If your environment uses an external CA that supports SCEP, you can use Jamf Pro to obtain management certificates from the SCEP server and install them directly on computers and mobile devices during enrollment with Jamf Pro. The certificates establish a trusted connection between the devices and the Jamf Pro server, which allows you to perform inventory, configuration, security management, and distribution tasks on the devices. For more information about enrollment, see Computer Enrollment Methods and Mobile Device Enrollment Methods in the Jamf Pro Documentation.
Important: Changing from Jamf Pro's built-in CA to an external CA requires you to re-enroll all devices with Jamf Pro.
- In Jamf Pro, click Settings in the top-right corner of the page.
- In the Global section, click PKI Certificates.
- Click the Management Certificate Template tab, and then click External CA.
- Click Edit.
- Select Use a SCEP-enabled external CA for computer and mobile device enrollment.
  Note: This setting is already selected if your environment is configured to use an external CA. If you switch from the built-in CA to an external CA, you need to re-enroll all devices with Jamf Pro after saving the changes.
- Select Use Jamf Pro as SCEP Proxy for computer and mobile device enrollment.
  Note: If your environment was configured, via the Jamf API, to use Jamf Pro as SCEP Proxy for mobile device enrollment prior to Jamf Pro 10.0.0, then once these settings are saved all management certificates will be distributed to both computers and mobile devices with Jamf Pro as SCEP Proxy.
- Enter a base URL for the SCEP server.
- (Optional) Enter the name of the instance in the Name field. For a Microsoft certificate authority, SERVERNAME-MSCEP-RA is an example.
- Choose the type of challenge password to use from the Challenge Type pop-up menu:
  - If you want all computers and mobile devices to use the same challenge password, choose and specify a challenge password. The challenge password is used as the pre-shared secret for automatic enrollment.
  - If you are using a non-Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose . The challenge type requires use of the Jamf API and membership in the Jamf Developer Program. The challenge uses the or to authenticate the user instead of a username and password. The Thumbprint hash value for the Fingerprint field in Jamf Pro can be obtained from the profile you receive. Before selecting this option, contact your Jamf account representative to learn more about the Jamf Developer Program and the additional steps you need to take to use this option.
  - If you are using a Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose . When using the challenge type, the Username field requires the down-level logon name format. For more information, see the Microsoft documentation on User Name Formats.
  - If you are using an Entrust CA, choose .
    - Enter the name of your Digital ID Configuration that issues certificates for Entrust in the Digital ID Configuration Name field.
    - Enter the iggroup variable defined in your in the field.
    - Click Add to enter additional RDN variables, and then enter the variable name and value.
      Important: JAMF Device Certificate must be entered in the Group Name field. If you have defined JAMF Device Certificate as a value in an RDN variable name in your , click Add to enter the variable name and the JAMF Device Certificate value.
- Click Save.
After saving, you need to provide the signing and CA certificates for the external CA. This is done by uploading a signing certificate keystore (.jks or .p12) that contains both certificates to Jamf Pro. For instructions, see "Uploading Signing and CA Certificates for an External CA" in the PKI Certificates section of the Jamf Pro Documentation.
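As an added example (not Jamf's own code and not part of the Jamf Pro documentation), the following Python script performs two pre-flight checks an administrator would want before saving the settings above: it builds and evaluates the SCEP GetCACaps query (RFC 8894) for the base URL and optional instance name entered in the procedure, flagging a server that does not advertise SHA-256 or AES, and it computes the colon-separated certificate thumbprint for the Fingerprint field from a PEM certificate. The hostname, instance name, GetCACaps responses and the PEM body are constructed sample values; the choice of SHA-1 as the thumbprint digest is an assumption, and the signing keystore (.jks or .p12) itself is not parsed here.

```python
"""Pre-flight checks for a SCEP-enabled external CA before saving the Jamf Pro
PKI Certificates settings. Added example, not part of the Jamf Pro documentation;
standard library only. The GetCACaps operation follows RFC 8894, section 3.5.2."""
from __future__ import annotations

import base64
import hashlib
import re
from typing import Optional
from urllib.parse import urlencode

# Capability keywords defined by RFC 8894. A server that advertises none of the
# strong digests or ciphers forces the client back to SHA-1 and DES3/DES.
STRONG_DIGESTS = {"SHA-256", "SHA-512"}
STRONG_CIPHERS = {"AES"}

# Constructed sample values (not taken from any real deployment).
SAMPLE_BASE_URL = "https://scep.example.com/certsrv/mscep/mscep.dll"
SAMPLE_INSTANCE = "SERVERNAME-MSCEP-RA"
SAMPLE_CACAPS_OK = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-1\n"
SAMPLE_CACAPS_WEAK = "DES3\nSHA-1\n"
# The "certificate" body is just base64("abc"): the thumbprint logic hashes the
# DER bytes regardless of content, so a known hash test vector serves as data.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def getcacaps_url(base_url: str, instance_name: Optional[str] = None) -> str:
    """Build the GetCACaps query for the SCEP base URL entered in Jamf Pro.

    instance_name corresponds to the optional Name field (for a Microsoft CA,
    SERVERNAME-MSCEP-RA) and is passed as the SCEP 'message' parameter.
    """
    params = {"operation": "GetCACaps"}
    if instance_name:
        params["message"] = instance_name
    return f"{base_url.rstrip('/')}?{urlencode(params)}"


def parse_cacaps(body: str) -> set[str]:
    """A GetCACaps response is text/plain with one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def assess_cacaps(caps: set[str]) -> list[str]:
    """Return findings about weak or missing capabilities (empty list = fine)."""
    findings = []
    if not caps & STRONG_DIGESTS:
        findings.append("no SHA-256/SHA-512 advertised: client falls back to SHA-1")
    if not caps & STRONG_CIPHERS:
        findings.append("AES not advertised: client falls back to DES3 or DES")
    if "POSTPKIOperation" not in caps:
        findings.append("POSTPKIOperation missing: PKIOperation must go over GET")
    if "Renewal" not in caps:
        findings.append("Renewal not advertised: expiring certificates need re-enrollment")
    return findings


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes of the first PEM certificate block."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(pem: str, algo: str = "sha1") -> str:
    """Colon-separated, upper-case hex thumbprint of the certificate's DER form,
    the layout Windows and Keychain Access display. Which digest the Fingerprint
    field expects is an assumption here; SHA-1 matches the Windows 'Thumbprint'."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def preflight(base_url, instance_name, cacaps_body, signing_cert_pem) -> dict:
    """Run both checks and collect the values an admin would record."""
    return {
        "getcacaps_url": getcacaps_url(base_url, instance_name),
        "findings": assess_cacaps(parse_cacaps(cacaps_body)),
        "signing_cert_fingerprint": fingerprint(signing_cert_pem),
    }


if __name__ == "__main__":
    for body in (SAMPLE_CACAPS_OK, SAMPLE_CACAPS_WEAK):
        report = preflight(SAMPLE_BASE_URL, SAMPLE_INSTANCE, body, SAMPLE_PEM)
        print(report["getcacaps_url"])
        print("  findings:", report["findings"] or "none")
        print("  signing cert thumbprint:", report["signing_cert_fingerprint"])
```

In practice you would fetch the GetCACaps URL over HTTPS and feed the response body to `assess_cacaps`, and run `fingerprint` on the PEM export of the certificate from your signing keystore; a non-empty findings list is a reason to fix the CA configuration before pointing Jamf Pro at it.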
After the PKI Certificates settings are saved, you can use Jamf Pro as SCEP Proxy to install management certificates directly on devices during enrollment with Jamf Pro.