Merge pull request #294 from smallstep/carl/jamf-configprofile-download
Show people how to download the config profile template instead of configuring Jamf manually
tashian authored Jan 11, 2024
2 parents 711e272 + 5c3955f commit d17b415
Showing 3 changed files with 41 additions and 135 deletions.
2 changes: 1 addition & 1 deletion step-ca/basic-certificate-authority-operations.mdx
Expand Up @@ -241,7 +241,7 @@ When both the user and the host use certificates in a connection, you will have
- **The host authenticates the user**: When configured to trust the User CA key, a host delegates user identity to the SSH CA. When a user presents their certificate to a host during the SSH handshake, the host will trust it if it's signed by the User CA key, and it will alow any listed certificate principals (usernames) to sign in.
- **The user authenticates the host**: When configured to trust the Host CA key, clients delegate host identity to the CA. When a host presents its certificate to a user during the SSH handshake, the user will trust it if it's signed by the host CA key.

When [`step ca init`](../step-cli/reference/ca/init is run with `--ssh`, it creates two SSH CA key pairs: one for the host CA, and one for the user CA. The user CA key signs SSH user certificates, and the host CA key signs SSH host certificates.
When [`step ca init`](../step-cli/reference/ca/init) is run with `--ssh`, it creates two SSH CA key pairs: one for the host CA, and one for the user CA. The user CA key signs SSH user certificates, and the host CA key signs SSH host certificates.

### Requirements

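Review bot: The link fix is correct; the `)` closing `[...](../step-cli/reference/ca/init)` was missing, so the rendered link was broken. While in this paragraph, the unchanged context line two lines above has a typo in the sentence that describes the host-side trust decision: `it will alow any listed certificate principals` should read `allow`. Worth folding into the same commit.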
172 changes: 39 additions & 133 deletions tutorials/apple-mdm-jamf-setup-guide.mdx
Expand Up @@ -30,44 +30,34 @@ You will need:
- A test device or VM to enroll in MDM.
- A Jamf user for testing enrollment.

<Alert severity="info">
<div>
If you’re planning to deploy Wi-Fi and EAP-TLS using a JumpCloud RADIUS server, you will need to use an RSA CA.
This requires creating an Advanced Authority.
When creating the Authority, use key type `RSA_SIGN_PKCS1_2048_SHA256` for both root & intermediate CAs.
</div>
</Alert>

## Step-by-step instructions

In this section, we will set up an MDM profile that instructs devices to establish CA trust with your Smallstep CA, and to get a client certificate via Smallstep’s SCEP server.

### Configure Smallstep for Jamf

1. In the **Devices** tab, add a device collection and choose **Jamf**
2. Fill in the details related to your Jamf instance.
3. In the Devices tab, create a collection
4. Choose Jamf and select your Jamf instance and a Certificate Authority to use
5. Click **Accounts****Add Account****Wifi**
1. In the **Devices** tab, add a device collection and choose **Jamf Computers** for macOS devices, or **Jamf Devices** for other Apple devices
2. Fill in your Jamf instance URL and choose **Confirm**
3. Choose **WiFi**, then **Continue**
4. Enter your public IP and Wi-Fi SSID. Smallstep needs your public IP address in order to identify your network requests.
5. The other fields are optional. Select **Continue** when done.
6. Choose the **Configuration Profile** link on the top right of the accounts page to download a `.mobileconfig` template that you'll import into Jamf.

Smallstep will provide the following values, which you’ll need later:
<Alert severity="info">
<div>
Resist the temptation to manually install the `.mobileconfig` file for testing; it won’t work.
</div>
</Alert>

- A Jamf webhook URL, username and password to be used when configuring your Jamf webhook
- Your root CA certificate, for configuring the `Certificate` payload
- Your SCEP CA URL, for configuring the `SCEP` payload
- Your intermediate CA fingerprint, for configuring the `SCEP` payload
For the next step, you will need the **Jamf Settings** shown on this page.
These include a webhook URL, username and password to be used when configuring a Jamf `SCEP Challenge` webhook, below.

### Configure Jamf to use Smallstep

There are five steps to this part of the process:

1. Configure a SCEP dynamic challenge webhook
2. Create a configuration profile for testing
3. Add a [`Certificate` payload](https://support.apple.com/guide/deployment/certificates-payload-settings-dep91d2eb26/1/web/1.0) containing your root CA certificate
4. Add a [`SCEP` payload](https://support.apple.com/guide/deployment/scep-payload-settings-dep495a6d79/1/web/1.0) for requesting a client certificate
5. Complete and test your setup
#### Configure a SCEP Challenge webhook

### 1. Configure a SCEP dynamic challenge webhook
First, you'll need to add a SCEP Challenge webhook to your Jamf tenant configuration.
You'll only need to do this once.

1. In the Jamf dashboard, go to `Settings` and search for `Webhooks`
2. Click **+ New**
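Review bot: The new alert (`Resist the temptation to manually install the .mobileconfig file for testing; it won't work.`) should say why, or readers will try it anyway and then file a support ticket. The reason is already visible in this diff: the SCEP payload uses a dynamic challenge that Jamf fetches through the SCEP Challenge webhook configured in the next section, and Jamf substitutes device variables such as `$UDID` and `$PROFILE_IDENTIFIER` at distribution time, so a profile installed outside Jamf has neither a valid challenge nor a resolved subject. One sentence to that effect inside the alert would do. Separately, step 4 (`Enter your public IP and Wi-Fi SSID. Smallstep needs your public IP address in order to identify your network requests.`) should say which public IP is meant, namely the egress address from which your network's RADIUS requests reach Smallstep, and what to do if that address changes; as written, an admin behind several NAT egress addresses has no way to pick the right one.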
Expand All @@ -84,118 +74,21 @@ There are five steps to this part of the process:

4. Choose **Save** in the bottom right

### 2. Create a Configuration Profile for testing
#### Upload and Test the Configuration Profile

<Alert severity="warning">
<div>
Use a Device or Computer Level profile. These instructions do not apply to User Level profiles.
</div>
</Alert>

To test your setup, you can create a computer or mobile device Configuration Profile—or both—as needed. Some of the settings below are not available on mobile.

When you move from test into production, you’ll repeat the setup steps below in your production profiles.
Next, upload the Configuration Profile you downloaded from Smallstep, and map it to a test device.

**2a. Add a `Certificate` Payload to the Configuration Profile**
1. In the Jamf Dashboard, go to Configuration Profiles (for Computers or Devices)
2. Choose **Upload**.
3. **Choose File** and select the `.mobileconfig` template you downloaded from Smallstep
4. Choose the Scope tab, and select a device or user for testing. For the device to appear, the device should already be enrolled with a basic Jamf MDM profile.

This payload configures the device to trust your Smallstep Root CA. The device needs CA trust in order to request a client certificate.
Enrolled devices will immediately receive the configuration profile updates from Jamf and will be ready to join the network.
If you need to make changes, you can change the settings in Smallstep and download a new Configuration Profile template.

Use the following payload properties:
### Deploying Production Profiles

- Set a name, e.g. `Smallstep Root CA`
- Select Certificate Option: `Upload`
- Choose **Upload Certificate** and upload the PEM-formatted root CA certificate you received from Smallstep.

<Alert severity="warning">
<div>
Jamf requires the file extension to be `.cer` for it to appear in the file chooser, so you may need to rename your CA certificate file. The extensions `.cer`, `.crt`, and `.pem` all generally refer to the same PEM certificate format.
</div>
</Alert>

- Password is not required; it’s just a certificate, after all.
- Select ✅ **Allow all apps access**
- ✅ **Allow export from keychain** can be enabled or disabled

Choose Save in the bottom right to save the profile.

**2b. Add a `SCEP` Payload to the Configuration Profile**

The `SCEP` payload configures the device to get a client certificate from Smallstep, using Dynamic SCEP.

In the Configuration Profile, create a `SCEP` Payload with the following properties:

- Use the **SCEP URL** you received from Smallstep
- **Name** is optional; the name you choose will appear in the macOS or iOS Profiles settings panel
- **Redistribute Profile** can be used to request Jamf redistribute the profile a number of days before the certificate expires.

Redistributing the profile renews the SCEP client certificate. The correct value for this field depends on the client certificate’s validity period.

Because mobile devices and laptops are intermittently connected, we recommend redistribution at around 20% of the certificate lifetime.

A good starting point is to use a 45 day certificate, redistributed 30 days before it expires.

- Fill in the **Subject** as you wish.
- When using Redistribute Profile, `$PROFILE_IDENTIFIER` must be somewhere in your subject name. Use any subject name field for this — `OU`, `O`, `L`, `ST`, etc.
- `CN=$COMPUTERNAME` or `CN=$UDID` can be used as dynamic value. Other possible variable names are available; see the [Jamf documentation](https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Computer_Configuration_Profiles.html).
- A good starting point for this value is `CN=$UDID,L=$PROFILE_IDENTIFIER`
- Optional: Add **Subject Alternative Names (SANs)** as needed.
- Set **Challenge Type** to Dynamic. Jamf will use the Dynamic Challenge webhook configured earlier.
- The default notification threshold should be adjusted to be a fraction of the total certificate lifetime.
- Set **key size** to at least 2048 bits
- Select ✅ **Use as Digital Signature**
- Select ✅ **Use for Key Encipherment**
- For **Fingerprint**, use the Intermediate CA Fingerprint you received from Smallstep. This value is a hex-encoded MD5 or SHA1 hash with no delimiters.
- Only select **Allow export from Keychain** or **Allow all apps access** if you need them.
(This setting is only available on Computer profiles.)
- **Here's an example of the completed form**

![jamf scep.png](/graphics/jamf_scep.png)


Choose Save in the bottom right to save the profile.

<Alert severity="info">
<div>
We recommend adding both payloads to the same Configuration Profile, but you could use separate profiles, so long as the profile with the `Certificate` payload is applied before the profile with the `SCEP` payload.
</div>
</Alert>

### 3. Test your MDM Profile

After configuring the SCEP payload, it’s possible to add more payloads that make use of the SCEP certificate—for example, a VPN or Network/Wi-Fi payload—but we suggest testing this basic profile before you add payloads that use the certificate.

To test your Configuration Profile, attach a Scope:

1. In the **Configuration Profile** settings, choose the **Scope** tab
2. Select a device or user for testing. For the device to appear, the device should already be enrolled with a basic Jamf MDM profile.

<Alert severity="info">
<div>
Resist the temptation to download the profile from the Jamf admin panel and manually installing it; it won’t work.
</div>
</Alert>

## Adding Wi-Fi

Now that we have a basic working profile with CA trust and a client certificate, we’ll configure an EAP-TLS certificate Wi-Fi connection.

For this section, you will need a RADIUS server that your users will authenticate against. Check the certificate used by your RADIUS server for its common name.

1. In Jamf, create a Wi-Fi payload.
2. Configure your SSID and other basic network settings.
3. For Network Security, select WPA2 Enterprise or WPA3 Enterprise.
4. In the Protocols tab, select the EAP-TLS protocol.
5. Under the Trust tab, add a Trusted Certificate for your RADIUS server.

If your RADIUS server certificate is managed by Smallstep, choose your Smallstep Root CA Certificate payload here.

If your RADIUS server certificate is from a different PKI, you’ll need to add a new Certificate payload containing your RADIUS server’s Root CA certificate.

6. Under the Certificate Common Name, use the Common Name of your RADIUS server.

## Changing Production Profiles

As you plan changes to your configuration profile, it is recommended to stage your changes.
As you plan to deploy your configuration profile, it is recommended to stage your changes.
Here's one approach:
- Clone your production profile in Jamf
- Exclude your test computer or device from your production profile
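Review bot: The replacement text never says what the downloaded template sets for certificate renewal, even though the deleted paragraphs covered it in detail (Redistribute Profile at roughly 20% of the certificate lifetime, `$PROFILE_IDENTIFIER` required somewhere in the subject, the intermediate CA fingerprint, key size and key usage). Since `If you need to make changes, you can change the settings in Smallstep and download a new Configuration Profile template` makes the template the source of truth, add a sentence after the upload steps listing what the template carries (certificate lifetime, redistribution threshold, fingerprint) and stating that those values are edited in Smallstep, not in the uploaded profile; otherwise an admin who tweaks the SCEP payload in Jamf can silently break renewal. Also, `Enrolled devices will immediately receive the configuration profile updates from Jamf and will be ready to join the network` overstates it for the intermittently connected laptops and mobile devices the deleted text acknowledged; say that offline devices pick the profile up when they next connect to Jamf.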
Expand All @@ -205,6 +98,19 @@ Here's one approach:
- Re-add your test device to the production profile scope
- Finally, remove the cloned profile

### Running your own RADIUS server?

If you run your own RADIUS server, you'll need to modify your Configuration Profile to match your setup.
Link the Certificate Trust settings for your `Wi-Fi` Payload to your RADIUS server's Root CA certificate instead of Smallstep's. You may need to add an additional `Certificate` payload for your RADIUS server's Root CA.

<Alert severity="info">
<div>
If you’re planning to deploy Wi-Fi and EAP-TLS using a JumpCloud RADIUS server, you will need to use an RSA CA.
This requires creating an Advanced Authority.
When creating the Authority, use key type `RSA_SIGN_PKCS1_2048_SHA256` for both root & intermediate CAs.
</div>
</Alert>

### Troubleshooting

- Check the expected certificates have been deployed to the right stores on macOS: user vs. device; trusted roots; personal certificates.
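Review bot: The custom-RADIUS paragraph drops the server-name check that the deleted Wi-Fi section had (`Under the Certificate Common Name, use the Common Name of your RADIUS server`). Telling admins only to `Link the Certificate Trust settings for your Wi-Fi Payload to your RADIUS server's Root CA certificate` means the EAP-TLS client will accept any server certificate issued under that root; add a step to set the trusted server certificate name to the RADIUS server's CN so clients pin the server and not just the CA. The relocated JumpCloud alert reads fine here, but `RSA_SIGN_PKCS1_2048_SHA256` is stated as a requirement (`you will need to use an RSA CA`), so `severity="warning"` would match how the other must-do notes in this file are styled.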
2 changes: 1 addition & 1 deletion tutorials/intune-mdm-setup-guide.mdx
Expand Up @@ -200,7 +200,7 @@ For this section, you will need a RADIUS server that your users will authenticat
Typically, thwill match the FQDN of your RADIUS server.
8. Under the Trust tab, add a Trusted Certificate for your RADIUS server.

If your RADIUS server certificate is managed by Smallstep, add your Smallstep Root CA and Smallstep Intermediate CA here.
If your RADIUS server certificate is managed by Smallstep, add the <a href="https://dl.smallstep.com/radius.smallstep.com-root.crt">Smallstep RADIUS Root CA PEM</a> here.

If your RADIUS server certificate is from a different PKI, you’ll need to add a new Certificate payload containing your RADIUS server’s Root CA certificate.
9. Under **Client Authentication**, for **Authentication method** choose SCEP Certificate.
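Review bot: Pointing at a downloadable root (`radius.smallstep.com-root.crt`) is clearer than the old `Smallstep Root CA and Smallstep Intermediate CA`, but the page gives admins no way to verify what they downloaded before pinning it as the Wi-Fi trust anchor; publish the root's fingerprint next to the link so it can be checked out-of-band after download. Also, the unchanged context line `Typically, thwill match the FQDN of your RADIUS server.` has a typo (`thwill` for `this will`) that could be fixed in the same commit.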
