Overview
Certificates are required for Jamf Pro to communicate with and verify the identity of the computers and mobile devices in your environment. Certificates can also be distributed to allow users to access resources such as VPN or Wi-Fi.
A certificate authority (CA) is a trusted entity that signs and issues the certificates required for certificate-based authentication. Large-scale certificate distribution is simplified by using the Simple Certificate Enrollment Protocol (SCEP) to obtain certificates from the CA and distribute them to the devices in your environment. To issue device certificates, you can use the Jamf Pro built-in CA, integrate with a trusted third-party CA (Symantec), or set up your own external CA that supports SCEP. You can use the PKI Certificates settings in Jamf Pro to set up and manage the certificates in your environment.

- Computers and mobile devices that need a certificate to access resources such as VPN or Wi-Fi check in with Jamf Pro.
- Jamf Pro communicates with the SCEP server to obtain the certificate.
  Note: In a clustered environment, communication is handled by the Jamf Pro web app that receives the request.
- Jamf Pro installs the certificate directly on the computer or mobile device.
Jamf Pro supports the following certificate properties:
- SHA-512
- SHA-256
- SHA-1
- DES3
- AES
For more information about the network ports that Jamf Pro uses for communication, see the Network Ports Used by Jamf Pro article.
You can enable Jamf Pro as SCEP Proxy for the following:
- Configuration profiles: Enabling Jamf Pro as SCEP Proxy for configuration profiles allows you to create profiles that contain a certificate that Jamf Pro obtains from the SCEP server and installs on devices. For example, you can distribute a configuration profile that contains a VPN certificate, and Jamf Pro obtains the certificate from the SCEP server and installs it on devices.
- Device enrollment: If your environment uses an external CA that supports SCEP, you can use Jamf Pro to obtain device management certificates from the SCEP server and install them on devices.