Enabling Jamf Pro as SCEP Proxy for Configuration Profiles

Jamf Pro allows you to create configuration profiles with payloads that contain certificates for user access to resources such as VPN or Wi-Fi. Enabling Jamf Pro as SCEP Proxy for a configuration profile allows Jamf Pro to communicate with your SCEP server to install the certificate directly on computers or mobile devices.

Before you can distribute a configuration profile with Jamf Pro as SCEP Proxy for the certificates included in the profile, you must enable Jamf Pro as SCEP Proxy in the PKI Certificates settings. You can then select Jamf Pro as SCEP Proxy in each configuration profile that you create.

Note: You must enable Jamf Pro as SCEP Proxy in the configuration profile for each profile created to distribute certificates. For more information about configuration profiles, see Computer Configuration Profiles and Mobile Device Configuration Profiles in the Jamf Pro Documentation.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Global section, click PKI Certificates.
  3. Click the Management Certificate Template tab, and then click External CA.
  4. Click Edit.
  5. Select Enable Jamf Pro as SCEP Proxy for configuration profiles.
    Important: If you are using the Jamf Pro built-in CA for device enrollment, ensure that you do not select Use a SCEP-enabled external CA for computer and mobile device enrollment. Selecting this option requires you to re-enroll all devices with Jamf Pro.

  6. Enter a base URL for the SCEP server.
  7. (Optional) Enter the name of the instance in the Name field.
    Note: For Microsoft certificate authorities, SERVERNAME-MSCEP-RA is an example.

  8. Choose the type of challenge password to use from the Challenge Type pop-up menu:
    • If you want all computers and mobile devices to use the same challenge password, choose Static and specify a challenge password. The challenge password will be used as the pre-shared secret for automatic enrollment.

    • (Jamf Pro 10.32.0 or later) If you want to use a non-Microsoft CA with a SCEP Dynamic challenge type, you can create a webhook using the SCEPChallenge event. Jamf Pro sends the receiving web server information about the enrolling device and the configuration profile, and the body of the web server's response is used as the SCEP challenge for that enrollment. For more information on webhooks, see Webhooks in the Jamf Pro Documentation and the following page in the Jamf developer resources: https://developer.jamf.com/developer-guide/docs/webhooks.

    • If you are using a Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose Dynamic-Microsoft CA.

      When using the Dynamic-Microsoft CA challenge type, the Username field requires the down-level logon name format. For more information, see the following Microsoft documentation: User Name Formats.

    • If you are using an Entrust CA, choose Dynamic-Entrust, and then do the following:

      1. Enter the name of your Digital ID Configuration that issues certificates for Entrust in the Digital ID Configuration Name field.

      2. Enter the iggroup variable defined in your Entrust Digital ID Configuration in the Group Name field.

      3. Click Add to enter additional RDN variables, and then enter the variable name and value.

  9. Click Save.

If you are using an external CA, you need to provide the signing and CA certificates for the external CA after saving. This is done by uploading a signing certificate keystore (.jks or .p12) that contains both certificates to Jamf Pro. For instructions, see "Uploading Signing and CA Certificates for an External CA" on the PKI Certificates page in the Jamf Pro Documentation. If you are using the Jamf Pro built-in CA, no action is necessary after saving.
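As an added illustration of the SCEPChallenge webhook flow from step 8 (example code written for this page, not Jamf's own), the Python receiver below accepts the webhook POST, checks the HTTP Basic credentials in constant time, mints a random one-time challenge bound to the enrolling device and profile, and returns it as the response body, which is what Jamf Pro then uses as the SCEP challenge for that enrollment. The envelope shape (a "webhook" object carrying "webhookEvent" plus an "event" object) and the field names deviceId and profileId are assumptions to confirm against a real payload from your instance; the credentials are placeholders, and the sample body is constructed for the demo.

```python
"""Receiver for the Jamf Pro SCEPChallenge webhook (added example, not Jamf code).

Assumptions, not taken from the Jamf documentation:
- The webhook is configured in Jamf Pro to POST JSON with HTTP Basic auth.
- The envelope looks like {"webhook": {"webhookEvent": ...}, "event": {...}};
  the event field names deviceId / profileId are placeholders to confirm
  against a real payload from your instance.
"""
import base64
import hmac
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

WEBHOOK_USER = "jamf-scep"
WEBHOOK_PASSWORD = "replace-with-a-long-random-secret"  # placeholder credential
CHALLENGE_BYTES = 32

# Challenges issued but not yet used, keyed by value, so the SCEP/RA side can
# accept each one exactly once. In-memory here; use a shared store in production.
_issued: Dict[str, Dict[str, str]] = {}
_lock = threading.Lock()


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value a Basic-auth client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorized(auth_header: Optional[str]) -> bool:
    """Constant-time comparison of the presented Basic credentials."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(auth_header[6:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = f"{WEBHOOK_USER}:{WEBHOOK_PASSWORD}".encode()
    return hmac.compare_digest(presented, expected)


def issue_challenge(event: Dict[str, str]) -> str:
    """Mint a fresh random challenge and record which enrollment it belongs to."""
    challenge = secrets.token_urlsafe(CHALLENGE_BYTES)
    with _lock:
        _issued[challenge] = {
            "device": str(event.get("deviceId", "unknown")),    # assumed field name
            "profile": str(event.get("profileId", "unknown")),  # assumed field name
        }
    return challenge


def consume_challenge(challenge: str) -> bool:
    """Validate and burn a challenge: True the first time, False afterwards."""
    with _lock:
        return _issued.pop(challenge, None) is not None


def handle_request(auth_header: Optional[str], body: bytes) -> Tuple[int, str]:
    """Request logic without the HTTP plumbing: returns (status, response body).
    On 200 the body is what Jamf Pro uses as the SCEP challenge for that enrollment."""
    if not authorized(auth_header):
        return 401, ""
    try:
        payload = json.loads(body)
        kind = payload["webhook"]["webhookEvent"]
        event = payload["event"]
    except (ValueError, KeyError, TypeError):
        return 400, ""
    if kind != "SCEPChallenge" or not isinstance(event, dict):
        return 400, ""
    return 200, issue_challenge(event)


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        status, text = handle_request(self.headers.get("Authorization"),
                                      self.rfile.read(length))
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


# Constructed sample of the assumed envelope, used only for the local demo below.
SAMPLE_BODY = (b'{"webhook": {"webhookEvent": "SCEPChallenge"}, '
               b'"event": {"deviceId": "DEVICE-0001", "profileId": "42"}}')

if __name__ == "__main__":
    status, challenge = handle_request(
        basic_auth_header(WEBHOOK_USER, WEBHOOK_PASSWORD), SAMPLE_BODY)
    print(status, challenge, consume_challenge(challenge), consume_challenge(challenge))
    # Serve for real; terminate TLS in front of this with a reverse proxy.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

The point of returning a fresh random value per request, rather than a fixed string, is that a dynamic challenge is only stronger than the Static option if each enrollment gets its own secret that is accepted once; the consume_challenge side shows where the SCEP server or RA would check and invalidate it.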

Creating a Configuration Profile with Jamf Pro as SCEP Proxy

  1. In Jamf Pro, click Computers or Devices at the top of the sidebar.
  2. Click Configuration Profiles in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method. Only payloads and settings that apply to the selected level are displayed for the profile.
  5. Select the SCEP payload and click Configure.
  6. Select Use the External Certificate Authority settings to enable Jamf Pro as SCEP Proxy for this configuration profile. The PKI Certificates settings are applied to the configuration profile.
    Note: You can customize the profile by modifying the Subject and Subject Alternative Name Type settings.

  7. Enter the name of the instance in the Name field.
    Note: For Microsoft certificate authorities, SERVERNAME-MSCEP-RA is an example. If you do not enter a name, SCEP Proxy is populated by default in the Name field.

  8. If you are using an Entrust CA, do the following:
    1. Enter the name of your Digital ID Configuration that issues certificates for Entrust in the Digital ID Configuration Name field.
    2. Enter the iggroup variable defined in your Entrust Digital ID Configuration in the Group Name field.
    3. Click Add to add additional RDN variables, and then enter the variable name and value.
  9. Use the rest of the payloads to configure the settings you want to apply, including the certificates you want to distribute with the profile.
    Note: It is recommended that you distribute one certificate per configuration profile.

  10. Click the Scope tab and configure the scope of the profile.
    Note: For more information, see Scope in the Jamf Pro Documentation.

  11. (Optional) If you chose to distribute the profile in Self Service, click the Self Service tab to configure Self Service settings for the profile.
    Note: For more information, see Items Available to Users in Jamf Self Service for macOS and Mobile Device Configuration Profiles in the Jamf Pro Documentation.

  12. Click Save.

If you want to disable Jamf Pro as SCEP Proxy for configuration profiles in the PKI Certificates settings, you must first disable Jamf Pro as SCEP Proxy for any configuration profiles that have the option enabled.