Overview

Certificates are required for Jamf Pro to communicate with and verify the identity of the computers and mobile devices in your environment. Certificates can also be distributed to allow users to access resources such as VPN or Wi-Fi.

A certificate authority (CA) is a trusted entity that signs and issues the certificates required for certificate-based authentication. Large-scale certificate distribution is simplified by using the Simple Certificate Enrollment Protocol (SCEP) to obtain certificates from the CA and distribute them to the devices in your environment. To issue device certificates, you can use the Jamf Pro built-in CA, integrate with a trusted third-party CA (Symantec), or set up your own external CA that supports SCEP. You can use the PKI Certificates settings in Jamf Pro to set up and manage the certificates in your environment.

When a device that needs a certificate checks in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate. You can enable Jamf Pro to proxy this communication between a SCEP server and the devices in your environment so that devices do not need to access the SCEP server. With Jamf Pro enabled as SCEP Proxy, Jamf Pro communicates directly with the SCEP server to obtain certificates and installs them directly on devices. The following steps describe the communication of Jamf Pro as SCEP Proxy:
  1. Computers and mobile devices that need a certificate to access resources such as VPN or Wi-Fi check in with Jamf Pro.

  2. Jamf Pro communicates with the SCEP server to obtain the certificate from the SCEP server.

    Note: In a clustered environment, communication is handled by the Jamf Pro web app that receives the request.

  3. Jamf Pro installs the certificate directly on the computer or mobile device.

Jamf Pro supports the following certificate properties:

  • SHA-512

  • SHA-256

  • SHA-1

  • DES3

  • AES
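
The names in this list are the same as the digest and cipher keywords a SCEP server returns to a GetCACaps request (RFC 8894). The following added example, which is not Jamf Pro code, parses such a reply and reports the strongest advertised digest and cipher. The sample replies are constructed, and treating SHA-1 and DES3 as legacy is an assumption of this example.

```python
# Added example, not Jamf Pro code. Sample replies below are constructed.
DIGESTS = ["SHA-512", "SHA-256", "SHA-1"]   # page's list, strongest first
CIPHERS = ["AES", "DES3"]                   # page's list, strongest first
LEGACY = {"SHA-1", "DES3"}                  # assumption: flagged as legacy here


def parse_caps(body: str) -> set:
    """Split a GetCACaps text body (one keyword per line, CRLF or LF)."""
    return {ln.strip().upper() for ln in body.splitlines() if ln.strip()}


def assess(body: str) -> dict:
    """Return the strongest advertised digest/cipher plus any findings."""
    caps = parse_caps(body)  # unknown keywords are simply ignored
    digest = next((d for d in DIGESTS if d in caps), None)
    cipher = next((c for c in CIPHERS if c in caps), None)
    findings = []
    for kind, best in (("digest", digest), ("cipher", cipher)):
        if best is None:
            findings.append(f"no listed {kind} advertised")
        elif best in LEGACY:
            findings.append(f"strongest {kind} is legacy {best}")
    return {
        "digest": digest,
        "cipher": cipher,
        "legacy_offered": sorted(caps & LEGACY),
        "findings": findings,
        "ok": not findings,
    }


# Constructed sample replies (not captured from a real server).
MODERN = "POSTPKIOperation\r\nSHA-256\r\nSHA-512\r\nAES\r\nRenewal\r\n"
MIXED = "SHA-1\nSHA-256\nDES3\nAES\n"
LEGACY_ONLY = "SHA-1\nDES3\nPOSTPKIOperation\n"

if __name__ == "__main__":
    for name, body in (("modern", MODERN), ("mixed", MIXED),
                       ("legacy-only", LEGACY_ONLY), ("empty", "")):
        print(name, assess(body))
```
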

For more information about the network ports that Jamf Pro uses for communication, see the Network Ports Used by Jamf Pro article.

You can enable Jamf Pro as SCEP Proxy for the following:

  • Configuration profiles

    Enabling Jamf Pro as SCEP Proxy for configuration profiles allows you to create profiles that contain a certificate that Jamf Pro obtains from the SCEP server and installs on devices. For example, you can distribute a configuration profile that contains a VPN certificate, and Jamf Pro obtains the certificate from the SCEP server and installs it on devices.

  • Device enrollment

    If your environment uses an external CA that supports SCEP, you can use Jamf Pro to obtain device management certificates from the SCEP server and install them on devices.