Compliance_and_Identity.pdf

Jamf
November 13, 2019

Transcript

  1. © JAMF Software, LLC Compliance and Identity

    Presentation agenda:
    A bit of history
    DigiCert integration
    ADCS Connector Basics
    ADCS Connector Advanced
  2. Caesar

    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  3. Caesar

    A P
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    B C D E F G H I J K L M N O Q R S T U V W X Y Z
    N C C Y R
  4. Caesar - Variation

    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    J U L E S C A R T V W X Y Z B D F G H I K M N O P Q
  5. Vigenère

    Clear Text: apple
    Secret Key: poire
    Ciphered text: P X D I C
  6. Asymmetric Keys

    Recent Maths (prime numbers)
    2 keys, private and public
    Easy key transmission
  7. “Are you www.apple.com?” “Of course, look at my certificate”

    www.apple.com
    Certificate for www.apple.com
    Certification Authority
    Root CA
  8. History

    SSL 2: Netscape 1.1, 1995
    SSL 3: just after (bugs in 2)
    TLS 1.0 (SSL 3.1): 1999, by IETF
    TLS 1.1 in 2006
    TLS 1.2 in 2008
  9. ADCS Connector - Prerequisites

    Windows Server 2016 or higher
    Be member of the same domain as the PKI or have a trust relationship with that domain
    .NET 4.5 or higher
    FQDN
    Ports (443 for Connector, 135, 49152-65535 for DCOM)
  10. ADCS Connector - Simple Setup

    foo.jamfcloud.com adcsc.company.com pki.corp.company.com
    .\deploy.ps1 -fqdn adcsc.company.com -jamfProDn foo.jamfcloud.com -cleanInstall
  11. Template

    Template for ADCS Connector usage
    Do not try to use an existing one, probably wrong
    Subject Name: Supply in Request
    Security: Connector server needs Read and Enroll
  12. ADCS Connector - Advanced Setup

    foo.jamfcloud.com adcsc.company.com pki.corp.company.com pki2.corp.company.com
  13. ADCS Connector - Advanced Setup

    foo.jamfcloud.com adcsc.company.com pki.corp.company.com foo2.jamfcloud.com
    Multiple Jamf Pro Servers and One ADCS Connector
  14. ADCS Connector - Advanced Setup

    foo.jamfcloud.com adcsc.company.com pki.corp.company.com foo2.jamfcloud.com pki2.corp.company.com
    Multiple Jamf Pro Servers and One ADCS Connector
  15. ADCS Connector - Advanced Setup

    adcsc.company.com
    Change IIS Certificate for the ADCS Connector
  16. ADCS Connector - Advanced Setup

    Change authentication certificate for ADCS Connector HTTPS
  17. … PFX from your CA

    Make it single line, no BEGIN/END CERTIFICATE
    Copy the single line
    Paste content in that field
  18. ADCS Connector - Troubleshooting

    Everything is fine!
    Logs here: C:\inetpub\logs\LogFiles\W3SVC2
    2019-09-23 22:07:41 193.108.164.2 GET /api/v1/version - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 12968
    2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 4906
    2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/retrieve - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 281
    3 steps to acquire the certs, all with answer 200, we get a certificate
  19. ADCS Connector - Troubleshooting

    403 16 error
    Logs here: C:\inetpub\logs\LogFiles\W3SVC2
    2019-07-19 09:06:20 10.196.172.64 GET /api/v1/version - 443 - 10.196.172.17 Java-SDK - 403 16 2148204809 0
    Usually due to improper Root CA certificate in Intermediate folder in Windows
  20. ADCS Connector - Troubleshooting

    403 16 error: identify and fix
    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}
    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Move-Item -Destination Cert:\LocalMachine\CA
  21. ADCS Connector - Troubleshooting

    Other common issues
    Can’t find the template: check security, server requires Read and Enroll
  22. ADCS Connector - Troubleshooting

    Other common issues
    ADCS Connector requires a proper FQDN
    Jamf Pro says IP or FQDN, only use FQDN
    Do not break TLS/SSL authentication or replay it
    GPOs could block authentication
  23. Thank you for listening!

    Give us feedback by completing the 2-question session survey in the JNUC 2019 app.
    UP NEXT: Deploying macOS Catalina, 4-4:45 PM
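
The IIS log lines on the two ADCS Connector troubleshooting slides can be triaged mechanically. The script below is an added example, not part of the Jamf slides or the ADCS Connector: the function names `parse` and `triage` are hypothetical, and the IIS default W3C field order is assumed when a log carries no `#Fields:` line. It reads the `sc-win32-status` value 2148204809 as 0x800B0109 (CERT_E_UNTRUSTEDROOT), the Windows code for a certificate chain that ends in an untrusted root.

```python
from collections import defaultdict

# IIS default W3C field order; an assumption, used only when no "#Fields:" line is present.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
                  "cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken").split()
# The three calls from the "Everything is fine!" slide, in order.
STEPS = ["/api/v1/version", "/api/v1/certificate/request", "/api/v1/certificate/retrieve"]
CERT_E_UNTRUSTEDROOT = 0x800B0109  # decimal 2148204809, as logged on the 403 16 slide

# Log lines copied from the two troubleshooting slides.
SAMPLE_LOG = """\
2019-09-23 22:07:41 193.108.164.2 GET /api/v1/version - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 12968
2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 4906
2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/retrieve - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 281
2019-07-19 09:06:20 10.196.172.64 GET /api/v1/version - 443 - 10.196.172.17 Java-SDK - 403 16 2148204809 0
"""

def parse(text):
    """Return one dict per request line, honouring a '#Fields:' directive if present."""
    fields, rows = DEFAULT_FIELDS, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # ignore truncated or malformed lines
                rows.append(dict(zip(fields, values)))
    return rows

def triage(rows):
    """Return (client IPs that completed all three steps with 200, list of failures)."""
    ok_calls, failures = defaultdict(list), []
    for r in rows:
        status, sub = int(r["sc-status"]), int(r["sc-substatus"])
        if status == 200:
            ok_calls[r["c-ip"]].append(r["cs-uri-stem"])
        elif (status, sub) == (403, 16):  # IIS: client certificate untrusted or invalid
            untrusted = int(r["sc-win32-status"]) == CERT_E_UNTRUSTEDROOT
            failures.append((r["c-ip"], "403.16",
                             "untrusted root" if untrusted else "client cert rejected"))
        else:
            failures.append((r["c-ip"], f"{status}.{sub}", "unclassified"))
    def in_order(calls):
        it = iter(calls)  # consuming a single iterator makes this a subsequence test
        return all(step in it for step in STEPS)
    return sorted(ip for ip, calls in ok_calls.items() if in_order(calls)), failures

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```

A client that appears only in the failure list with `untrusted root` is the case the deck addresses with the `cert:\LocalMachine\root` check.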