Automating Certificate Deployment with Jamf & Symantec Managed PKI

Jamf
October 25, 2018

Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
Automating Certificate Deployment with Jamf & Symantec Managed PKI

Presented by:
Isaac Ordonez, Mann Consulting
Jeff Vrieling, Jamf

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.

Transcript

  1. None
  2. © JAMF Software, LLC
     • Isaac Ordonez, Sr. Consultant, Mann Consulting
     • Jeff Vrieling, Professional Service Engineer, Jamf
  3. Automated Certificate Deployment with Jamf and Symantec Managed PKI
     Presentation agenda:
     • Goals & Certs
     • Services
     • Configuration
     • Demo
  4. Goals & Certs
  5. Goals - Security: Better security for clients
     • No passwords for users
     • Require devices in MDM
  6. Goals - Fully hosted: Monthly spend, no servers, no certificate person
     • Lower IT overhead
     • Security patched by vendor
     • Don’t need expertise in PKI
  7. Why Certificates: More secure than passwords
     • Similar to a passport
     • Can be issued to user or device
     • Not exportable
     • 6.4 quadrillion years to crack*
  8. An Identity

  9. © JAMF Software, LLC

  10. Certificate Authority (CA) Root Cert: Certificate granted to Isaac Ordonez (jnuc.ordonez.tv)
     • “Are you really Isaac Ordonez?”
     • “Yes, here is my certificate”
  11. Services
  12. (Digicert) Symantec Managed PKI: Turnkey hosted PKI service
     • Signs and validates certificates
     • Cost $6-9 device per year
     • $2,000 Setup cost
     • Support built in to Jamf Pro
  13. RADIUS: Remote Authentication Dial-In User Service
     • Authentication, Authorization and Accounting
     • Ethernet, WiFi, VPN, etc.
     • Industry standard
     • Foxpass/FreeRADIUS/others
  14. Hosted RADIUS (+LDAP) auth
     • Accepts certificates for auth
     • Google/Okta/O365/OneLogin support
     • ~$3k per year for 25 w/TLS auth
     • ~$30k per year for 1000 w/TLS auth
  15. HTTPs client authentication: Require certificates for HTTPs sites
     • HTTPs servers require certificate from client
     • No data transmitted until validated
     • MDM required for access
  16. Configuration
  17. Config - Symantec - Install Client: Configure Symantec Instance
     • Install Symantec Client
     • Install Symantec Chrome Extension
  18. © JAMF Software, LLC

  19. Config - Symantec - Login to PKI: Configure Symantec Instance
     • Install administrator certificate
     • Fix private key access settings
  20. © JAMF Software, LLC

  21. Config - Symantec - Setup the PKI: Configure Symantec Instance
     • Create a certificate profile
     • Define certificate settings
     • Download your public CA and save
     • Connect to Jamf Pro
  22. © JAMF Software, LLC

  23. Config - Foxpass - Server certificate (Steps not shown)
     • Send Foxpass your Symantec Root CA
     • Foxpass sends you a server certificate
  24. Config - Foxpass & Meraki: Set up RADIUS
     • Create a RADIUS client for your network
     • Set WiFi to WPA2-Enterprise
     • Use Secret and IP for RADIUS server
  25. © JAMF Software, LLC

  26. Config - Apache - HTTPs client auth: Easy to set up
     • Enable SSLVerifyClient
     • Specify Symantec Public CA as PEM
  27. © JAMF Software, LLC

  28. Config - Jamf Pro - Configuration Profile: Create configuration profile
     • Include Symantec CA & Foxpass certificates
     • Define client certificate mapping
     • Match certificate profile OID
     • Create WiFi payload
  29. © JAMF Software, LLC

  30. Config - Jamf Pro - Smart Group: Smart group of valid usernames
     • Smart group for valid usernames
     • Scope configuration profile
  31. © JAMF Software, LLC

  32. Demo - Certificate Verification: Multiple locations to view certificate
     • Client - Profiles
     • Jamf Pro - Inventory
     • Symantec PKI - Certificates
     • Client - Keychain - No exporting key!
  33. © JAMF Software, LLC

  34. Demo - Connect to WiFi: Connect and review logs
     • WiFi connection is automatic
     • Review Meraki logs
     • Review Foxpass logs
  35. © JAMF Software, LLC

  36. Demo - Connect to HTTPs site: Example of a client without certificate
     • HTTPs handshake fails, no data passed
  37. © JAMF Software, LLC

  38. Demo - Connect to HTTPs site: Example of a client with certificate
     • HTTPs handshake success
     • Web resources load
  39. © JAMF Software, LLC

  40. Services: Where to get trials and sign up
     • Foxpass - foxpass.com
     • Symantec MPKI
     • www.digicert.com/client-certificates/
     • Jamf Pro - Jamf.com
  41. Services: Want help setting it up?
     • Email support@mann.com
     • Jamf Professional Services
  42. Questions?
  43. THANK YOU!
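
An added example, not taken from the presentation: a minimal Apache (mod_ssl) virtual host for the HTTPs client authentication that slides 15 and 26 describe, with the weaker `SSLVerifyClient` modes noted beside the enforced one. The hostname, file paths and log name are placeholders assumed for illustration.

```apache
# Added example. Hostname and all file paths are assumed placeholders.
<VirtualHost *:443>
    ServerName intranet.example.com

    SSLEngine on

    # The web server's own certificate and private key.
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key

    # The public CA downloaded from the managed PKI, saved in PEM format.
    # Only client certificates that chain to a CA in this file verify.
    SSLCACertificateFile  /etc/ssl/certs/managed-pki-ca.pem

    # Weaker modes that do NOT enforce the requirement:
    #   SSLVerifyClient none             no certificate is requested
    #   SSLVerifyClient optional         handshake succeeds without a certificate
    #   SSLVerifyClient optional_no_ca   certificate is accepted without verifying
    #
    # "require" at virtual-host level asks for the certificate during the
    # initial TLS handshake, so a client without one is rejected before any
    # HTTP request or response is exchanged.
    SSLVerifyClient require

    # Maximum chain length between the client certificate and a trusted CA.
    # 1 means the issuing CA itself must be in SSLCACertificateFile; raise it
    # only if the PKI issues through intermediates.
    SSLVerifyDepth 1

    # Record which certificate subject made each request, for later review.
    CustomLog logs/clientcert_access.log "%h %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s"
</VirtualHost>
```

Because the client certificate is only issued to devices that receive the Jamf Pro configuration profile, this server-side check is what ties access to MDM enrollment.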