Server Series – Jamf AD CS Connector

Download Windows Server 2022 from: https://www.microsoft.com/en-us/evalcenter/
– Install Windows Server 2022
* Windows Server 2019 System Requirements:
Processor: 1.4 GHz 64-bit processor
RAM: 512 MB
Disk Space: 32 GB
Network – Gigabit (10/100/1000baseT) Ethernet adapter
Optical Storage – DVD drive (if installing the OS from DVD media)
Video – Super VGA (1024 x 768) or higher-resolution (optional)
Input Devices – Keyboard and mouse (optional)
Internet – Broadband access (optional)

There may come a time when we need to deliver a certificate from our Certificate Authority to a computer for certificate-based authentication to secure corporate resources. Maybe you’d like to use a machine certificate for EAP authentication so your computers can connect to your corporate network. Deploying certificates can be a daunting task, but don’t worry, the Jamf AD CS connector comes to the rescue by making the job easy and scalable with Jamf Pro.

Another benefit to using the Jamf AD CS Connector is the fact that it is a proxy between a Jamf Pro server and an internal Active Directory Certificate Service (ADCS). This reduces the risk of having your internal CA exposed to the public Internet.

In this guide, we will go through the setup of the Jamf AD CS connector and set up a configuration profile in Jamf Pro that will deliver a machine certificate from our Certificate Authority (set up earlier in this series) to a macOS computer already enrolled in our Jamf Pro server. The Jamf AD CS Connector requirements are listed below; they can also be found in the AD CS documentation here: Installing the Jamf AD CS Connector

* Jamf AD CS Connector Server Requirements:
– Windows Server 2019 or 2019
– AD CS Connector Server must be joined to a domain that has a trust relationship with the domain of the Certificate Authority server
– .NET Framework 4.5 or later
– PowerShell 5.1

* Jamf AD CS Connector Network Requirements
– Port 135 and ports 49152-65535 (DCOM) open inbound from the AD CS connector to the internal CA.
– Port 443 open inbound from the Jamf Pro server to the AD CS connector
– A Fully Qualified Domain Name (FQDN) for your AD CS Connector server. This absolutely needs to be externally resolvable if you are using Jamf Cloud.
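
A preflight check for the requirements listed above, run on the server that will host the connector. This is an added example, not part of the Jamf installer; `CA-01.zero.ad` is a placeholder for your CA's FQDN.

```powershell
# Added example: preflight for the AD CS Connector server requirements.
$caHost = 'CA-01.zero.ad'   # placeholder: FQDN of your internal CA
$checks = [ordered]@{}

# .NET Framework 4.5 or later reports a Release value of 378389 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$checks['.NET Framework 4.5 or later'] = $ndp.Release -ge 378389

$checks['PowerShell 5.1 or later'] = $PSVersionTable.PSVersion -ge [version]'5.1'

# The connector must be joined to a domain trusted by the CA's domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$checks["Domain joined ($($cs.Domain))"] = $cs.PartOfDomain

# Port 135 is the RPC endpoint mapper used by DCOM. The dynamic range
# 49152-65535 is only allocated per call, so it cannot be probed up front;
# confirm that range in the firewall rules between connector and CA.
$rpc = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue
$checks["TCP 135 reachable on $caHost"] = $rpc.TcpTestSucceeded

# Internal resolution only. For Jamf Cloud, also resolve this name from
# a resolver outside your network.
$fqdn = [System.Net.Dns]::GetHostByName($env:computerName).HostName
$checks["DNS resolves $fqdn"] = [bool](Resolve-DnsName -Name $fqdn -ErrorAction SilentlyContinue)

$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```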

To make sense of what this looks like for our network, refer to the diagrams below:

We will now walk through the installation of the AD CS Connector service, which is really easy, since Jamf was awesome and packaged it in a PowerShell script that we can run.

Before we go step by step through the AD CS Connector installation, make sure that your server is ready and joined to your test lab domain.

1. Set the DNS address on our computer to our domain controller from the previous guides. Press Start and search for View Network Connections.
2. Right-click on the Ethernet adapter, and select Properties
3. Choose Internet Protocol Version 4 (TCP/IPv4), and open Properties
4. Under the General tab, select the radio button for Use the following DNS server addresses:
5. Enter the IP address of your domain controller, click OK, then click Close
6. Now we need to rename and join this computer to our domain. Press Start and search for About your PC
7. Scroll down on the ‘About’ section and find Rename this PC (advanced)
8. Under the Computer Name tab, select Change…
9. Change the Computer name: value and choose the radio button for Domain, then enter the value for your domain (ex. newDomain.ad), then click OK
10. You will be prompted for a domain administrator password. Close the About window. You should see a message that says Welcome to the newDomain.ad domain; click OK, then click OK on the next pop-up. Click Close on the system properties, and restart the computer.

Now that our server is joined to the domain, we can start setting up the Jamf AD CS Connector.

1. Download the latest ADCS Connector installer from here. The installer will be listed under Products > Other Products > Jamf AD CS Connector. Once the compressed file is downloaded, go ahead and extract it.

2. Open PowerShell as an administrator

3. In PowerShell, run the following to set your execution policy:

Set-ExecutionPolicy Unrestricted

4. Navigate to the unzipped ADCS Connector folder:

cd "C:\Users\user\Downloads\adcs-connector-1.0.0\ADCS Connector\"

5. Run the deploy.ps1 script with the following (you will need the FQDN of the AD CS Connector Server and the Jamf Pro Server), then choose [R] to Run Once.

.\deploy.ps1 -fqdn ADCS-01.zero.ad -jamfProDn JPS-01.zero.ad -cleanInstall

Note: If you need to find the FQDN of your AD CS computer, run the following in PowerShell:

[System.Net.Dns]::GetHostByName($env:computerName)

6. Once the deploy.ps1 script is complete, you will need to take note of the ‘Client cert keystore password’. You will be prompted for this password when we set up the connection in Jamf Pro, so save it somewhere safe for now.

7. That’s it for our AD CS Connector. The services should be running and we are now ready to integrate with Jamf Pro. Navigate to your Jamf Pro server and log in.

8. Once logged into Jamf Pro, navigate to Jamf Pro > Settings > Global Management > PKI Certificates > + Configure New Certificate Authority

9. Choose Active Directory Certificate Services (AD CS)

10. You will need to input the FQDN of your certificate authority server. To gather this, you can run the following in PowerShell on your CA:

[System.Net.Dns]::GetHostByName($env:computerName)

11. For the CA name, you can open Certificate Authority on the CA and you should be presented with this information:

12. In the URL field, enter the FQDN of the AD CS Connector server.

13. Upload the server certificate generated by the .ps1 script. This will be located in the same folder as the deploy.ps1 script and will be named adcs-proxy-ca

14. Upload the client certificate generated by the .ps1 script. This will be located in the same folder as the deploy.ps1 script and will be named client-cert

15. Save your configuration.
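
Run as written, `Set-ExecutionPolicy Unrestricted` in step 3 changes the policy for the whole machine and stays in effect after the install. The variant below is an added example (not from the Jamf documentation) that limits the change to the current PowerShell session, using the same path and host names as steps 4 and 5, and then lists who can read the generated client keystore.

```powershell
# Added example: steps 3 to 5 with the policy change scoped to this session.
$connectorDir = 'C:\Users\user\Downloads\adcs-connector-1.0.0\ADCS Connector'

# Show the policy at every scope before changing anything.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy

# Process scope applies only to this PowerShell session and is discarded
# when the window closes. -Force only skips the confirmation for this cmdlet;
# the [R] Run once prompt for the downloaded script still appears.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

Set-Location -LiteralPath $connectorDir
.\deploy.ps1 -fqdn ADCS-01.zero.ad -jamfProDn JPS-01.zero.ad -cleanInstall

# The machine-wide policy should be the same as before the install.
Get-ExecutionPolicy -Scope LocalMachine

# The connector should now be listening on 443 for the Jamf Pro server.
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State

# client-cert is the credential Jamf Pro presents to the connector.
# List who can read it; once it is uploaded in step 14, do not leave
# a copy in a Downloads folder.
Get-ChildItem -LiteralPath $connectorDir -Filter 'client-cert*' | ForEach-Object {
    $_.FullName
    (Get-Acl -LiteralPath $_.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType
}
```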

Now that the Jamf AD CS Connector server is all set up and we have our certificate authority settings configured in Jamf Pro, we need to set up a certificate template on our CA to use when distributing certificates. To do that:

1. On the CA, open Certification Authority

2. Right-click on Certificate Templates > Click Manage

3. Right-click on Computer > Click Duplicate Template

4. Go to the General Tab, give the Template a display name

5. Check the box to ‘Publish certificate in Active Directory’

6. Go to Compatibility tab, change Certificate recipient to Windows 10 / Server 2016

7. Go to Subject Name tab, change to ‘Supply in the request’

8. Go to Security tab, click Add

9. Change the Object Type to computers

10. Search for your AD CS Connector server and add

11. Give your AD CS Connector server Read and Enroll privileges

12. Click Apply

13. Go back to Certification Authority

14. Right-click on Certificate Templates > New > Certificate Template To Issue

15. Choose the new certificate template that was created.
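
With ‘Supply in the request’ set in step 7, the CA takes the subject from whoever submits the request, so the template's Enroll permission is what limits who can obtain a certificate under a name of their choosing. A duplicated template also starts with the permission entries of the template it was copied from. The added example below (not part of the original guide) lists every principal that can enroll so you can confirm the result of steps 8 to 11; the template name and the NetBIOS account name are placeholders.

```powershell
# Added example: audit who can enroll in the duplicated template.
$templateName = 'JamfMachineCert'     # hypothetical: the template's name (CN), not its display name
$expected     = @('ZERO\ADCS-01$')    # assumed NetBIOS form of the connector's computer account;
                                      # add the admin groups you intend to keep

$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$configNC   = ([ADSI]'LDAP://RootDSE').psbase.Properties['configurationNamingContext'].Value
$template   = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Bit 0x1 of msPKI-Certificate-Name-Flag is set when the subject is supplied in the request.
$nameFlag        = [int]$template.psbase.Properties['msPKI-Certificate-Name-Flag'].Value
$suppliesSubject = ($nameFlag -band 1) -ne 0

$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rules = $template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# Enroll is granted by an Allow entry for the Certificate-Enrollment right,
# or by an entry covering all extended rights (empty object type, e.g. Full Control).
$enrollers = foreach ($rule in $rules) {
    $canEnroll = ($rule.AccessControlType -eq 'Allow') -and
                 (([int]$rule.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
                 ($rule.ObjectType -eq $enrollGuid -or $rule.ObjectType -eq [guid]::Empty)
    if ($canEnroll) {
        [pscustomobject]@{
            Principal = $rule.IdentityReference.Value
            Expected  = $expected -contains $rule.IdentityReference.Value
        }
    }
}

$enrollers | Sort-Object Principal -Unique | Format-Table -AutoSize

if ($suppliesSubject -and ($enrollers | Where-Object { -not $_.Expected })) {
    Write-Warning "Subject is supplied in the request and principals other than the connector can enroll in '$templateName'."
}
```

Remove Enroll from any principal flagged as unexpected on the template's Security tab before issuing the template in step 14.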

Almost ready! We now need to create a configuration profile in Jamf Pro. Jamf Pro will use this configuration profile to deliver the certificate from the CA to the computer.

  1. Navigate to Jamf Pro > Computers > Configuration Profiles > New
  2. Give the configuration profile a Name
  3. Configure the Certificate payload
  4. Give the certificate a name
  5. Change the certificate option to the CA
  6. Certificate subject: CN=$SERIALNUMBER
  7. Template name: make sure this matches the template name created on the CA
  8. Adjust scope and save.

Now, if all goes according to plan, you should see your computers in scope get a certificate issued to them from your CA. You can verify on your enrolled macOS computers by opening up Keychain Access and finding the certificate in your System’s keychain.

If you chose to deploy the configuration profile at the User level, the certificate will be deployed in the login keychain items.

Thanks for checking it out!
