Automating Certificate Deployment with Jamf & Symantec Managed PKI

Jamf
October 25, 2018

Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
Automating Certificate Deployment with Jamf & Symantec Managed PKI

Presented by:
Isaac Ordonez, Mann Consulting
Jeff Vrieling, Jamf

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.

Transcript

  1. © JAMF Software, LLC
    Isaac Ordonez
    Sr. Consultant
    Mann Consulting

    Jeff Vrieling
    Professional Service Engineer
    Jamf

  2. © JAMF Software, LLC
    Automated Certificate Deployment
    with Jamf and Symantec Managed PKI
    Presentation agenda:

    Goals & Certs

    Services

    Configuration

    Demo

  3. © JAMF Software, LLC
    Goals & Certs

  4. © JAMF Software, LLC
    Goals - Security
    • No passwords for users

    • Require devices in MDM
    Better security for clients

  5. © JAMF Software, LLC
    Goals - Fully hosted
    • Lower IT overhead

    • Security patched by vendor

    • Don’t need expertise in PKI
    Monthly spend, no servers, no certificate person

  6. © JAMF Software, LLC
    Why Certificates
    • Similar to a passport

    • Can be issued to user or device

    • Not exportable

    • 6.4 quadrillion years to crack*
    More secure than passwords

  7. © JAMF Software, LLC
    An Identity

  8. © JAMF Software, LLC

  9. © JAMF Software, LLC
    “Are you really Isaac Ordonez?”
    “Yes, here is my certificate”
    jnuc.ordonez.tv
    Certificate granted to Isaac Ordonez
    Certificate Authority (CA)
    Root Cert

  10. © JAMF Software, LLC
    Services

  11. © JAMF Software, LLC
    (Digicert) Symantec Managed PKI
    • Signs and validates certificates

    • Costs $6-9 per device per year

    • $2,000 Setup cost

    • Support built in to Jamf Pro
    Turnkey hosted PKI service

  12. © JAMF Software, LLC
    RADIUS
    • Authentication, Authorization and Accounting

    • Ethernet, WiFi, VPN, etc.

    • Industry standard

    • Foxpass/FreeRADIUS/others
    Remote Authentication Dial-In User Service

  13. © JAMF Software, LLC
    • Accepts certificates for auth

    • Google/Okta/O365/OneLogin support

    • ~$3k per year for 25 w/TLS auth

    • ~$30k per year for 1000 w/TLS auth
    Hosted RADIUS (+LDAP) auth

  14. © JAMF Software, LLC
    HTTPS client authentication
    • HTTPS servers require certificate from client

    • No data transmitted until validated

    • MDM required for access
    Require certificates for HTTPS sites

  15. © JAMF Software, LLC
    Configuration

  16. © JAMF Software, LLC
    Config - Symantec - Install Client
    • Install Symantec Client

    • Install Symantec Chrome Extension
    Configure Symantec Instance

  17. © JAMF Software, LLC

  18. © JAMF Software, LLC
    Config - Symantec - Login to PKI
    • Install administrator certificate

    • Fix private key access settings
    Configure Symantec Instance

  19. © JAMF Software, LLC

  20. © JAMF Software, LLC
    Config - Symantec - Setup the PKI
    • Create a certificate profile

    • Define certificate settings

    • Download your public CA and save

    • Connect to Jamf Pro
    Configure Symantec Instance

  21. © JAMF Software, LLC

  22. © JAMF Software, LLC
    Config - Foxpass - Server certificate
    • Send Foxpass your Symantec Root CA

    • Foxpass sends you a server certificate
    (Steps not shown)

  23. © JAMF Software, LLC
    Config - Foxpass & Meraki
    • Create a RADIUS client for your network

    • Set WiFi to WPA2-Enterprise

    • Use Secret and IP for RADIUS server
    Set up RADIUS

  24. © JAMF Software, LLC

  25. © JAMF Software, LLC
    Config - Apache - HTTPS client auth
    • Enable SSLVerifyClient

    • Specify Symantec Public CA as PEM
    Easy to set up

  26. © JAMF Software, LLC

  27. © JAMF Software, LLC
    Config - Jamf Pro - Configuration Profile
    • Include Symantec CA & Foxpass certificates

    • Define client certificate mapping

    • Match certificate profile OID

    • Create WiFi payload
    Create configuration profile

  28. © JAMF Software, LLC

  29. © JAMF Software, LLC
    Config - Jamf Pro - Smart Group
    • Smart group for valid usernames

    • Scope configuration profile
    Smart group of valid usernames

  30. © JAMF Software, LLC

  31. © JAMF Software, LLC
    Demo - Certificate Verification
    • Client - Profiles

    • Jamf Pro - Inventory

    • Symantec PKI - Certificates

    • Client - Keychain - No exporting key!
    Multiple locations to view certificate

  32. © JAMF Software, LLC

  33. © JAMF Software, LLC
    Demo - Connect to WiFi
    • WiFi connection is automatic

    • Review Meraki logs

    • Review Foxpass logs
    Connect and review logs

  34. © JAMF Software, LLC

  35. © JAMF Software, LLC
    Demo - Connect to HTTPS site
    • HTTPS handshake fails, no data passed
    Example of a client without certificate

  36. © JAMF Software, LLC

  37. © JAMF Software, LLC
    Demo - Connect to HTTPS site
    • HTTPS handshake success

    • Web resources load
    Example of a client with certificate

  38. © JAMF Software, LLC

  39. © JAMF Software, LLC
    Services
    • Foxpass - foxpass.com

    • Symantec MPKI

    • www.digicert.com/client-certificates/

    • Jamf Pro - Jamf.com
    Where to get trials and sign up

  40. © JAMF Software, LLC
    Services
    • Email [email protected]

    • Jamf Professional Services
    Want help setting it up?

  41. © JAMF Software, LLC
    Questions?

  42. © JAMF Software, LLC
    THANK YOU!
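
Slide 25's two Apache settings (enable SSLVerifyClient, supply the PKI's public CA as PEM) written out as a virtual host, as an added example that is not from the presenters' deck. The hostname and all file paths are placeholders, and the revocation lines assume the CA's CRL is downloaded to that path on a schedule.

```apache
# Added example: hostname and file paths are placeholders, not from the deck.
<VirtualHost *:443>
    ServerName intranet.example.com

    SSLEngine on
    # The server's own identity, presented to every client.
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key

    # Trust anchor for CLIENT certificates: only the managed PKI's public CA,
    # PEM-encoded. Pointing this at the system CA bundle would let a
    # certificate issued by any public CA pass verification.
    SSLCACertificateFile  /etc/httpd/tls/managed-pki-ca.pem

    # Weak: "optional" (and "optional_no_ca") lets the handshake complete
    # without a valid client certificate and leaves enforcement to the app.
    # SSLVerifyClient optional

    # Enforced: the TLS handshake fails unless the client presents a
    # certificate that chains to the CA above, so no HTTP data is exchanged.
    SSLVerifyClient require

    # Depth 1: the client certificate is signed directly by the CA in the file.
    # Raise this only if the PKI issues through an intermediate CA.
    SSLVerifyDepth 1

    # Assumption: the CA publishes a CRL and it is refreshed at this path.
    # Without a revocation check, a certificate from a lost or unenrolled
    # device stays valid until it expires.
    SSLCARevocationCheck leaf
    SSLCARevocationFile  /etc/httpd/tls/managed-pki-ca.crl

    # Record which certificate subject made each request.
    CustomLog logs/client_auth.log "%h %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\" %{SSL_CLIENT_VERIFY}x"
</VirtualHost>
```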
