Set Up Security Components

Before enrolling mobile devices, use the JAMF Software Server (JSS) to set up the security components that are required for managing mobile devices:

  • Public key infrastructure (PKI)

  • SSL certificate

  • Push certificate


Public Key Infrastructure

To ensure secure communication with the Apple Push Notification service (APNs), the JSS requires a public key infrastructure (PKI) that supports certificate-based authentication. The PKI must include the following components:

  • A certificate authority (CA) that supports Simple Certificate Enrollment Protocol (SCEP)

  • A signing certificate

  • A CA certificate

The JSS includes a preconfigured PKI that uses a built-in CA with support for SCEP. There is no configuration necessary to use the built-in CA—the signing and CA certificates are created and stored for you. The built-in CA is used by default to issue certificates to both computers and mobile devices.

You can also configure your own PKI if you have access to an external CA that supports SCEP. The external CA can be a CA hosted by your organization or by a trusted third-party vendor. If you integrate an external CA with the JSS, this CA will be used to issue certificates to mobile devices.

For instructions on integrating with an external CA, see the Public Key Infrastructure section in the Casper Suite Administrator’s Guide.

SSL Certificate

The JSS requires a valid SSL certificate to ensure that mobile devices communicate with the JSS and not an imposter server.

For instructions on creating or uploading an SSL certificate, see the SSL Certificate section in the Casper Suite Administrator’s Guide.

Push Certificate

The JSS requires a valid push certificate to communicate with the Apple Push Notification service (APNs). This communication is required to enroll and manage mobile devices.

An assistant in the JSS guides you through the following steps to create a new push certificate (.pem) and upload it to the JSS:

  1. Obtain a signed certificate request (CSR) from JAMF Nation.

  2. Create the push certificate in Apple’s Push Certificates Portal by logging in to the portal, uploading the signed CSR obtained from JAMF Nation, and downloading the resulting push certificate.

  3. Upload the push certificate to the JSS.


To create a push certificate, you need:

  • A valid JAMF Nation account
    To create a JAMF Nation account, go to:

  • A valid Apple ID (A corporate Apple ID is recommended.)

  • If you are renewing a push certificate that was originally obtained from Apple’s iOS Developer Program (iDEP), you must use the Apple ID for the iDEP Agent account used to obtain the certificate.

Creating a Push Certificate

  1. Log in to the JSS with a web browser.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.
    On a smartphone or iPod touch, this option is in the pop-up menu.

  4. Click Push Certificates.

  5. Click New and do one of the following:

    • If the server hosting the JSS has an outbound connection, select Download signed CSR from JAMF Nation.
      The JSS connects to JAMF Nation over port 443 and obtains the signed CSR.

    • If the server hosting the JSS does not have an outbound connection, select Download CSR and sign later using JAMF Nation.

  6. Follow the onscreen instructions to create and upload the push certificate (.pem).

Copyright JAMF Software, LLC 2016