Certificate-Based Authentication for Mac Computers

This article explains how Jamf Pro uses certificate-based authentication to verify that device certificates on Mac computers are valid.

As of v8.3, Jamf Pro allows you to enable certificate-based authentication (formerly called "certificate-based communication") for Mac computers. This is an important security feature that allows Jamf Pro to verify that device certificates on Mac computers are valid.

As of v8.4, a device certificate is installed on a computer when it is enrolled with Jamf Pro. (In v8.3, a device certificate is only installed on a computer when certificate-based authentication is enabled.) Jamf Pro tells the jamf binary that the computer needs a certificate, and the jamf binary creates a local keychain for the client using the API that is built into macOS. The new keychain is responsible for generating an RSA key pair, and the jamf binary sends the public key to Jamf Pro. Jamf Pro uses the public key to generate a device certificate, which it sends back to the computer. The computer stores its device certificate in its keychain, and Jamf Pro also stores a copy of the device certificate.

For all subsequent communication with Jamf Pro, the computer uses the private key in its keychain to sign the data it sends. The signature is transmitted in an HTTP header. When certificate-based authentication is enabled, Jamf Pro reads the signature and verifies it against the data it accompanies. If the computer fails to properly sign its messages, it is unable to communicate with Jamf Pro. This may occur if the computer's keychain is removed or if the computer tries to use a keychain that was not created for it.
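The exchange described above, modelled end to end as an added example; this is not Jamf's code and does not reflect how the jamf binary or Jamf Pro are implemented. It assumes a self-signed stand-in CA on the server side, a constructed device identifier ("mac-0001") standing in for whatever Jamf Pro uses to look up a computer's stored certificate, SHA-256 with PKCS#1 v1.5 as the signature scheme (the article does not name one), and that the signed data is the request body. The client side generates the key pair and never sends the private key; the server side issues the device certificate from the public key, keeps its own copy, and later checks each request's header signature against the attached data with the key in that stored copy.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Server stands in for Jamf Pro: it holds the signing CA and its stored copy of every issued device certificate.
type Server struct {
	caCert  *x509.Certificate
	caKey   *rsa.PrivateKey
	devices map[string]*x509.Certificate // keyed by a constructed device identifier
}

// issue signs tmpl with priv (the parent's key) and parses the DER result back into a certificate.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewServer creates a self-signed CA: a constructed stand-in, not Jamf's own CA.
func NewServer() (*Server, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example MDM CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, err := issue(tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Server{caCert: caCert, caKey: caKey, devices: map[string]*x509.Certificate{}}, nil
}

// NewDeviceKey models the client keychain generating the device's RSA key pair; the private key never leaves it.
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Enroll: the client sends only its public key; the server issues a device certificate for it and keeps a copy.
func (s *Server) Enroll(deviceID string, devicePub *rsa.PublicKey) error {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, s.caCert, devicePub, s.caKey)
	if err == nil {
		s.devices[deviceID] = cert
	}
	return err
}

// SignBody is the client side of each later request: sign the body with the keychain's private key and return the header value.
func SignBody(devicePriv *rsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, devicePriv, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify is the server side: the header signature must verify, under the stored certificate's key, against the attached data.
func (s *Server) Verify(deviceID string, body []byte, sigHeader string) error {
	cert, ok := s.devices[deviceID]
	if !ok {
		return fmt.Errorf("no device certificate on record for %q", deviceID)
	}
	sig, err := base64.StdEncoding.DecodeString(sigHeader)
	if err == nil {
		digest := sha256.Sum256(body)
		err = rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
	}
	if err != nil {
		return fmt.Errorf("signature does not match the attached data, request rejected: %w", err)
	}
	return nil
}

func main() {
	srv, _ := NewServer()
	devKey, _ := NewDeviceKey()
	_ = srv.Enroll("mac-0001", &devKey.PublicKey) // "mac-0001" is a constructed device identifier
	sig, _ := SignBody(devKey, []byte(`{"event":"checkin"}`))
	fmt.Println(srv.Verify("mac-0001", []byte(`{"event":"checkin"}`), sig)) // <nil>: request accepted
}
```

Running it shows the two failure modes the article names: a computer whose keychain is gone has no private key and cannot produce a header at all, and a computer signing with a keychain that was created for a different device produces a signature that does not verify under the certificate on record, so the request is rejected. A tampered body with an otherwise valid signature is rejected the same way.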

Enabling Certificate-Based Authentication for Mac Computers

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click Computer Management.
  4. In the "Computer Management–Management Framework" section, click Security.
  5. Click Edit.
  6. Select the Enable certificate-based communication checkbox.
  7. Click Save.