Overview
Jamf Pro allows you to add Active Directory Certificate Services (AD CS) as a PKI Provider. You can then use AD CS as the certificate authority (CA) for distributing certificates to computers and mobile devices via configuration profiles.
Adding AD CS as a PKI Provider for certificate distribution involves the following steps:
- Install the Jamf AD CS Connector
  The Jamf AD CS Connector is a service that allows Jamf Pro to securely communicate with the AD CS certificate authority server.
- Integrate Jamf Pro with AD CS
  Integrating with AD CS involves configuring settings in Jamf Pro to define the location of the CA server for Jamf Pro. In addition, you can use Jamf Pro to configure settings for the Jamf AD CS Connector to establish secure communication between Jamf Pro and AD CS.
After communication between Jamf Pro and AD CS has been established, you can use the following technologies in Jamf Pro for certificate management:
- Configuration Profiles: Jamf Pro allows you to distribute certificates via configuration profiles using AD CS as the CA.
- In-house Apps: You can distribute in-house apps developed with the Jamf Certificate SDK to establish identities to support certificate-based authentication to perform Single Sign-On (SSO) or other actions specific to your environment. Jamf Pro allows you to apply a Managed App Configuration to the app during distribution to enable the app to request the necessary certificates.
Communication Overview
Jamf Pro uses the Jamf AD CS Connector to communicate with AD CS to obtain certificates. The following diagram illustrates how communication flows between Jamf Pro and AD CS through the Jamf AD CS Connector:
This communication process starts when devices check in with Jamf Pro. If a device requires a certificate (in response to the Jamf Certificate SDK or to a configuration profile), Jamf Pro generates a certificate signing request (CSR) and sends it to AD CS. AD CS processes the CSR and sends a Request ID back to Jamf Pro. Jamf Pro provides the Request ID to AD CS. When the certificate is ready, AD CS sends it to Jamf Pro and the certificate (.p12) is distributed to the device. All communication between Jamf Pro and AD CS takes place using the Jamf AD CS Connector.