following topic: Trusted certificate server names.
Click on the Save icon in the bottom-right corner to save the configuration profile.

Configure the profile for Ethernet

In this section, you will edit the configuration profile and add an Ethernet network configuration. This will let your managed devices access the Ethernet network configured in Portnox™ Cloud by using certificates obtained from the Portnox SCEP server.

In the top-left corner, click on the Computers icon.
In the left-hand menu, click on the Configuration Profiles option.

Jamf shows the Configuration Profiles pane on the right-hand side.
Find the profile that you created earlier and click on its name.
In the bottom-right corner of the right-hand side pane, click on the Edit icon.
In the left-hand menu of the right-hand side pane, click on the Network option.
In the right-hand side pane, click on the + icon in the top-right corner to create another network configuration. Then, scroll down to the newly created network configuration to set the following properties:
1. In the Network Interface field, select the Any Ethernet option.
2. In the Protocols tab of the Network Security Settings section in the right-hand side pane, in the Accepted EAP Types field, activate only the TLS checkbox.
3. In the Trust tab of the Network Security Settings section in the right-hand side pane, in the Identity Certificate field, select the SCEP option.
4. In the Trusted Certificates section, click on the checkboxes next to the display names of the certificates that you uploaded earlier.
5. In the CERTIFICATE COMMON NAME section, click on the Add button and add the following name: clear-rad.portnox.com. Then, click on the Save button.
  
  Note:
  To learn more about this option, read the following topic: Trusted certificate server names.
Click on the Save icon in the bottom-right corner to save the configuration profile.

Important:

If you get the following error from Jamf: The SCEP server "scep.portnox.com" rejected the request, check the SCEP password in Portnox Cloud that you configured (Settings > Services > GENERAL SETTINGS > SCEP Services > Password) and make sure it has no white spaces or any other unusual characters.