Creating a Signing Certificate Using Jamf Pro's Built-in CA to Use for Signing Configuration Profiles and Packages
This article explains how to create a signing certificate using Jamf Pro's built-in certificate authority (CA). You can then use that certificate to sign custom configuration profiles and packages so that they are automatically trusted when installed on managed devices. Trust is established automatically because the root CA certificate is included in the Jamf Pro MDM profile.
Creating a signing certificate generated by the Jamf Pro built-in CA provides the following benefits:
- Marks custom configuration profiles as trusted and "Verified" when end users view the profile.
- Allows uploading custom configuration profiles as read-only within Jamf Pro if needed.
- Allows custom packages to be signed with a certificate that is trusted by managed computers. This allows packages to meet trust requirements when installed by an MDM command, such as a PreStage enrollment package. For more information, see Computer PreStage Enrollments in the Jamf Pro Documentation.
Packages deployed via a Jamf Pro policy do not need to be signed.
Creating a Signing Certificate Using the Jamf Pro Built-in CA
Installing the Certificate to Use for Signing Purposes
Signing a Custom Configuration Profile with the Installed Certificate
- Method 1—Use Apple Configurator 2
Open the configuration profile in Apple Configurator 2. You can download Apple Configurator 2 from the Mac App Store.
Navigate to
Select the Jamf Pro signing certificate created previously.
Save the configuration profile.
- Method 2—Use the Command Line
Open Terminal and enter a command similar to the following:
/usr/bin/security cms -S -N "<common name of certificate>" -i <input path to unsigned profile> -o <output path for signed profile>
For example, if the certificate common name was "JamfSign", the command would be the following:
/usr/bin/security cms -S -N "JamfSign" -i ~/Desktop/Custom.mobileconfig -o ~/Desktop/Custom-signed.mobileconfig
Signing a Custom Package File with the Installed Certificate
- Method 1—Use Composer
Open Composer Preferences.
Ensure the Build flat PKGs checkbox is selected.
Select the Sign with: checkbox and choose your certificate from the pop-up menu.
Click Save.
When a new package is created with these settings, it will be signed by the certificate.
- Method 2—Use the Command Line
Open Terminal and enter a command similar to the following:
/usr/bin/productsign --sign "<common name of certificate>" <input path to unsigned package> <output path to signed package>
For example, if the certificate common name was "JamfSign", the command would be the following:
/usr/bin/productsign --sign "JamfSign" ~/Desktop/CustomPackage.pkg ~/Desktop/CustomPackage-signed.pkg
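The two command-line methods above (profile signing and package signing) can be combined into one script that also checks each signed result. This is an added example, not part of the original article or Jamf's own tooling; the function names and the script name in the usage comment are assumptions, and the signing and verification steps require macOS.

```shell
#!/bin/sh
# Added example: sign profiles/packages with the article's commands, then verify.
# Usage (script name is hypothetical): sign.sh "<common name of certificate>" file...

# Derive "<name>-signed.<ext>" beside the input, matching the article's naming.
signed_path() {
    printf '%s-signed.%s\n' "${1%.*}" "${1##*.}"
}

# Classify a file by extension; anything else is rejected (non-zero status).
artifact_kind() {
    case "$1" in
        *.mobileconfig) echo profile ;;
        *.pkg)          echo package ;;
        *)              return 1 ;;
    esac
}

# Returns 0 when signed and verified, 1 on tool failure, 2 on bad input.
sign_and_verify() {
    cn="$1"; src="$2"
    kind=$(artifact_kind "$src") || { echo "unsupported file: $src" >&2; return 2; }
    [ -f "$src" ] || { echo "missing input: $src" >&2; return 2; }
    out=$(signed_path "$src")
    case "$kind" in
        profile)
            /usr/bin/security cms -S -N "$cn" -i "$src" -o "$out" || return 1
            # Decode the CMS envelope and compare its payload to the unsigned input.
            /usr/bin/security cms -D -i "$out" | cmp -s - "$src" || return 1
            ;;
        package)
            /usr/bin/productsign --sign "$cn" "$src" "$out" || return 1
            # Prints the signing certificate chain; non-zero exit is treated as failure.
            /usr/sbin/pkgutil --check-signature "$out" || return 1
            ;;
    esac
    echo "signed and verified: $out"
}

# Only act when called with a certificate name and at least one file.
if [ "$#" -ge 2 ]; then
    cert_cn="$1"; shift
    for f in "$@"; do
        sign_and_verify "$cert_cn" "$f" || exit 1
    done
fi
```

The signed copy is written next to the original, so the unsigned input is left untouched if either the signing or the verification step fails.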
Additional Information
- For additional information about creating custom configuration profiles, see the Deploying Custom Configuration Profiles Using Jamf Pro article.
- For additional information about building custom packages, see the Composer User Guide.