AppViewX Integration with JAMF

What is JAMF

The advantages of using Jamf are as follows:
  • The Industry Standard for Apple Device Management - The various products in the Jamf suite allow for seamless setup and deployment of devices, all offered in a single consolidated solution.
  • Cloud-Based Mobility - Jamf Now is the ideal solution for small and medium enterprises as it empowers setting up, protecting, and managing devices right from one product.
  • Device Management Tool for The Pros – A complete EMM (Enterprise Mobility Management) tool for your users. Jamf Pro features application and device management, deployment, security capabilities, inventory collection, and more.
  • Enhanced Identity Management - Jamf Connect offers the flexibility to remotely and centrally manage passwords, groups, and users. It provides access to corporate cloud resources and applications that offer an advanced security and identity approach.
  • Mac-Exclusive Endpoint Protection - Jamf Protect, developed natively on the iOS architecture, offers deep visibility into any operations or threats at the endpoints. It provides a dashboard, extensive reporting, and real-time alerts on the built-in security framework for macOS.

Deployment Models

SCEP obtains certificates from the CA and distributes them to managed mobile devices, providing a simplified way of handling large-scale certificate distribution. If you do not want computers or mobile devices to communicate directly with a SCEP server, you can configure Jamf Pro to proxy the communication between the SCEP server and the computers and mobile devices in your environment. In that case Jamf Pro communicates directly with the SCEP server to obtain certificates and installs them on the devices.
Alternatively, Jamf Pro can be configured so that computers and mobile devices communicate directly with the SCEP server. That is the deployment model described in this document.

Prerequisites

  1. Disable the SCEP proxy checkbox on the Global Management > PKI Certificates screen.
    1. Log in to Jamf Pro (cloud-hosted or on-premise; sample URLs are shown below):
      1. Cloud-hosted: https://JAMF_PRO_URL.jamfcloud.com
      2. On-premise: https://JAMF_PRO_URL.com:8443
    2. Click Settings > All Settings > Global Management > PKI Certificates.
    3. Make sure the checkbox labeled Enable Jamf Pro as SCEP Proxy for configuring profiles is disabled.
      Note: This is an important step for enabling this deployment model.
  2. Configure the Challenge Password in the SCEP configuration and on the AppViewX endpoints.
    Note: The challenge passphrase is mandatory for Mac devices to connect to the AppViewX SCEP node.
  3. The Mac device must be able to reach the SCEP server on port 30022.

Direct Communication with SCEP Server

Obtaining the Certificate Thumbprint/Fingerprint

  1. Log in to the AppViewX platform using valid credentials.
  2. Hover on the menu icon and select CERT+.
  3. Click Certificate Inventory on the left menu and select the certificate type (Server, Client, or Code Signing).
    The certificates with the common names are displayed on the right.
  4. From the Common Name column, click on the desired certificate.
    All valid certificates are displayed.
  5. Click the desired RA certificate to display the details.
  6. Click the three dots on the issuer certificate to display the Download Certificate option.
  7. Click Download Certificate and save the certificate in the desired format.
  8. Open the downloaded certificate.
  9. Click the Details tab and then select the Thumbprint field.
    The full value is displayed in the section below.
  10. Copy this hex value and paste it into a text editor. Use this value in the Fingerprint field in Jamf Pro (described in the section below).
    Another way to obtain the hex value, without having to manually delete the colons in the thumbprint, is described below.
  11. Execute steps 1 to 5 described above.
  12. Click the Issuer certificate.
  13. In the Certificate Details pop-up, click the Thumbprint value.
    The full value is displayed in the section below.
  14. Copy this hex value and paste it into a text editor. Make sure all the colons are removed before using it in the Fingerprint field in Jamf Pro (described in the section below).
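The manual copy-and-strip procedure above is error-prone (a stray colon or a lower-case digit is easy to miss), so here is an added example, not AppViewX or Jamf code, that derives the Fingerprint value from the downloaded PEM certificate and normalises a thumbprint copied from any viewer. It assumes the Jamf Pro Fingerprint field expects the hex digest of the issuing certificate's DER encoding with the colons removed, which is what the steps above produce by hand; the sample input is constructed, not a real certificate.

```python
"""Derive and normalise the Jamf Pro SCEP 'Fingerprint' value (added example)."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def wrap_pem(der: bytes) -> str:
    """Inverse of pem_to_der; used here only to build constructed test input."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint_from_der(der: bytes, algo: str = "sha1") -> str:
    """A certificate thumbprint is the hash of its DER encoding.

    Certificate viewers show SHA-1 by default (assumption); pass algo="sha256"
    if the viewer or the CA shows a SHA-256 thumbprint instead.
    """
    return hashlib.new(algo, der).hexdigest().upper()


def jamf_fingerprint(thumbprint: str) -> str:
    """Turn a thumbprint copied from a viewer ('da:39:a3 ...' or 'DA 39 A3 ...')
    into the colon-free upper-case hex string the Fingerprint field expects,
    rejecting anything that is not an MD5, SHA-1 or SHA-256 digest."""
    cleaned = re.sub(r"[\s:]", "", thumbprint).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned) or len(cleaned) not in (32, 40, 64):
        raise ValueError("thumbprint is not an MD5, SHA-1 or SHA-256 hex digest")
    return cleaned


if __name__ == "__main__":
    # Constructed placeholder bytes stand in for the downloaded issuer certificate.
    pem = wrap_pem(b"constructed-der-placeholder")
    print(fingerprint_from_der(pem_to_der(pem)))
```

Run it against the certificate saved in step 7 (open the file and pass its text to pem_to_der) and compare the result with what you pasted into Jamf Pro.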

Configuring SCEP

  1. Navigate to SCEP Configuration Profiles screen.
  2. In the URL field, enter the AppViewX server’s publicly exposed SCEP URL.
  3. In the Name field, enter the desired name for this configuration.
  4. From the Redistribute Profile dropdown, choose a value to specify the number of days before the certificate needs to be renewed. For example, if you want a certificate to be renewed 15 days before expiry, then set the Redistribute Profile to 15 days.
  5. In the Subject field, enter the variable names. The $ (dollar) sign may be used with the variable name. Refer to the Mobile Device Configuration Profiles page to learn about the variable names supported in Jamf.
  6. From the Subject Alternative Name Type dropdown, select None.
  7. From the Challenge Type dropdown, select one of the following:
    1. Static - If you want all computers and mobile devices to use the same challenge password, choose “Static” and specify a challenge password. The challenge password will be used as the pre-shared secret for automatic enrollment.
    2. Dynamic - If you are using a non-Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic”. The Dynamic challenge type requires use of the Classic API and membership in the Jamf Developer Program. The Dynamic challenge uses the "Fingerprint" or "Thumbprint" to authenticate the user instead of a username and password. The Thumbprint hash value for the Fingerprint field in Jamf Pro can be found on the profile you receive. Before selecting this option, contact your Jamf account representative to learn more about the Jamf Developer Program and the additional steps you need to take to use this option.
      Note: Currently, CERT+ does not support the dynamic challenge passphrase.
  8. In the Challenge and Verify Challenge fields, enter the AppViewX SCEP Challenge Password configured in the AppViewX SCEP UI.
    Note: This is a mandatory step. The challenge password is required in this deployment model, and the same challenge password set in the prerequisites must be configured in Jamf Pro.
  9. In the Retry Delay field, enter a desired value (in seconds).
  10. In the Certificate Expiration Notification Threshold field, enter the number of days before the certificate expiration at which a notification will start displaying.
  11. From the Key Size dropdown, select value 2048.
  12. Select the checkboxes Use as digital signature and Use for key encipherment.
  13. In the Fingerprint field, enter the hex string to be used as a fingerprint.
  14. Select the checkboxes Allow export from keychain and Allow all apps access.
  15. Click Save.

Initiating the Enrollment from a Device

This section describes how to test the Jamf Pro configuration performed in the previous section. Open the Jamf Pro enrollment URL in Safari, as other browsers cannot recognise the received configuration profile and install it on the machine. Follow the instructions shown on the macOS screen.

  1. Enter the enrollment URL, for example https://avxjamf.jamfcloud.com/enroll/, in Safari.
  2. Enter a valid username and password.
  3. Leave the Assign to user field empty and click Enroll.
  4. To continue with the enrollment (installation of CA certificate), click Continue.
  5. To confirm installation of the CA Certificate, click Install.
  6. To continue with the enrollment (installation of the MDM profile), click Continue.
  7. To confirm installation of the MDM Profile, click Install, and enter the valid credentials to carry out the installation.
  8. After the installation is complete, the following message is displayed – “The enrollment process is completed.”
  9. Wait approximately one minute for the installation of the profile and certificate. (The profile contains the SCEP configuration, and during installation the device sends a SCEP request directly to the AppViewX server.)
  10. After the installation, verify the profiles by clicking System Preferences > Profile. All the installed profiles must be visible.
    Note: Deleting the MDM profile removes all the associated information from Profiles. A fresh enrollment can be performed afterwards.
  11. To verify the certificate, open Keychain Access (User/System) and check the certificates installed for each configuration profile against the respective CN name.

Troubleshooting

The failed commands or errors can be viewed here for troubleshooting.