Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Compliance_and_Identity.pdf

Jamf
November 13, 2019
0
460

 Compliance_and_Identity.pdf

Jamf

November 13, 2019
Tweet

More Decks by Jamf

See All by Jamf
MDM for Everyone
jamf
0
83
Off-boarding in a Modern Deployment
jamf
0
430
Sharing Control to Improve Process and Relationships
jamf
0
31
Roll Your Own Configuration Profiles
jamf
0
370
Teaching the Teacher: Leveraging Jamf and Apple Resources for Professional Development with iPad
jamf
0
61
Jamf@SAP: Journey to 100,000 Mobile Devices
jamf
0
180
What's in the Blue Bin: Recycled Malware
jamf
0
190
Who's Afraid of the Command Line
jamf
0
150
Your Internal Beta Test Program: Opt-in/Opt-out via Self Service
jamf
0
120

Featured

See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
In The Pink: A Labor of Love
frogandcode
138
21k
Six Lessons from altMBA
skipperchong
20
3k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Code Reviewing Like a Champion
maltzj
513
39k
How to name files
jennybc
64
92k
Faster Mobile Websites
deanohume
297
30k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
186
16k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
For a Future-Friendly Web
brad_frost
171
8.9k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
The Art of Programming - Codeland 2020
erikaheidi
41
12k

Transcript

  1. None

  2. © JAMF Software, LLC Laurent Pertois Senior Professional Services Engineer

    Jamf

  3. © JAMF Software, LLC Compliance and Identity Presentation agenda: A

    bit of history DigiCert integration ADCS Connector Basics ADCS Connector Advanced

  4. © JAMF Software, LLC A bit of history

  5. © JAMF Software, LLC Spartan Scytale

  6. © JAMF Software, LLC Cesar

  7. © JAMF Software, LLC Cesar A B C D E

    F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

  8. © JAMF Software, LLC Cesar A P A B C

    D E F G H I J K L M N O P Q R S T U V W X Y Z B C D E F G H I J K L M N O Q R S T U V W X Y Z N C C Y R

  9. © JAMF Software, LLC Cesar - Variation A B C

    D E F G H I J K L M N O P Q R S T U V W X Y Z J U L E S C A R T V W X Y Z B D F G H I K M N O P Q

  10. © JAMF Software, LLC Cesar - Weakness N C C

    Y R C C

  11. © JAMF Software, LLC Vigenère

  12. © JAMF Software, LLC Vigenère Alphabet Secret Key

  13. © JAMF Software, LLC Vigenere Clear Text : apple Secret

    Key : poire Ciphered text : P X D I C

  14. © JAMF Software, LLC Enigma

  15. © JAMF Software, LLC Main Issues Key Transmission PICNIC Cryptanalysis

  16. © JAMF Software, LLC

  17. © JAMF Software, LLC Asymmetric Keys Recent Maths (prime numbers)

    2 keys, private and public Easy key transmission

  18. © JAMF Software, LLC Asymmetric Keys

  19. © JAMF Software, LLC Asymmetric Keys 1976: Diffie and Hellman

    1978: Rivest, Shamir and Adleman

  20. © JAMF Software, LLC Certificates Identity Elements

  21. © JAMF Software, LLC Identity

  22. © JAMF Software, LLC Elements

  23. © JAMF Software, LLC PKI Trust Hierarchy History Key Negotiation

    Validation

  24. © JAMF Software, LLC Root CA

  25. © JAMF Software, LLC “Are you www.apple.com?” “Of course, look

    at my certificate” www.apple.com Certificate for www.apple.com Certification Authority Root CA

  26. © JAMF Software, LLC Hierarchy Root Certificate Intermediate Certificate Leaf

    Certificate

  27. © JAMF Software, LLC Hierarchy

  28. © JAMF Software, LLC History SSL 2 Netscape 1.1 1995

    SSL 3 just after (bugs in 2) TLS 1.0 (SSL 3.1) 1999 by IETF TLS 1.1 en 2006 TLS 1.2 en 2008

  29. © JAMF Software, LLC Validation Certificate Revokation List Online Certificate

    Status Protocol

  30. © JAMF Software, LLC

  31. © JAMF Software, LLC Digicert Integration Replaces Symantec Integration Improved

    settings and features Auto-Revoke!

  32. © JAMF Software, LLC ADCS Connector

  33. © JAMF Software, LLC ADCS Connector - Prerequisites Windows Server

    2016 or higher Be member of the same domain as the PKI or have a trust relationship with that domain .NET 4.5 or higher FQDN Ports (443 for Connector, 135, 49152-65535 for DCOM)

  34. © JAMF Software, LLC ADCS Connector communication HTTPS DCOM

  35. © JAMF Software, LLC ADCS Connector - Simple Setup CORP

    domain

  36. © JAMF Software, LLC ADCS Connector - Simple Setup foo.jamfcloud.com

    adcsc.company.com pki.corp.company.com .\deploy.ps1 -fqdn adcsc.company.com -jamfProDn foo.jamfcloud.com -cleanInstall

  37. © JAMF Software, LLC ADCS Connector - Simple Setup

  38. © JAMF Software, LLC ADCS Connector - Simple Setup

  39. © JAMF Software, LLC …

  40. © JAMF Software, LLC Template Template for ADCS Connector usage

    Do not try to use an existing one, probably wrong Subject Name: Supply in Request Security: Connector server needs Read and Enroll

  41. © JAMF Software, LLC …

  42. © JAMF Software, LLC …

  43. © JAMF Software, LLC ADCS Connector - Advanced Setup foo.jamfcloud.com

    adcsc.company.com pki.corp.company.com pki2.corp.company.com

  44. © JAMF Software, LLC …

  45. © JAMF Software, LLC ADCS Connector - Advanced Setup CORP

    domain DMZ domain

  46. © JAMF Software, LLC …

  47. © JAMF Software, LLC ADCS Connector - Advanced Setup foo.jamfcloud.com

    adcsc.company.com pki.corp.company.com foo2.jamfcloud.com Multiple Jamf Pro Servers and One ADCS Connector

  48. © JAMF Software, LLC ADCS Connector - Advanced Setup foo.jamfcloud.com

    adcsc.company.com pki.corp.company.com foo2.jamfcloud.com pki2.corp.company.com Multiple Jamf Pro Servers and One ADCS Connector

  49. © JAMF Software, LLC ADCS Connector - Advanced Setup adcsc.company.com

    Change IIS Certificate for the ADCS Connector

  50. © JAMF Software, LLC …

  51. © JAMF Software, LLC ADCS Connector - Advanced Setup Use

    Service account for ADCS Connector

  52. © JAMF Software, LLC …

  53. © JAMF Software, LLC ADCS Connector - Advanced Setup Change

    authentication certificate for ADCS Connector HTTPS

  54. © JAMF Software, LLC …

  55. © JAMF Software, LLC … PFX from your CA Make

    it single line, no BEGIN/END CERTIFICATE Copy the single line Paste content in that field

  56. © JAMF Software, LLC ADCS Connector - Troubleshooting Everything is

    fine! Logs here C:\inetpub\logs\LogFiles\W3SVC2 2019-09-23 22:07:41 193.108.164.2 GET /api/v1/version - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 12968 2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 4906 2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/retrieve - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 281 3 steps to acquire the certs, all with answer 200, we get a certificate

  57. © JAMF Software, LLC ADCS Connector - Troubleshooting 403 16

    error Logs here C:\inetpub\logs\LogFiles\W3SVC2 2019-07-19 09:06:20 10.196.172.64 GET /api/v1/version - 443 - 10.196.172.17 Java-SDK - 403 16 2148204809 0 Usually due to improper Root CA certificate in Intermediate folder in Windows

  58. © JAMF Software, LLC ADCS Connector - Troubleshooting 403 16

    error identify and fix Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Move-Item -Destination Cert:\LocalMachine\CA

  59. © JAMF Software, LLC ADCS Connector - Troubleshooting Other common

    issues Can’t find the template: check security, server requires Read and Enroll

  60. © JAMF Software, LLC ADCS Connector - Troubleshooting Other common

    issues ADCS Connector requires a proper FQDN Jamf Pro says IP or FQDN, only use FQDN Do not break TLS/SSL authentication or replay it GPOs could block authentication

  61. © JAMF Software, LLC Thank you for listening! Give us

    feedback by completing the 2-question session survey in the JNUC 2019 app. UP NEXT Deploying macOS Catalina 4-4:45 PM