
Compliance and Identity

Jamf
November 13, 2019


Transcript

  1. © JAMF Software, LLC. Compliance and Identity. Presentation agenda:
     a bit of history; DigiCert integration; ADCS Connector basics; ADCS Connector advanced.
  2. Caesar (figure: the plain alphabet A to Z above the shifted cipher alphabet).
  3. Caesar (figure: substitution table, plain alphabet A to Z mapped onto a shifted alphabet).
  4. Caesar, variation (figure: plain alphabet A to Z above a keyword-mixed cipher alphabet
     J U L E S C A R T V W X Y Z B D F G H I K M N O P Q).
  5. Vigenère. Clear text: apple. Secret key: poire. Ciphered text: P X D I C.
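The three classical ciphers on slides 2 to 5, as an added example written for this transcript (it is not code from the talk). It assumes the usual conventions: Caesar rotates the alphabet by a fixed shift, and Vigenère adds the repeating key letter by letter modulo 26. The fill rule for the keyword-mixed alphabet (after the keyword, continue from the letter following the keyword's last letter and wrap around) is inferred from the sequence shown on slide 4, where it reproduces J U L E S C A R T V W X Y Z B D F G H I K M N O P Q exactly. With the standard tabula recta, apple under key poire encrypts to PDXCI; the transcript lists those same five letters in the order P X D I C.

```python
"""Caesar, keyed-alphabet Caesar variation and Vigenère from the opening slides.

Added illustration for this transcript, not code from the talk. Inputs are the
slide's own: apple / poire, and a keyword alphabet starting JULESCAR.
"""
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift):
    """Rotate each letter by `shift` positions; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(ciphertext):
    """All 26 rotations of a Caesar ciphertext.

    The tiny key space is the security lesson of slides 2-4: a reader can
    simply look at every rotation, so the scheme offers no secrecy.
    """
    return {shift: caesar(ciphertext, -shift) for shift in range(26)}


def keyed_alphabet(keyword):
    """Mixed cipher alphabet: deduplicated keyword letters first, then the
    unused letters starting just after the keyword's last letter, wrapping
    around (assumed fill rule, inferred from the slide 4 sequence)."""
    kw = []
    for ch in keyword.upper():
        if ch in ALPHABET and ch not in kw:
            kw.append(ch)
    start = (ALPHABET.index(kw[-1]) + 1) % 26
    rest = [ALPHABET[(start + i) % 26] for i in range(26)]
    return "".join(kw + [c for c in rest if c not in kw])


def substitute(text, cipher_alphabet, decrypt=False):
    """Monoalphabetic substitution between ALPHABET and `cipher_alphabet`."""
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    return text.upper().translate(str.maketrans(src, dst))


def vigenere(text, key, decrypt=False):
    """Tabula recta: c_i = (p_i + k_(i mod len(key))) mod 26.

    Only letters consume a key position; other characters pass through.
    """
    shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            s = shifts[i % len(shifts)]
            if decrypt:
                s = -s
            out.append(ALPHABET[(ALPHABET.index(ch) + s) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print("Caesar +3:", caesar("apple", 3))
    print("Keyed alphabet:", keyed_alphabet("JULESCAR"))
    print("Keyed substitution:", substitute("apple", keyed_alphabet("JULESCAR")))
    print("Vigenère apple/poire:", vigenere("apple", "poire"))
```

Running the block prints each transformation of "apple"; the Vigenère line shows PDXCI, and decrypting it with the same key returns APPLE, which is the symmetric-key property the next slide contrasts with asymmetric keys.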
  6. Asymmetric keys: recent maths (prime numbers); two keys, private and public; easy key transmission.
  7. "Are you www.apple.com?" "Of course, look at my certificate."
     (figure: www.apple.com, certificate for www.apple.com, Certification Authority, Root CA)
  8. History: SSL 2, Netscape 1.1, 1995; SSL 3 just after (bugs in 2); TLS 1.0 (SSL 3.1), 1999, by the IETF;
     TLS 1.1 in 2006; TLS 1.2 in 2008.
  9. ADCS Connector - Prerequisites: Windows Server 2016 or higher; member of the same domain as the PKI,
     or a trust relationship with that domain; .NET 4.5 or higher; an FQDN;
     ports (443 for the Connector; 135 and 49152-65535 for DCOM).
  10. ADCS Connector - Simple Setup (figure: foo.jamfcloud.com, adcsc.company.com, pki.corp.company.com)
      .\deploy.ps1 -fqdn adcsc.company.com -jamfProDn foo.jamfcloud.com -cleanInstall
  11. Template: a template for ADCS Connector usage. Do not try to use an existing one, it is probably wrong.
      Subject Name: Supply in Request. Security: the Connector server needs Read and Enroll.
  12. ADCS Connector - Advanced Setup (figure: foo.jamfcloud.com, adcsc.company.com, pki.corp.company.com,
      pki2.corp.company.com)
  13. ADCS Connector - Advanced Setup: multiple Jamf Pro servers and one ADCS Connector
      (figure: foo.jamfcloud.com, foo2.jamfcloud.com, adcsc.company.com, pki.corp.company.com)
  14. ADCS Connector - Advanced Setup: multiple Jamf Pro servers and one ADCS Connector
      (figure: foo.jamfcloud.com, foo2.jamfcloud.com, adcsc.company.com, pki.corp.company.com, pki2.corp.company.com)
  15. ADCS Connector - Advanced Setup (adcsc.company.com): change the IIS certificate for the ADCS Connector.
  16. ADCS Connector - Advanced Setup: change the authentication certificate for ADCS Connector HTTPS.
  17. … PFX from your CA. Make it a single line, no BEGIN/END CERTIFICATE. Copy the single line.
      Paste the content in that field.
  18. ADCS Connector - Troubleshooting: everything is fine! Logs here: C:\inetpub\logs\LogFiles\W3SVC2
      2019-09-23 22:07:41 193.108.164.2 GET /api/v1/version - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 12968
      2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 4906
      2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/retrieve - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 281
      Three steps to acquire the certs, all answered 200: we get a certificate.
  19. ADCS Connector - Troubleshooting: 403 16 error. Logs here: C:\inetpub\logs\LogFiles\W3SVC2
      2019-07-19 09:06:20 10.196.172.64 GET /api/v1/version - 443 - 10.196.172.17 Java-SDK - 403 16 2148204809 0
      Usually due to an improper Root CA certificate in the Intermediate folder in Windows.
  20. ADCS Connector - Troubleshooting: 403 16 error, identify and fix.
      # list certificates in the Root store that are not self-signed (Issuer differs from Subject)
      Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}
      # move those certificates to the intermediate CA store
      Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Move-Item -Destination Cert:\LocalMachine\CA
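A small log checker for the troubleshooting slides 18 to 20, as an added example written for this transcript (it is not Jamf's code). It reads the W3C-format lines that IIS writes under C:\inetpub\logs\LogFiles\W3SVC2, groups requests by client, and reports whether Jamf Pro completed the version / request / retrieve sequence with three 200 answers or hit the 403 16 trust failure. The four request lines in the sample are the ones shown on the slides; the `#Fields:` directive is constructed to name the fifteen columns those lines use. Two facts beyond the slides are relied on: IIS substatus 403.16 means the client certificate is untrusted or invalid, and the win32 status 2148204809 on the slide is 0x800B0109, the Windows HRESULT CERT_E_UNTRUSTEDROOT, which is consistent with the misplaced CA certificate the slide blames.

```python
"""Classify ADCS Connector requests from the IIS (W3C) site log.

Added example for this transcript, not Jamf's code. The three 200 lines and
the 403 16 line are the ones shown on the slides; the "#Fields:" directive is
constructed to match the column order those lines use.
"""
from collections import defaultdict

# Default column order, used when a log carries no "#Fields:" directive
# (assumption: matches the 15 columns visible on the slide lines).
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
                  "sc-substatus sc-win32-status time-taken").split()

# Calls Jamf Pro makes to the connector for one certificate (slide 18).
HAPPY_PATH = ("/api/v1/version", "/api/v1/certificate/request",
              "/api/v1/certificate/retrieve")

# Windows HRESULT: the certificate chain ends in a root that is not trusted.
CERT_E_UNTRUSTEDROOT = 0x800B0109

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-09-23 22:07:41 193.108.164.2 GET /api/v1/version - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 12968
2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 4906
2019-09-23 22:07:46 193.108.164.2 POST /api/v1/certificate/retrieve - 443 AdcsProxyAccessUser 193.108.165.29 Java-SDK - 200 0 0 281
2019-07-19 09:06:20 10.196.172.64 GET /api/v1/version - 443 - 10.196.172.17 Java-SDK - 403 16 2148204809 0
"""


def parse_w3c(text):
    """Yield one dict per request line, honouring the #Fields directive."""
    fields = list(DEFAULT_FIELDS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def classify_clients(entries):
    """Group requests by client IP and decide whether enrolment completed,
    failed on client-certificate trust (403.16), or is still incomplete."""
    per_client = defaultdict(list)
    for e in entries:
        per_client[e["c-ip"]].append(e)

    report = {}
    for ip, reqs in per_client.items():
        reqs.sort(key=lambda e: (e["date"], e["time"]))
        trust_failures = [e for e in reqs
                          if e["sc-status"] == "403" and e["sc-substatus"] == "16"]
        ok_paths = {e["cs-uri-stem"] for e in reqs if e["sc-status"] == "200"}
        if trust_failures:
            win32 = int(trust_failures[0]["sc-win32-status"])
            report[ip] = {
                "status": "untrusted_client_cert",
                "win32": f"0x{win32:08X}",
                "untrusted_root": win32 == CERT_E_UNTRUSTEDROOT,
                "hint": ("IIS 403.16: client certificate chain not trusted. "
                         "Check that LocalMachine\\Root holds only self-signed "
                         "roots and that intermediates live in LocalMachine\\CA."),
            }
        elif all(p in ok_paths for p in HAPPY_PATH):
            report[ip] = {"status": "issued", "requests": len(reqs)}
        else:
            missing = [p for p in HAPPY_PATH if p not in ok_paths]
            report[ip] = {"status": "incomplete", "missing": missing}
    return report


def analyze(log_text=SAMPLE_LOG):
    """Parse and classify a whole log file's text."""
    return classify_clients(parse_w3c(log_text))


if __name__ == "__main__":
    for client, verdict in analyze().items():
        print(client, verdict)
```

The hint emitted for a 403.16 client restates the slide 20 fix: any certificate in the machine Root store whose Issuer differs from its Subject is not a root and belongs in the intermediate CA store. Pointing the script at a real log only requires reading the file into `analyze()`.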
  21. ADCS Connector - Troubleshooting, other common issues: can't find the template:
      check security, the server requires Read and Enroll.
  22. ADCS Connector - Troubleshooting, other common issues: the ADCS Connector requires a proper FQDN
      (Jamf Pro says IP or FQDN; only use the FQDN); do not break TLS/SSL authentication or replay it;
      GPOs could block authentication.
  23. Thank you for listening! Give us feedback by completing the 2-question session survey in the JNUC 2019 app.
      UP NEXT: Deploying macOS Catalina, 4-4:45 PM.