Jamf School SCEP Configuration
This document guides you through the configuration of Jamf School to use SCEP with Foxpass.
Follow the steps and the screenshots below to configure Jamf School to use Foxpass's SCEP for an EAP-TLS network.
Download Foxpass CA Certificate
- Go to the Foxpass EAP-TLS page and download the 'Active Server CA'.
SCEP endpoint
If a SCEP endpoint has already been created, note its SCEP URL and challenge password on the SCEP page and proceed to the Configure Profile section of this documentation. If no SCEP endpoint is configured, follow the steps below.
- Click 'Create SCEP endpoint' button.
- For user certificate verification, set 'Verification Type' to 'User' and for device certificate verification set 'Verification Type' to 'Device'.
- Authentication Type - Challenge password
- Client Certificate Authority - Select Client CA from the dropdown.
- Click 'Create' button.
- SCEP endpoint is created.
- Note the unique endpoint. It is shown under the 'Unique Endpoint' heading.
- Note the challenge password.
- Note the thumbprint of the Client CA used in the SCEP endpoint from the EAP-TLS page.
Configure Profile in JAMF School
- Go to 'Profiles' and click 'Create Profile' button.
- Select 'macOS'.
- Select 'Device Enrollment'.
- Give the profile a name and click 'Next'.
- Configure the time filter as needed for your use case.
Configure SCEP
Click on 'SCEP' under 'General Payload' and then click 'Configure'.
- URL: SCEP URL noted earlier.
- Name: Your choice. For example: Foxpass SCEP
To configure the Device certificate type, you have two options: either sync devices from JAMF on the Devices page, or select 'None' for the verification type when creating a SCEP endpoint on the SCEP page.
- Subject: CN = %udid% for device certificate or CN=%Email% for a user certificate
- Subject Alternative Name Type: RFC 822 Name
- Subject Alternative Name Value: Leave it blank.
- Challenge: Paste the challenge password noted earlier.
- Key Size: 2048
- Fingerprint: Paste the thumbprint noted earlier.
Configure Certificates
- Click on 'Certificates' under 'General Payload'.
- Click Choose File > Select the previously downloaded active server CA from Foxpass.
- Click 'Upload certificate'.
- Click Save.
Configure Networks
- Click on 'Networks' under 'General Payload'.
- Click 'Configure'.
- Network Interface: Wi-Fi
- SSID: Your network's SSID. Note: this must match EXACTLY, including capital letters.
- Security: WPA2 Enterprise
- For Protocols, Supported Types: TLS
- Username: Your username
- Identity certificate: Select SCEP (configured earlier) from the dropdown.
- Select 'Trust' and then check the Foxpass Server CA certificate.
Enroll your device
- On your macOS device, open a browser and go to your device enrollment URL. The enrollment URL is the full URL of your Jamf School server followed by /enroll. You can enroll your device as per your use case. This documentation highlights 'On-device' enrollment instructions.
- Locate Network ID in your JAMF School account by going to Devices > Enroll Device(s) > On-device enrollment (iOS & macOS).
- Enter your Network ID and click Enroll.
- The mobileconfig will be downloaded on your device. Click on the profile downloaded.
- Go to System Preferences > Profiles on your macOS device.
- Click on 'Install' to install the profile.
- Follow the on-screen instructions and install the profile.
- In your JAMF School account, go to 'Devices' > 'Inventory'. Your device will appear here.
- Now, go to Users in your JAMF School account.
- Click on Users > <your user's name> > Devices.
- Click 'Assign device' button.
- Select your device and assign it.
- Your device will be assigned to the user.
- Click on the Device name.
- Click on 'Managed Profiles' and then click 'Add Profiles'.
- Select the 'Foxpass' profile created earlier and click 'Add'.
- The Foxpass profile will get installed on your device.
- You can check 'Activity log' for details/errors.
- A client certificate will be issued and you can locate it on the Foxpass EAP-TLS page.
- If everything is configured correctly in your JAMF School account and on your access point, your device will connect to the configured SSID.
- For logging, you can check logs on the RADIUS logs page of Foxpass.
Troubleshooting Steps
- Profile Not Installing: Verify the SCEP URL, challenge password, and certificate details in Jamf School.
- Certificate Issues: Ensure the device’s date and time are correct. Re-upload the Foxpass CA certificate if necessary.
- Network Connection Problems: Confirm the SSID, security type, and EAP type settings are accurate.
- SCEP Enrollment Failures: Check the SCEP server and Foxpass settings, including the challenge and fingerprint.
- Enrolled device showing as inactive in JAMF: Refer to this article to troubleshoot.
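
The checks in the troubleshooting list above can be run against a copy of the profile before it reaches a device. The script below is an added example, not Foxpass or Jamf code: it assumes you have the Foxpass profile as an unsigned .mobileconfig (a plist) that uses Apple's standard configuration profile keys, and the URL, UUIDs, challenge and fingerprint in the sample are constructed placeholders.

```python
import plistlib

EAP_TLS = 13  # IANA EAP method number for EAP-TLS
CERT_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")

def audit_profile(raw, expected_url, expected_ssid):
    """Return a list of findings for an unsigned .mobileconfig given as bytes."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    by_type = lambda *t: [p for p in payloads if p.get("PayloadType") in t]
    scep, wifi = by_type("com.apple.security.scep"), by_type("com.apple.wifi.managed")
    scep_ids = {p.get("PayloadUUID") for p in scep}
    ca_ids = {p.get("PayloadUUID") for p in by_type(*CERT_TYPES)}
    findings = []
    if not scep:
        findings.append("no SCEP payload")
    if not wifi:
        findings.append("no Wi-Fi payload")
    for p in scep:
        c = p.get("PayloadContent", {})
        if c.get("URL") != expected_url:
            findings.append("SCEP URL differs from the noted endpoint")
        if not c.get("Challenge"):
            findings.append("challenge password is empty")
        if c.get("Keysize") != 2048:
            findings.append("key size is not 2048")
        if not c.get("CAFingerprint"):
            findings.append("CA fingerprint is missing")
    for p in wifi:
        eap = p.get("EAPClientConfiguration", {})
        if p.get("SSID_STR") != expected_ssid:
            findings.append("SSID is not an exact, case-sensitive match")
        if eap.get("AcceptEAPTypes") != [EAP_TLS]:
            findings.append("accepted EAP types are not TLS only")
        if p.get("PayloadCertificateUUID") not in scep_ids:
            findings.append("identity certificate is not the SCEP payload")
        if not ca_ids & set(eap.get("PayloadCertificateAnchorUUID", [])):
            findings.append("no uploaded CA certificate is trusted for the network")
    return findings

def sample_profile(ssid="CorpWiFi", keysize=2048):
    """Constructed sample; URL, UUIDs, challenge and fingerprint are placeholders."""
    scep = {"PayloadType": "com.apple.security.scep", "PayloadUUID": "SCEP-1",
            "PayloadContent": {"URL": "https://scep.example.invalid/placeholder",
                               "Challenge": "placeholder", "Keysize": keysize,
                               "CAFingerprint": b"\x00" * 20}}
    ca = {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-1"}
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": ssid,
            "PayloadCertificateUUID": "SCEP-1",
            "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS],
                                       "PayloadCertificateAnchorUUID": ["CA-1"]}}
    return plistlib.dumps({"PayloadContent": [scep, ca, wifi]})
```

An empty list means the SCEP, certificate and network payloads are consistent with the settings in this guide; it does not confirm that the fingerprint value itself matches the Client CA thumbprint shown in Foxpass.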