
Integrating with Jamf Pro

Integrate Zero Touch PKI with Jamf Pro to deliver certificates to Apple devices using Simple Certificate Enrollment Protocol (SCEP).

During integration, you download the root and issuing CA certificates from Zero Touch PKI and create SCEP profiles in Jamf Pro for your CAs, users, and devices. Jamf Pro requests and installs certificates from the SCEP endpoint on your Zero Touch PKI instance and authenticates through a static challenge password.

Prerequisites

  • Jamf Pro administrator credentials.
  • A Jamf Pro cloud tenant with enrolled and managed devices.
  • A Zero Touch PKI account to download your root and issuing CA certificates.
  • A static SCEP challenge password provided by CyberArk.
  • A SCEP-enabled Zero Touch PKI certificate policy configured by CyberArk.
  • SCEP service URLs from Zero Touch PKI for both devices and users, provided by CyberArk.
  • The SHA-1 fingerprint of your Zero Touch PKI SCEP registration authority (RA) certificate, provided by CyberArk.

Step 1: Download CA certificates

In Zero Touch PKI, download the root and issuing CA certificates for use in Jamf Pro profiles.

  1. Sign in to Zero Touch PKI.

  2. Click Certificate Authorities.

  3. To the right of your root and issuing CAs, in the three-dot menu, click Download PEM Chain.

  4. Securely store the downloaded certificates for use in the next step.

Step 2: Distribute the root and issuing CA certificate

In Jamf Pro, create configuration profiles to distribute the Zero Touch PKI root and issuing CAs. This establishes the trust chain that enables your devices to trust certificates issued by Zero Touch PKI. For the detailed steps, see the Jamf Pro documentation.

When adding the profile, do the following:

  1. Create CA profiles: In Configuration Profiles, create two profiles, one for the root CA and one for the issuing CA. Add the following:

    • Name: Enter Root CA Distribution or Issuing CA Distribution.
    • Payload: Select Certificate.
    • File: Upload the Zero Touch PKI root or issuing CA certificate.
  2. Scope the profile to your devices: Add the devices and users that receive certificates and save the profile. To learn more, see Scope in the Jamf Pro documentation.

Step 3: Create a device SCEP profile

In Jamf Pro, add a configuration profile that distributes device certificates with the Zero Touch PKI SCEP service. This profile defines how Jamf Pro requests certificates.

  1. Create a new configuration profile: In Configuration Profiles, create a profile for devices named Device SCEP Profile.

  2. Add a SCEP payload: Add a SCEP payload with the following options:

    • URL: Add the device SCEP URL provided by CyberArk.

    About SCEP server URLs

    An example SCEP server URL is https://ztpki.eu.venafi.com/aec7e9f0-3d01-4d81-974d-be31ea1cbc95/pkiclient.exe.

    This URL matches your instance's base domain and varies by region (in this case, eu for Europe). It also contains a unique identifier that routes the request to the correct policy ID.

  3. Add a Subject Alternative Name (SAN): Set the type to DNS and use the variable $COMPUTERNAME.

    About SAN formatting

    In the SAN field, enter only the required variable. For example, for a DNS SAN, use $COMPUTERNAME rather than CN=$COMPUTERNAME to avoid certificate provisioning errors.

  4. Set a challenge type: Set a static challenge type and add the challenge password provided by CyberArk.

  5. Choose key usage options: Set a key size to match your policy (typically 2048) and select Digital Signature & Key Encipherment.

  6. Add the SCEP RA certificate fingerprint: In Fingerprint, enter the SCEP RA certificate fingerprint provided by CyberArk.

  7. Choose retry options: Set retries to three with a delay of five seconds.

  8. Scope and save the profile: Scope the profile to your device groups and save it.

Step 4: Create a user SCEP profile

In Jamf Pro, add a configuration profile that distributes user certificates with the Zero Touch PKI SCEP service.

  1. Create a new configuration profile: In Configuration Profiles, create a profile for users named User SCEP Profile.

  2. Add a SCEP payload: Add a SCEP payload with the following options:

    • URL: Add the user SCEP URL provided by CyberArk.
    • Subject Name: Use variables such as CN=$USERNAME or CN=$UPN based on your Active Directory configuration.
  3. Add a Subject Alternative Name (SAN): Set the type to RFC822 Name and use the variables $EMAIL or $UPN.

  4. Set a challenge type: Set a static challenge type and add the challenge password provided by CyberArk.

  5. Choose key usage options: Set a key size to match your policy (typically 2048) and select Digital Signature & Key Encipherment.

  6. Add the SCEP RA certificate fingerprint: In Fingerprint, enter the SCEP RA certificate fingerprint provided by CyberArk.

  7. Choose retry options: Set retries to three with a delay of five seconds.

  8. Scope and save the profile: Scope the profile to your user groups and save it.
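As an added example (not code from the Zero Touch PKI or Jamf Pro documentation), the following Python script checks the values entered in the device and user SCEP payloads of Steps 3 and 4 against the settings listed above: an HTTPS SCEP URL with a policy identifier in the path, a bare SAN variable rather than CN=<variable>, a static challenge, the policy's key size, Digital Signature and Key Encipherment, a SHA-1 RA fingerprint, and three retries with a five-second delay. The payload dictionary layout, its key names and the sample values are assumptions made for this example; the URL pattern is derived from the single example URL in Step 3.

```python
"""Pre-flight checks for the SCEP payload values of a Jamf Pro profile.

Added example; this is not code from the Zero Touch PKI or Jamf Pro
documentation. It encodes the settings the device and user profile steps
ask for, so a payload can be reviewed before the profile is scoped.
The dictionary layout and its key names are assumptions made for this
example, not Jamf Pro's own export format, and the URL pattern is derived
from the single example URL given on the page.
"""
import re

# Policy identifier as it appears in the example SCEP URL (a UUID).
UUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
# Assumed shape of the SCEP endpoint: HTTPS, regional base domain, policy ID, pkiclient.exe.
SCEP_URL_RE = re.compile(
    r"^https://ztpki\.(?P<region>[a-z]{2})\.venafi\.com/(?P<policy>" + UUID_RE + r")/pkiclient\.exe$"
)
# SAN variables named in the steps: DNS for devices, RFC822 Name for users.
SAN_RULES = {
    "device": ("DNS", {"$COMPUTERNAME"}),
    "user": ("RFC822 Name", {"$EMAIL", "$UPN"}),
}
USER_SUBJECTS = {"CN=$USERNAME", "CN=$UPN"}
EXPECTED_KEY_USAGE = {"Digital Signature", "Key Encipherment"}


def check_scep_payload(payload: dict, profile_type: str, key_size: int = 2048) -> list[str]:
    """Return a list of findings for the payload; an empty list means it passes.

    profile_type is "device" or "user"; key_size is the size your policy requires.
    """
    if profile_type not in SAN_RULES:
        raise ValueError("profile_type must be 'device' or 'user'")
    findings = []

    url = payload.get("url", "")
    if not SCEP_URL_RE.match(url):
        findings.append(f"url: {url!r} is not an HTTPS SCEP URL of the form "
                        "https://ztpki.<region>.venafi.com/<policy-id>/pkiclient.exe")

    expected_type, allowed_vars = SAN_RULES[profile_type]
    san_type = payload.get("san_type")
    san_value = payload.get("san_value", "").strip()
    if san_type != expected_type:
        findings.append(f"san_type: expected {expected_type!r} for a {profile_type} profile, got {san_type!r}")
    if san_value.upper().startswith("CN="):
        # The SAN field takes the bare variable, not CN=<variable>.
        findings.append(f"san_value: {san_value!r} must not carry a CN= prefix; enter only the variable")
    elif san_value not in allowed_vars:
        findings.append(f"san_value: {san_value!r} is not one of {sorted(allowed_vars)}")

    if profile_type == "user" and payload.get("subject_name") not in USER_SUBJECTS:
        findings.append(f"subject_name: expected one of {sorted(USER_SUBJECTS)}")

    if payload.get("challenge_type") != "Static" or not payload.get("challenge_password"):
        findings.append("challenge: use the Static challenge type with the password provided by CyberArk")

    if payload.get("key_size") != key_size:
        findings.append(f"key_size: {payload.get('key_size')!r} does not match the policy's {key_size}")

    if set(payload.get("key_usage", [])) != EXPECTED_KEY_USAGE:
        findings.append("key_usage: select exactly Digital Signature and Key Encipherment")

    # The RA fingerprint is SHA-1: 40 hex digits, with or without colon/space separators.
    fingerprint = re.sub(r"[\s:]", "", payload.get("fingerprint", ""))
    if not re.fullmatch(r"[0-9a-fA-F]{40}", fingerprint):
        findings.append("fingerprint: expected the SHA-1 RA certificate fingerprint (40 hex digits)")

    if payload.get("retries") != 3 or payload.get("retry_delay_seconds") != 5:
        findings.append("retries: expected 3 retries with a 5-second delay")

    return findings


# Constructed sample payloads. The fingerprint and password are placeholders,
# not real values; the policy ID is the one from the page's example URL.
GOOD_DEVICE_PAYLOAD = {
    "url": "https://ztpki.eu.venafi.com/aec7e9f0-3d01-4d81-974d-be31ea1cbc95/pkiclient.exe",
    "san_type": "DNS",
    "san_value": "$COMPUTERNAME",
    "challenge_type": "Static",
    "challenge_password": "REPLACE_WITH_PASSWORD_FROM_CYBERARK",
    "key_size": 2048,
    "key_usage": ["Digital Signature", "Key Encipherment"],
    "fingerprint": "0123456789abcdef0123456789abcdef01234567",
    "retries": 3,
    "retry_delay_seconds": 5,
}

BAD_USER_PAYLOAD = {
    "url": "http://ztpki.eu.venafi.com/aec7e9f0-3d01-4d81-974d-be31ea1cbc95/pkiclient.exe",  # plain HTTP
    "subject_name": "CN=$UPN",
    "san_type": "RFC822 Name",
    "san_value": "CN=$EMAIL",  # the formatting mistake the SAN caveat warns about
    "challenge_type": "Static",
    "challenge_password": "REPLACE_WITH_PASSWORD_FROM_CYBERARK",
    "key_size": 2048,
    "key_usage": ["Digital Signature"],  # Key Encipherment missing
    "fingerprint": "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67",
    "retries": 3,
    "retry_delay_seconds": 5,
}

if __name__ == "__main__":
    for label, payload, kind in (("device", GOOD_DEVICE_PAYLOAD, "device"),
                                 ("user", BAD_USER_PAYLOAD, "user")):
        findings = check_scep_payload(payload, kind)
        print(f"{label} profile: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run against the two constructed payloads, the device profile passes and the user profile reports three findings: the plain-HTTP URL, the CN= prefix in the SAN, and the missing Key Encipherment usage. Pass key_size to match your own policy when it is not 2048.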

Step 5: Verify the integration

To test the integration, enroll a test device. Ensure the following:

  • Device and user certificates are issued and appear in the device keychain.
  • SAN fields are populated correctly.
  • Certificates are used for expected purposes such as Wi-Fi authentication.

Troubleshooting

If certificates aren't issued:

  • Check for configuration errors in the Jamf Pro profiles.
  • Confirm the static challenge password provided by CyberArk is entered correctly.
  • Ensure your devices are properly scoped and connected.
  • In the SAN fields, verify that every attribute is set as required and that the variable mappings in the SCEP payload are correct.