Install the Jamf AD CS Connector

Before you can integrate Jamf Pro with Active Directory Certificate Service (AD CS), you must install the Jamf AD CS Connector. This service securely transfers all communication between Jamf Pro and AD CS.

When you install the Jamf AD CS Connector, the installer automatically does the following:

  • Installs and configures the applications needed to run the Jamf AD CS Connector. For more information, see Installed Applications.

  • Installs the Jamf AD CS Connector.

  • Generates the certificates required to secure communication with Jamf Pro. For more information, see Jamf AD CS Connector Certificates.

Installed Applications

When you install the Jamf AD CS Connector, Microsoft Internet Information Services (IIS) for Windows Server is automatically installed. Microsoft IIS is the web application server that runs the Jamf AD CS Connector. A directory named AD CS Proxy is installed in the following location:
C:\inetpub\wwwroot\adcsproxy

For more information about IIS, see the following website:
https://www.iis.net

In addition, the following are automatically configured when you install the Jamf AD CS Connector:

  • IIS Client Certificate Mapping Authentication—IIS is automatically configured so that communication between Jamf Pro and the Jamf AD CS Connector is authenticated using IIS Client Certificate Mapping Authentication.
    For more information about IIS Client Certificate Mapping Authentication, see the Microsoft Configuration Reference Documentation.

  • ASP.NET—This provides the application framework for the Jamf AD CS Connector and is integrated with the instance of the IIS web application.

Jamf AD CS Connector Certificates

When you install the Jamf AD CS Connector, the following certificates are automatically generated:

Server certificate (.pem or .cer)

This certificate ensures trust between Jamf Pro and the Jamf AD CS Connector. It is a self-signed SSL certificate generated when the Jamf AD CS Connector is installed and allows IIS to validate client certificates.

The server certificate is exported to the current working directory with the following filename:
adcs-proxy-ca.cer

Note: The server certificate is required when configuring Jamf Pro to communicate with the Jamf AD CS Connector.

Client certificate (.pfx or .p12)

This certificate allows Jamf Pro to authenticate with the Jamf AD CS Connector. The client certificate is generated when the Jamf AD CS Connector is installed and is signed by the server certificate. It is exported in PFX format using a randomly generated password that is output to the shell during the Jamf AD CS Connector installation.

Note: The client certificate and randomly generated password are required when configuring Jamf Pro to communicate with the Jamf AD CS Connector.

Both certificates are required when configuring Jamf Pro to communicate with the AD CS Proxy Service.

Requirements

The Jamf AD CS Connector requires a server with the following:

  • Windows Server 2016 joined to a domain that has a trust relationship with the domain of the certificate authority
    For more information about joining the server to a domain that has a trust relationship with the domain of the certificate authority, see the following Microsoft documentation:
    Joining Server Computers to the Domain and Logging On

  • .NET Framework 4.5 or later
    For more information about .NET Framework, see the following website:
    https://www.microsoft.com/net

Network Communication

The Jamf AD CS Connector requires the following TCP ports and protocols:

  • HTTPS—Jamf Pro initiates HTTPS connections with the Jamf AD CS Connector, typically on TCP port 443. The HTTPS port needs to be opened, inbound, on your network firewall and also on the Windows Firewall running on the server on which the Jamf AD CS Connector is installed.

In addition, since the Jamf AD CS Connector host must be bound to the domain, the ports required by Microsoft to support binding should be open between the Jamf AD CS Connector host and AD domain controller.

For more information, see the Network Ports Used by Jamf Pro knowledge base article.

Installing the Jamf AD CS Connector

  1. Log in to Jamf Nation and go to the following page:
    https://www.jamf.com/jamf-nation/my/products

  2. Download the Jamf AD CS Connector to the server on which you plan to install it.

  3. Log in to the server as a user with administrator privileges.

  4. Double-click the Jamf AD CS Connector to decompress it.

  5. Open PowerShell as administrator, and then run the installer by executing a command similar to the following:

    .\deploy.ps1 -fqdn my.adcs-proxy.url -jamfProDn my.domain.name -cleanInstall

    This command installs the Jamf AD CS Connector and generates the server and client certificates.

When the Jamf AD CS Connector installation is complete, you can configure settings in Jamf Pro to enable communication between Jamf Pro and the Jamf AD CS Connector.
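Before configuring Jamf Pro, it is worth confirming on the connector host that the installer produced what the sections above describe: a self-signed server certificate, a client certificate signed by it that opens with the password printed during installation, IIS Client Certificate Mapping Authentication enabled, and a listener on the HTTPS port. The following script is an added verification example and is not part of the Jamf installer or its documentation. It assumes the exported server certificate is adcs-proxy-ca.cer in the current directory (as stated above), while the client PFX filename and the IIS location of the connector ('Default Web Site/adcsproxy') are placeholders, since the page names only the folder C:\inetpub\wwwroot\adcsproxy; it also assumes the IIS WebAdministration module is available.

```powershell
# Post-install checks for the Jamf AD CS Connector host.
# Added example, not part of Jamf's deploy.ps1. Run in an elevated PowerShell
# session on the server where the installer was executed.
param(
    # Filename given by the documentation for the exported server (CA) certificate.
    [string]$ServerCertPath = '.\adcs-proxy-ca.cer',
    # ASSUMPTION: the documentation does not name the client PFX; substitute yours.
    [string]$ClientPfxPath = '.\client-certificate-placeholder.pfx',
    # The randomly generated password that deploy.ps1 printed to the shell.
    [Parameter(Mandatory = $true)][string]$ClientPfxPassword,
    # ASSUMPTION: IIS site/application hosting the connector; only the folder
    # C:\inetpub\wwwroot\adcsproxy is documented, not the IIS location name.
    [string]$IisLocation = 'Default Web Site/adcsproxy',
    # Port Jamf Pro connects to over HTTPS (typically 443).
    [int]$HttpsPort = 443
)

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. Server certificate: documented as self-signed; also confirm it is currently valid.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ServerCertPath
Add-Check 'Server cert is self-signed' ($server.Subject -eq $server.Issuer) $server.Subject
$now = Get-Date
Add-Check 'Server cert within validity period' ($now -gt $server.NotBefore -and $now -lt $server.NotAfter) "Expires $($server.NotAfter)"

# 2. Client certificate: opens with the installer password, carries a private key,
#    and is issued by the server certificate.
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ClientPfxPath, $ClientPfxPassword
Add-Check 'Client PFX contains private key' $client.HasPrivateKey $client.Subject
Add-Check 'Client cert issuer matches server cert subject' ($client.Issuer -eq $server.Subject) $client.Issuer

# Verify the signature by building a chain with the server cert as the only anchor.
# The server cert is not in the machine's Trusted Root store, so an unknown CA is
# tolerated, but a bad signature still makes Build() return $false. The extra
# thumbprint check rejects a chain that stopped at the client cert (partial chain).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($server) | Out-Null
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$built = $chain.Build($client)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$anchoredOnServer = $built -and ($root.Thumbprint -eq $server.Thumbprint)
$status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
Add-Check 'Client cert signature chains to server cert' $anchoredOnServer $status

# 3. IIS: client certificate mapping authentication enabled for the connector location.
Import-Module WebAdministration
$mapAuth = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $IisLocation `
    -Filter 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Add-Check 'IIS client cert mapping auth enabled' ([bool]$mapAuth.enabled) $IisLocation

# 4. Network: a listener exists on the HTTPS port that Jamf Pro will connect to.
$listener = Get-NetTCPConnection -State Listen -LocalPort $HttpsPort -ErrorAction SilentlyContinue
$addresses = ($listener | Select-Object -ExpandProperty LocalAddress -Unique) -join ','
Add-Check "Listener on TCP $HttpsPort" ($null -ne $listener) $addresses

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

The listener check only shows that the service is bound locally; the inbound firewall rules described under Network Communication still have to be verified from the Jamf Pro side (for example with Test-NetConnection against the connector's FQDN and port).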
