01-25-2023 03:43 PM - edited 04-27-2023 03:18 PM
This article explains setting up a Cloudpath Enrollment System SCEP integration with JAMF for Apple device management.
NOTE: JAMF User and user group mapping has not been covered in this module.
Cloudpath Configuration
Create a SCEP Key
In the Cloudpath admin user interface, go to Certificate Authority >>> Manage Templates, then select the Certificate Template that will be used to issue the user/device certificates to the JAMF managed devices. Click on the “Manage” icon for the certificate template.
Select the SCEP Keys tab and, under SCEP Keys, click on the “Add SCEP Key” button.
In the “Create SCEP Key” page, set a display name and description for the SCEP key. Set an expiration date if required. Select “Require Challenge Password” and enter a password. Leave the Configuration Information section at the default settings. Click Save.
Back in the SCEP Keys tab of the certificate template, click on the “Show” icon under SCEP Enroll URL column.
This will reveal the full SCEP Key URL. Copy the full SCEP Enroll URL to a text editor (Notepad) for later use.
Root CA and Intermediate CA Export
The Root CA will be used in a later step to create a Trusted Certificate profile in JAMF.
To export the CA certificate, go to Certificate Authority >>> Manage CAs. Expand the Root section.
In the Public Key section, click on the “Download PEM” button. This will download a Base64 encoded DER file.
Perform the same steps for the Intermediate CA certificate.
Get the OCSP hash from the Intermediate CA; it will be used in the JAMF configuration later.
JAMF Configuration
CONFIGURATION PROFILES
Log in to JAMF and select Configuration Profiles >>> New.
Name: Name the profile and Save.
Under New configuration profiles
SCEP SETTING
SCEP >>> Configure SCEP.
URL: SCEP Enroll URL copied earlier from the Cloudpath SCEP profile.
Subject: CN=$DEVICENAME for iOS
Subject: CN=$COMPUTERNAME for OSX
Challenge and Verify Challenge: From Cloudpath SCEP Profile
Retries: 2
Retry Delay: 3
Key Size: 2048
Fingerprint: OCSP Hash from Cloudpath Intermediate CA
CERTIFICATE SETTING
Select Certificate >>> Configure Certificate
Import Root CA
Upload the Root cert downloaded earlier from Cloudpath.
Click on + to add another cert.
Import Intermediate CA
Upload the Intermediate cert downloaded earlier from Cloudpath.
NETWORK SETTING
Network >>> Configure Network >>> Configure
Service Set Identifier (SSID): Name of the SSID
Security Type: WPA2 Enterprise
Accepted EAP Types: TLS
Select TRUST tab as shown in this screenshot.
Identity Certificate: Select SCEP profile created earlier.
Trusted Certificates: Select Root CA and Intermediate CA.
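A check for the finished profile, as an added example that is not part of the original article: it assumes the profile has been downloaded from JAMF as an unsigned .mobileconfig and reads Apple's configuration profile payload keys. The sample profile, its UUIDs, URL and SSID are constructed placeholders.

```python
import plistlib

EAP_TLS = 13  # IANA EAP method number for EAP-TLS
CERT_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")

def audit_profile(raw: bytes) -> list:
    """Return findings for an unsigned .mobileconfig; an empty list means it matches the guide."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    of_type = lambda *t: [p for p in payloads if p.get("PayloadType") in t]
    scep_ids = {p.get("PayloadUUID") for p in of_type("com.apple.security.scep")}
    ca_ids = {p.get("PayloadUUID") for p in of_type(*CERT_TYPES)}
    findings = []
    for p in of_type("com.apple.security.scep"):
        c = p.get("PayloadContent", {})
        if not c.get("Challenge"):
            findings.append("SCEP: challenge password missing")
        if c.get("Keysize", 0) < 2048:
            findings.append("SCEP: key size below 2048")
        if not c.get("CAFingerprint"):
            findings.append("SCEP: CA fingerprint not set")
    for p in of_type("com.apple.wifi.managed"):
        eap = p.get("EAPClientConfiguration", {})
        if p.get("EncryptionType") != "WPA2" or eap.get("AcceptEAPTypes") != [EAP_TLS]:
            findings.append("Wi-Fi: not WPA2 Enterprise with EAP-TLS only")
        if p.get("PayloadCertificateUUID") not in scep_ids:
            findings.append("Wi-Fi: identity certificate is not the SCEP payload")
        # Without trust anchors the client has no pinned CA for the RADIUS server.
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        if not anchors or not anchors <= ca_ids:
            findings.append("Wi-Fi: trusted certificates missing or not in profile")
    if not scep_ids or not of_type("com.apple.wifi.managed"):
        findings.append("profile lacks a SCEP or Wi-Fi payload")
    return findings

def sample_profile(anchors=("ROOT-UUID", "INT-UUID")) -> bytes:
    """Constructed sample profile with placeholder values, not an export from a real server."""
    scep = {"PayloadType": "com.apple.security.scep", "PayloadUUID": "SCEP-UUID",
            "PayloadContent": {"URL": "https://cloudpath.example.com/scep-placeholder",
                               "Subject": [[["CN", "$DEVICENAME"]]], "Challenge": "placeholder",
                               "Retries": 2, "RetryDelay": 3, "Keysize": 2048,
                               "CAFingerprint": b"\x00" * 20}}
    certs = [{"PayloadType": t, "PayloadUUID": u, "PayloadContent": b"constructed"}
             for t, u in zip(CERT_TYPES, ("ROOT-UUID", "INT-UUID"))]
    wifi = {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-UUID",
            "SSID_STR": "Example-SSID", "EncryptionType": "WPA2",
            "PayloadCertificateUUID": "SCEP-UUID",
            "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS],
                                       "PayloadCertificateAnchorUUID": list(anchors)}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [scep, *certs, wifi]})
```

An empty result from `audit_profile` means the SCEP, certificate and network payloads are linked the way the steps above describe; a signed profile has to be unwrapped before it can be parsed this way.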
01-31-2023 09:54 PM
Hi Vijay,
Currently we do not see the option for the trusted certificates box on our Jamf Pro upon doing the instructions on the last image. We are currently using Jamf Pro version 10.42.1-t1667311080. Will this affect the expected output?
02-01-2023 09:47 AM
Hi @froi_borja_ama,
I have added 1 more screenshot before the last image, hope that will help.
02-26-2023 09:12 PM
Hi Vijay
For the CN, can we use another format that gets the username instead of the text $DEVICENAME? Please see screenshot below for reference.
02-27-2023 09:13 AM
Hi @froi_borja_ama,
I have not tested with username, but for cert assignment with username, I assume changing this setting in JAMF to CN=$USERNAME should work.
Let me know if it works.