Automating Certificate Deployment with Jamf & Symantec Managed PKI

Transcript

1. None

2. © JAMF Software, LLC Isaac Ordonez Sr. Consultant Mann Consulting

   Jeff Vrieling Professional Service Engineer Jamf

3. © JAMF Software, LLC Automated Certificate Deployment with Jamf and

   Symantec Managed PKI Presentation agenda: Goals & Certs Services Configuration Demo

4. © JAMF Software, LLC Goals & Certs

5. © JAMF Software, LLC Goals - Security • No passwords

   for users • Require devices in MDM Better security for clients

6. © JAMF Software, LLC Goals - Fully hosted • Lower

   IT overhead • Security patched by vendor • Don’t need expertise in PKI Monthly spend, no servers, no certificate person

7. © JAMF Software, LLC Why Certificates • Similar to a

   passport • Can be issued to user or device • Not exportable • 6.4 quadrillion years to crack* More secure than passwords

8. © JAMF Software, LLC An Identity

9. © JAMF Software, LLC

10. © JAMF Software, LLC “Are you really Isaac Ordonez?” “Yes,

    here is my certificate” jnuc.ordonez.tv Certificate granted to Isaac Ordonez Certificate Authority (CA) Root Cert

11. © JAMF Software, LLC Services

12. © JAMF Software, LLC (Digicert) Symantec Managed PKI • Signs

    and validates certificates • Cost $6-9 device per year • $2,000 Setup cost • Support built in to Jamf Pro Turnkey hosted PKI service

13. © JAMF Software, LLC RADIUS • Authentication, Authorization and Accounting

    • Ethernet, WiFi, VPN, etc. • Industry standard • Foxpass/FreeRADIUS/others Remote Authentication Dial-In User Service

14. © JAMF Software, LLC • Accepts certificates for auth •

    Google/Okta/O365/OneLogin support • ~$3k per year for 25 w/TLS auth • ~$30k per year for 1000 w/TLS auth Hosted RADIUS (+LDAP) auth

15. © JAMF Software, LLC HTTPs client authentication • HTTPs servers

    require certificate from client • No data transmitted until validated • MDM required for access Require certificates for HTTPs sites

16. © JAMF Software, LLC Configuration

17. © JAMF Software, LLC Config - Symantec - Install Client

    • Install Symantec Client • Install Symantec Chrome Extension Configure Symantec Instance

18. © JAMF Software, LLC

19. © JAMF Software, LLC Config - Symantec - Login to

    PKI • Install administrator certificate • Fix private key access settings Configure Symantec Instance

20. © JAMF Software, LLC

21. © JAMF Software, LLC Config - Symantec - Setup the

    PKI • Create a certificate profile • Define certificate settings • Download your public CA and save • Connect to Jamf Pro Configure Symantec Instance

22. © JAMF Software, LLC

23. © JAMF Software, LLC Config - Foxpass - Server certificate

    • Send Foxpass your Symantec Root CA • Foxpass sends you a server certificate (Steps not shown)

24. © JAMF Software, LLC Config - Foxpass & Meraki •

    Create a RADIUS client for your network • Set WiFi to WPA2-Enterprise • Use Secret and IP for RADIUS server Set up RADIUS

25. © JAMF Software, LLC

26. © JAMF Software, LLC Config - Apache - HTTPs client

    auth • Enable SSLVerifyClient • Specify Symantec Public CA as PEM Easy to set up

27. © JAMF Software, LLC

28. © JAMF Software, LLC Config - Jamf Pro - Configuration

    Profile • Include Symantec CA & Foxpass certificates • Define client certificate mapping • Match certificate profile OID • Create WiFi payload Create configuration profile

29. © JAMF Software, LLC

30. © JAMF Software, LLC Config - Jamf Pro - Smart

    Group • Smart group for valid usernames • Scope configuration profile Smart group of valid usernames

31. © JAMF Software, LLC

32. © JAMF Software, LLC Demo - Certificate Verification • Client

    - Profiles • Jamf Pro - Inventory • Symantec PKI - Certificates • Client - Keychain - No exporting key! Multiple locations to view certificate

33. © JAMF Software, LLC

34. © JAMF Software, LLC Demo - Connect to WiFi •

    WiFi connection is automatic • Review Meraki logs • Review Foxpass logs Connect and review logs

35. © JAMF Software, LLC

36. © JAMF Software, LLC Demo - Connect to HTTPs site

    ! • HTTPs handshake fails, no data passed Example of a client without certificate

37. © JAMF Software, LLC

38. © JAMF Software, LLC Demo - Connect to HTTPs site

    " • HTTPs handshake success • Web resources load Example of a client with certificate

39. © JAMF Software, LLC

40. © JAMF Software, LLC Services • Foxpass - foxpass.com •

    Symantec MPKI • www.digicert.com/client-certificates/ • Jamf Pro - Jamf.com Where to get trials and sign up

41. © JAMF Software, LLC Services • Email [email protected] • Jamf

    Professional Services Want help setting it up?

42. © JAMF Software, LLC Questions?

43. © JAMF Software, LL THANK YOU!