Configuring Certificates for the Jamf SCCM Plug-in 3.40 or Later Using an Enterprise Certificate Authority

This article explains how to create and configure a certificate using an enterprise certificate authority for the Jamf SCCM plug-in 3.40 or later.

One or more certificates must be configured before you install the Jamf SCCM Proxy 3.40 or later. The following table shows the required certificates and the servers on which they must exist:

Certificate | Jamf SCCM Proxy Service Server | SCCM Server
ISV Proxy Certificate | ✔ (Requires private key) |
CA Certificate Chain | |

Creating an ISV proxy certificate using an enterprise CA involves the following steps:

  1. Creating a certificate template

  2. Creating an ISV proxy certificate from the template

  3. Copying the ISV proxy certificate to the SCCM server

  4. Registering the ISV proxy certificate with SCCM

General Requirements

Configuring certificates for the Jamf SCCM plug-in using an enterprise CA involves creating an ISV proxy certificate.

To do this, you need:

  • A PKI with a third-party CA (This cannot be the CA that is built into Jamf Pro.)

  • A PKI certificate with a SHA-2 signature algorithm

  • A Windows computer with the Certification Authority snap-in

  • Console access to the SCCM server

  • Administrative rights to the SCCM Console

Step 1: Creating a Certificate Template

Requirements

To issue a SHA-256 certificate from your enterprise CA, your CA must be running Windows Server 2008 or higher and must use SHA-256 as its default hash algorithm (SHA-256 must be the default hash algorithm of any certificate issued from your Root or Subordinate CA). Your CA must also be using the Cryptographic Next Generation (CNG) provider, not the Cryptographic Storage Provider (CSP).

  1. On a Windows computer with the Certification Authority snap-in, open the Certification Authority.
  2. Expand the certificate authority in the sidebar.
  3. Right-click the Certificate Templates folder and select Manage.
  4. In the Template Manager window, right-click the Workstation template and select Duplicate Template.
  5. On the Compatibility tab in the dialog that appears, select the Windows Server 2003 or Windows Server 2008 option, and click OK.
  6. On the Cryptography tab, select the provider category of Legacy Cryptographic Storage Provider.
    Note: Verify that the minimum key size is 2048 and that requests are made by the following provider: Microsoft Enhanced RSA and AES Cryptographic Provider.

  7. On the General tab, enter a display name for the template, and select the Publish certificate in Active Directory checkbox.
  8. Click the Subject Name tab and choose Common name from the Subject name format pop-up menu.
  9. Click the Security tab and ensure that the user that you plan to use to create the ISV proxy certificate has read and enroll permissions. Then click OK.
  10. Close the Template Manager window.
  11. In the Certification Authority tool, right-click the Certificate Templates folder in the sidebar and select New > Certificate Template to Issue.
  12. Choose the template you just created and click OK.

Step 2: Creating an ISV Proxy Certificate from the Template

  1. On the Windows computer on which you plan to install the Jamf SCCM Proxy Service, open Microsoft Management Console (MMC).
  2. From the menu bar, choose File > Add/Remove Snap-in.
  3. Select Certificates in the list of snap-ins and click the Add button.
  4. Select the Computer account option and click Next.
  5. Select the Local computer (the computer this console is running on) option.
  6. Click Finish and click OK. The certificate is displayed below the Console Root folder in the sidebar.
  7. Expand the Certificates (Local Computer) heading.
  8. Right-click the Personal folder under the Certificates (Local Computer) heading, and select All Tasks > Request New Certificate.
  9. Follow the onscreen instructions and select the checkbox next to the template you just created. Then click Enroll.
    Note: If the template is not listed, verify that the user you are using to create the ISV proxy certificate has read and enroll permissions.

    The newly created certificate is displayed in the list of certificates.

  10. Right-click the newly created certificate and select Properties.
  11. Enter a friendly name for the certificate and click OK. It is recommended that you use "Jamf SCCM Proxy Certificate" for the friendly name.
  12. Click OK again.
  13. Right-click the certificate and select All Tasks > Export.
  14. Follow the onscreen instructions to export the certificate as a DER-encoded .cer file.
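
Before copying the .cer file anywhere, the enrolled certificate can be checked against the requirements stated above (SHA-2 signature, 2048-bit minimum key, the provider named in Step 1, private key present on the proxy server). The following script is an added example, not part of the Jamf article: it assumes the recommended friendly name was used, Windows PowerShell 5.1 in an elevated session, and a placeholder export path.

```powershell
# Added example: checks the enrolled ISV proxy certificate against this article's requirements.
# Assumptions: the friendly name recommended in Step 2 was used; $ExportedCer is a placeholder path.
param(
    [string]$FriendlyName = 'Jamf SCCM Proxy Certificate',
    [string]$ExportedCer  = 'C:\Temp\JamfSccmProxy.cer'
)

$expectedProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate named '$FriendlyName' in LocalMachine\My, found $($certs.Count)."
}
$cert = $certs[0]

# A legacy CSP key surfaces as RSACryptoServiceProvider; a CNG key does not, so $provider stays $null.
$provider = $null
try {
    $key = $cert.PrivateKey
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $provider = $key.CspKeyContainerInfo.ProviderName
    }
} catch { }

# The public key size is read without touching the private key.
$rsaPublic = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

# The exported DER file must be the same certificate that holds the private key in the store.
$exportMatches = $false
if (Test-Path -LiteralPath $ExportedCer) {
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ExportedCer
    $exportMatches = ($exported.Thumbprint -eq $cert.Thumbprint)
}

$now = Get-Date
$checks = [ordered]@{
    'Private key present on this server' = $cert.HasPrivateKey
    'SHA-2 signature algorithm'          = $cert.SignatureAlgorithm.FriendlyName -match '^sha(256|384|512)'
    'Key size at least 2048 bits'        = ($null -ne $rsaPublic) -and ($rsaPublic.KeySize -ge 2048)
    'Key held by expected provider'      = $provider -eq $expectedProvider
    'Within validity period'             = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    'Exported .cer matches store cert'   = $exportMatches
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-38} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) { exit 1 }
```

A FAIL on the provider line usually means the template was left on a CNG key storage provider instead of the legacy provider selected in Step 1.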

Step 3: Copying the ISV Proxy Certificate to the SCCM Server

If you created the ISV proxy certificate on a server other than the SCCM server, copy the ISV proxy certificate (.cer) to the SCCM server. You can skip this step if you created the ISV proxy certificate on the SCCM server.

Step 4: Registering the ISV Proxy Certificate with SCCM

  1. On the SCCM server, open SCCM and click the Administration category in the sidebar.
  2. Expand the Security folder.
  3. Right-click the Certificates heading and select Register or Renew ISV Proxy.
  4. In the Register or Renew ISV Proxy dialog, select the Register certificate for a new ISV proxy option and browse for the ISV proxy certificate (.cer).
  5. Click OK to close the Register or Renew ISV Proxy dialog.
  6. Take note of the certificate GUID for the ISV proxy certificate. You will need to enter this when you install the Jamf SCCM Proxy Service.
    Note: If the Certificate GUID column is not displayed, right-click the column header and select Certificate GUID.