Overview
The Jamf AD CS Connector allows you to add Active Directory Certificate Services (AD CS) as a PKI Provider in Jamf Pro. AD CS can then be used as a certificate authority (CA) for issuing certificates to computers and mobile devices via configuration profiles.
The connector is a TLS (SSL)-secured web application, hosted on Microsoft's IIS web server, that receives certificate requests from Jamf Pro. When a request arrives, the connector translates the web request into Microsoft's native DCOM protocol, submits it to your AD CS server, and returns the request ID that AD CS assigns. Jamf Pro later sends that request ID back through the Jamf AD CS Connector to ask AD CS whether the certificate has been issued. Once it is ready, the certificate is returned to Jamf Pro, which re-packages it for distribution to the managed device. Devices never connect to the connector directly, so firewall rules can restrict access to the connector to the Jamf Pro hosts alone; Jamf Pro is the only party that holds the client certificate needed to authenticate to the service.
The process is similar to the one used by Microsoft's NDES (SCEP) Server role in that both services put a secure web front end in front of AD CS. The main differences are that the Jamf AD CS Connector authenticates connections with a client certificate rather than a challenge password, and that it supports multiple certificate templates, whereas an NDES server is bound to a single AD CS certificate template.
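The two properties the overview relies on (only Jamf Pro holds the client certificate, and firewall rules can limit who reaches the connector) are easy to state and easy to leave unverified on the server itself. The following PowerShell script is an added example, not code from Jamf or part of the connector: it checks the connector's IIS site for the client-certificate requirement and scopes inbound TCP/443 to the Jamf Pro hosts. The site name 'Jamf AD CS Connector', the addresses 203.0.113.10 and 203.0.113.11, and the firewall rule name are assumptions to replace with your own values; if a reverse proxy sits in front of the connector, the proxy's address is the one to allow.

```powershell
<#
  Added example, not part of the Jamf documentation or the connector itself.
  Verifies two properties on the Windows server that hosts the Jamf AD CS
  Connector:
    1. the connector's IIS site requires a client certificate on every TLS
       connection (sslFlags contains SslRequireCert), and
    2. inbound TCP/443 is reachable only from the Jamf Pro hosts.
  Assumptions (change to match your environment): the IIS site is named
  'Jamf AD CS Connector', it listens on TCP/443, and Jamf Pro connects from
  203.0.113.10 and 203.0.113.11 (RFC 5737 documentation addresses). If a
  reverse proxy fronts the connector, list the proxy's address instead.
  Run in an elevated PowerShell session; without -Enforce it only reports.
#>
param(
    [string]   $SiteName   = 'Jamf AD CS Connector',
    [string[]] $JamfProIPs = @('203.0.113.10', '203.0.113.11'),
    [switch]   $Enforce
)

Import-Module WebAdministration   # IIS: drive and *-WebConfigurationProperty
Import-Module NetSecurity         # *-NetFirewallRule

# --- 1. Client-certificate requirement on the connector site ----------------
$accessFilter = 'system.webServer/security/access'
$sitePath     = "IIS:\Sites\$SiteName"
[string]$sslFlags = Get-WebConfigurationProperty -PSPath $sitePath -Filter $accessFilter -Name sslFlags

$requiresClientCert = $sslFlags -match 'SslRequireCert'
Write-Host "sslFlags on '$SiteName': $sslFlags"
if (-not $requiresClientCert) {
    Write-Warning 'Site does not require a client certificate: any host that reaches 443 can submit requests.'
    if ($Enforce) {
        # Ssl = HTTPS only; SslNegotiateCert = ask for a certificate;
        # SslRequireCert = reject connections that do not present one.
        Set-WebConfigurationProperty -PSPath $sitePath -Filter $accessFilter -Name sslFlags `
            -Value 'Ssl,SslNegotiateCert,SslRequireCert'
        $requiresClientCert = $true
    }
}

# --- 2. Firewall scope: only Jamf Pro may reach TCP/443 ----------------------
# Windows Firewall allow rules are additive, so a broad rule such as the default
# "World Wide Web Services (HTTPS Traffic-In)" would undo a narrowly scoped one.
$broadRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $port.Protocol -eq 'TCP' -and
    ($port.LocalPort -eq 'Any' -or $port.LocalPort -contains '443') -and
    $addr.RemoteAddress -eq 'Any'
}
foreach ($rule in $broadRules) {
    Write-Warning "Rule '$($rule.DisplayName)' allows TCP/443 from any address."
    if ($Enforce) { $rule | Disable-NetFirewallRule }
}

$scopedName = 'Jamf AD CS Connector (Jamf Pro hosts only)'   # assumed rule name
$scoped = Get-NetFirewallRule -DisplayName $scopedName -ErrorAction SilentlyContinue
if (-not $scoped -and $Enforce) {
    $scoped = New-NetFirewallRule -DisplayName $scopedName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 443 -RemoteAddress $JamfProIPs -Profile Any
}

# Summary object: all three should read True / 0 / True on a correctly locked-down host.
[pscustomobject]@{
    Site               = $SiteName
    RequiresClientCert = $requiresClientCert
    BroadAllowRules    = @($broadRules).Count
    ScopedRulePresent  = [bool]$scoped
}
```

The script deliberately leaves the DCOM leg alone: that traffic is outbound from the connector to the CA, and restricting it is a matter for the CA's own firewall and the RPC port range, not the connector's inbound rules. Note also that the client-certificate check only confirms IIS demands a certificate; which certificates IIS trusts is governed by the server's trusted root store and the connector's own configuration, so pair this check with a review of that store.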
- Installing the Jamf AD CS Connector
  The Jamf AD CS Connector runs as a service on a Windows server and allows Jamf Pro to communicate with the AD CS certificate authority server.
- Adding the Jamf AD CS Connector as a PKI Provider in Jamf Pro
  This involves configuring settings in Jamf Pro to define the location of the connector and the AD CS servers, and adding the client and server certificates that authenticate Jamf Pro and the connector to each other.
- Configuration Profiles
  Jamf Pro allows you to distribute certificates via configuration profiles using AD CS as the CA.
- In-house Apps
  You can distribute in-house apps, developed with the Jamf Certificate SDK, to establish identities that support certificate-based authentication, for example Single Sign-On (SSO) or other actions specific to your environment. Jamf Pro allows you to apply a Managed App Configuration to the app during distribution so that the app can request the necessary certificates.
AD CS Communication Overview
Jamf Pro uses the Jamf AD CS Connector to communicate with AD CS to obtain certificates. The following diagrams illustrate some common implementations of the Jamf AD CS Connector.
Jamf Cloud with Jamf AD CS Connector in the DMZ
The following diagram illustrates how communication flows between Jamf Pro and AD CS if the Jamf AD CS Connector is hosted in the DMZ. Jamf Pro authenticates to the Jamf AD CS Connector server with a client certificate, and the connector then contacts the Microsoft CA over DCOM to request the certificate.
Jamf Cloud with a DMZ Reverse Proxy Layer
The following diagram illustrates how communication flows between Jamf Pro and AD CS if you are using a reverse proxy or load balancer with the AD CS Connector. A reverse proxy may be used in the DMZ to reduce the number of ports that must be opened from the DMZ to the internal network, or when the network environment does not allow DMZ-hosted servers to be joined to AD. The port reduction comes from moving the connector inside: the DCOM leg between the connector and the CA needs the RPC endpoint mapper (TCP 135) plus a dynamic RPC port range, whereas the proxy-to-connector leg needs only the HTTPS port.
On-premise Jamf Pro Server in the DMZ
The following diagram illustrates how communication flows between Jamf Pro and AD CS using the Jamf AD CS Connector if the Jamf Pro server is hosted in the DMZ.
Devices on the internal network must be able to communicate with Jamf Pro in order to receive a certificate.
In a clustered environment, each node must be able to communicate with the Jamf AD CS Connector.