Overview

You can integrate instances of Jamf Pro 10.23.0 or later with the Venafi Trust Protection Platform (TPP) to manage certificates. Venafi is a service provider that offers a single interface to many certificate authorities, enabling the request, renewal, and revocation of certificates. Venafi operates as a certificate manager between Jamf Pro and a certificate provider, such as Active Directory Certificate Services (AD CS) or DigiCert.

You can use the PKI Certificates settings in Jamf Pro to integrate with Venafi TPP. The procedure requires configuring Jamf Pro and Venafi TPP in parallel. Because each configuration is unique to your environment, additional steps may be necessary.

Integrating Jamf Pro with Venafi TPP involves the following steps:

  1. Configuring Venafi TPP

  2. Installing and configuring the Jamf PKI Proxy and configuring Venafi TPP settings in Jamf Pro

  3. Creating a configuration profile including a certificate payload in Jamf Pro

General Requirements

The following components are required:

  • Jamf PKI Proxy 1.4.0 or later

  • Venafi Trust Protection Platform (TPP)

Before integrating Venafi TPP with Jamf Pro, ensure that you have:

  • Configured access to Venafi TPP and have acquired the required Venafi TPP credentials. These credentials must have the ability to manage certificates via the Venafi API.

  • A policy configured for issuing certificates.

Note:

When using service-generated CSRs, the private key is generated and stored in Venafi TPP and then sent to the computer or mobile device. Because the private key also exists in Venafi TPP, data encrypted with the public key can be decrypted there, not only on the device. In addition, when using service-generated CSRs, some of the configuration profile payload settings may not be applicable, depending on the Venafi policy setup.

The only requirement for a policy in Venafi TPP is that a CA template be configured on the policy. The configuration profile payload will supply the Common Name and Friendly Name.
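The consequence the note describes, shown as an added example that is not Jamf's or Venafi's code: a constructed EscrowService stands in for the service-generated CSR flow and keeps a copy of every key it hands out, so it can decrypt anything encrypted to the device's public key, whereas with a device-generated CSR only the request (public key plus proof-of-possession signature) leaves the device and the service has nothing to decrypt with. The device CNs and the EscrowService type are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// DeviceGeneratedCSR models the device-generated flow: the key pair is created on the
// device and only the CSR (subject, public key, proof-of-possession signature) leaves it.
func DeviceGeneratedCSR(cn string) (csrDER []byte, key *rsa.PrivateKey, err error) {
	if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return csrDER, key, err
}

// EscrowService is a constructed stand-in for the service-generated flow: it creates
// the key pair, retains a copy, and sends the key to the device.
type EscrowService struct{ retained map[string]*rsa.PrivateKey }

// IssueKey returns the key destined for the device while keeping a server-side copy.
func (s *EscrowService) IssueKey(cn string) (*rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err == nil {
		s.retained[cn] = key
	}
	return key, err
}

// ServiceCanDecrypt encrypts msg to the device's public key and reports whether the
// service's retained copy recovers it: true for escrowed keys, false when none exists.
func (s *EscrowService) ServiceCanDecrypt(cn string, pub *rsa.PublicKey, msg []byte) bool {
	key, ok := s.retained[cn]
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	if !ok || err != nil {
		return false
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
	return err == nil && string(pt) == string(msg)
}

func main() {
	svc := &EscrowService{retained: map[string]*rsa.PrivateKey{}}
	k, _ := svc.IssueKey("device-0002")
	fmt.Println("escrow can decrypt:", svc.ServiceCanDecrypt("device-0002", &k.PublicKey, []byte("hi")))
}
```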

Important:

To issue and revoke certificates with a Venafi integration, the Venafi user configured on the Venafi CA needs the following permissions in Venafi TPP: View, Read, Write, Create, Revoke, and Private Key Read. The Venafi TPP user must also have Allow WebSDK Access enabled in Venafi TPP.

Communication

Jamf Pro uses the Jamf PKI Proxy to communicate with Venafi to obtain certificates. Jamf Pro communicates with the Jamf PKI Proxy using mutual TLS (mTLS) over TLS 1.2 or TLS 1.3.