Safely Configuring SSL Certificate Verification

Configuring the SSL Certificate Verification setting in Jamf Pro ensures that computers only communicate with a host server that has a valid SSL certificate. This prevents computers from communicating with an imposter server and protects against man-in-the-middle attacks. This article explains how to safely configure the SSL Certificate Verification setting.
Note:

As of Jamf Pro 9.98, the Enable SSL Certificate Verification checkbox located in the Security settings in Jamf Pro has been changed to the SSL Certificate Verification pop-up menu. For more information on how this change may impact your environment, see Change to the SSL Certificate Verification Setting in Jamf Pro 9.98 or Later.

Configuring SSL certificate verification includes the following:

  1. Ensuring the SSL certificate in Jamf Pro is valid. (On-premise instances only)
  2. Ensuring that all computers verify the certificate.
  3. Configuring SSL certificate verification.

Step 1: Ensuring the SSL Certificate in Jamf Pro is Valid (On-premise Instances Only)

To ensure the SSL certificate in Jamf Pro is valid, log in to Jamf Pro and navigate to Settings > System Settings > Apache Tomcat Settings and verify that the SSL certificate has not expired.

If the SSL certificate has expired, see the SSL Certificate section in the Jamf Pro Administrator's Guide for instructions on creating or uploading a new SSL certificate.

Step 2: Ensuring that all Computers Verify the Certificate

Before enabling the SSL Certificate Verification setting, use the Jamf Pro Certificate Validation extension attribute to collect the certificate verification status from each computer. Then, use a smart computer group to find any computers that have not verified the certificate.

  1. Create the Jamf Pro Certificate Validation extension attribute:
    1. In Jamf Pro, navigate to Settings > Computer Management > Extension Attributes and click New From Template.
    2. In the Jamf category, click the Jamf Pro Certificate Validation extension attribute.
    3. Do not modify the default settings.
    4. Click Save.
  2. Create the smart computer group:
    1. In Jamf Pro, navigate to Computers > Smart Computer Groups and click New.
    2. Click Criteria > Add > Show Advanced Criteria and choose Jamf Pro Certificate Validation.
    3. Choose is not from the Operator pop-up menu, and then type Success in the Value field.
    4. Click Add.
    5. Choose Last Inventory Update.
    6. Choose before yyyy/mm/dd from the Operator pop-up menu, and then type a date after the Jamf Pro Certificate Validation extension attribute was created in the Value field.
    7. Choose or from the And/Or column.
    8. Click Save and then click View.

    Computers that have not submitted an inventory update since the extension attribute was created return a blank certificate validation status. Including the Last Inventory Update criterion returns those computers in the smart computer group membership as well.

    Verify that the inventory of all computers has been updated after creating the extension attribute, so that the number of computers returned is accurate.

    If no computers are returned, all computers have verified the certificate and you can safely enable the certificate verification setting.

    Important:

    If computers are returned, do not enable the SSL Certificate Verification setting. Contact your Jamf account representative for assistance.
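As an added, constructed example (not the Jamf Pro Certificate Validation template itself, whose contents this article does not show), the following extension attribute script reports the same Success / Failure value that the smart group criteria above key on. It uses curl's default certificate verification against the server URL stored by the Jamf binary; the preference key jss_url is an assumption.

```shell
#!/bin/sh
# Constructed example of a Jamf-style extension attribute (EA) script. It is
# not the "Jamf Pro Certificate Validation" template that ships with Jamf Pro;
# it only follows that EA's contract: print <result>Success</result> when this
# Mac's trust store validates the Jamf Pro server certificate, otherwise
# <result>Failure: reason</result>, which the smart group criterion
# "Jamf Pro Certificate Validation is not Success" catches.

# Map a curl exit status to the EA value. The codes are curl's own (see the
# EXIT CODES section of the curl manual).
ea_result() {
    case "$1" in
        0)       echo "Success" ;;
        60)      echo "Failure: server certificate not trusted by the system CA store" ;;
        51)      echo "Failure: certificate or host name verification failed" ;;
        35)      echo "Failure: TLS handshake error" ;;
        6|7|28)  echo "Failure: server unreachable (curl exit $1)" ;;
        *)       echo "Failure: curl exit $1" ;;
    esac
}

# Fetch the URL with full certificate verification (curl's default) and
# translate the outcome. --fail is deliberately not used: an HTTP error page
# served over a trusted certificate still means trust succeeded.
check_jss_cert() {
    rc=0
    # --max-time keeps a dead host from stalling the inventory run
    curl --silent --output /dev/null --max-time 15 "$1" || rc=$?
    ea_result "$rc"
}

main() {
    # Assumption: the Jamf binary stores the server URL under jss_url in
    # /Library/Preferences/com.jamfsoftware.jamf.plist.
    jss_url="$(defaults read /Library/Preferences/com.jamfsoftware.jamf jss_url 2>/dev/null)"
    if [ -z "$jss_url" ]; then
        echo "<result>Failure: jss_url not found in Jamf preferences</result>"
        return 0
    fi
    echo "<result>$(check_jss_cert "$jss_url")</result>"
}

# Run only on a Mac where the Jamf preference domain can be read; elsewhere the
# functions stay callable for testing.
if command -v defaults >/dev/null 2>&1; then
    main
fi
```

Because the script distinguishes a trust failure (curl exit 60 or 51) from an unreachable server, the Failure text in inventory tells you whether a computer needs the CA installed or simply was not on the network when inventory ran.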

Step 3: Configuring SSL Certificate Verification

  1. In Jamf Pro, go to Settings > Computer Management > Security > Edit.
  2. Select an option from the SSL Certificate Verification pop-up menu and click Save.

Consider the following when configuring SSL Certificate Verification:

  • If you are using the self-signed certificate from Apache Tomcat that is built into Jamf Pro, you must select Always except during enrollment.

  • If you are using an SSL certificate from an internal CA or a trusted third-party vendor, select either Always or Always except during enrollment. It is recommended that you use Always if computers in your environment are configured to trust the certificate before they are enrolled.