Distributing Certificates Using Configuration Profiles

Important: To issue and revoke certificates with a Venafi integration, the Venafi TPP user configured on the Venafi CA will need the following permissions in Venafi TPP: View, Read, Write, Create, Revoke, Private Key Read. The Venafi TPP user must also have Allow WebSDK Access enabled in Venafi TPP.

You must associate the Venafi PKI instance with a computer or mobile device configuration profile in Jamf Pro so that the correct certificate is issued when the configuration profile is deployed to a device.

You can use either the Certificate payload or the SCEP payload in a configuration profile to issue Venafi certificates. After the configuration profile is installed on the devices and the certificates are issued, you can redistribute or revoke the certificates from a device if it falls out of scope.

One method to control scope is to use an extension attribute. For example, if you create an extension attribute to indicate an end user's status, such as "active" or "inactive", you can configure scope so that all "inactive" users are out of scope. This will cause certificates on the computers or mobile devices associated with inactive end users to be automatically revoked.

For more information about extension attributes, see the following sections in the Jamf Pro Administrator's Guide:

© copyright 2002-2021 Jamf. All rights reserved.