Use this task to configure Jamf as your
device manager.
Before you begin
- You must have administrative permission to complete this
task.
- Log in to the IBM® Security Verify
administration console as an Administrator.
About this task
Note: If you use Safari on macOS, you might not be prompted for the client
certificate that the Jamf device manager issued. To resolve the issue, configure a
macOS Keychain identity preference that binds the certificate to the tenant URL for Safari.
- On your Mac, open Keychain Access.
- Add an identity preference for the client certificate.
- Set the identity preference location to the tenant authentication URL, a space, and
com.apple.Safari. For example, for the tenant URL
https://{mtls_enabled_tenant_name}/usc, the location is
https://{mtls_enabled_tenant_name}/usc com.apple.Safari.
After the identity preference is saved, Safari prompts for the certificate correctly.
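The same identity preference can be set from the macOS `security` command instead of the Keychain Access dialog. The following is an added example and is not from this page or from IBM Security Verify or Jamf; the tenant host and certificate name are placeholders, and it assumes that `security set-identity-preference -c <identity> -s <service>` binds a keychain identity to a service string (the operation the dialog performs) and that `get-identity-preference -Z` prints the bound certificate's hash.

```shell
#!/bin/sh
# Added example, not from this page or from IBM Security Verify / Jamf. It sets
# the same Keychain identity preference the note above describes, but from the
# macOS `security` command instead of Keychain Access. Assumptions: the tenant
# host and certificate name are placeholders, and `security
# set-identity-preference -c <identity> -s <service>` binds a keychain identity
# to a service string, which is what the Keychain Access dialog does.

# The location string the note specifies: tenant authentication URL, a space,
# and Safari's bundle identifier.
identity_pref_service() {
  printf '%s' "https://$1/usc com.apple.Safari"
}

# Bind the client certificate to that location. $1 = tenant host, $2 = common
# name of the client certificate that Jamf issued, as listed in Keychain Access.
# With DRY_RUN=1 the command is only printed, so the example can be read (and
# checked) on a machine without the certificate.
set_safari_identity_pref() {
  service=$(identity_pref_service "$1")
  cert_name="$2"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'security set-identity-preference -c "%s" -s "%s"\n' "$cert_name" "$service"
    return 0
  fi
  security set-identity-preference -c "$cert_name" -s "$service" || return 1
  # Read the preference back; this is the same entry Keychain Access shows.
  # (-Z prints the certificate hash; that flag is an assumption from the man page.)
  security get-identity-preference -s "$service" -Z
}

DRY_RUN=1 set_safari_identity_pref "mtls-tenant.example" "Jamf Client Certificate"
```

Run it without DRY_RUN on the Mac that holds the certificate; the service string must match the tenant URL exactly, including the scheme and the /usc path, or Safari continues to ignore the preference.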
Procedure
- Select .
- Select Add device manager.
- Select JAMF as the type of device manager that you want to set up.
- Select Next.
- On the General settings page, provide the following
information.
- Enter the Device manager name in the provided field.
- Select the Identity provider from the menu.
- Select the Trust type from the menu. With Device trust, users still log in with
their configured first-factor authentication mechanism; the device trust check only
confirms whether that authentication was done from a managed device. It does not
identify the user from the certificate.
Note: The Device trust feature CI-114829 can be enabled
upon request. To request this feature, contact your IBM Sales representative or IBM contact and
indicate your interest in enabling this capability. Create a support ticket if you have permission.
IBM Security Verify trial subscriptions cannot create support tickets.
- Select whether to enable just-in-time provisioning for user accounts.
Note: Just-in-Time (JIT) provisioning for user accounts applies only when User and
device trust is selected.
- Select the Client certificate validity period. The default is 3 years.
- Specify the maximum number of certificates for each device.
- Specify how many minutes the user and device information is retained.
-
Select Next.
- On the API credentials page, enter the details that Verify needs to call the Jamf API.
- Provide the username and password that Verify uses to connect to the Jamf API. Use a
dedicated Jamf account that has only the permissions needed to read the device
records, rather than a full administrator account.
- Leave the Sync device information checkbox selected.
- Provide your tenant name.
- Select the Unique user identifier from the predefined list of attributes, or select
Custom Rule to specify attribute mappings. If you use a custom rule, you can add custom
attributes and a rule. Type the rule that computes the attribute value. For example,
requestContext.email[0].split('@')[0]
Note: requestContext and idsuser are populated with the following client certificate
attributes, if available: subjectCN, subjectDN, subjectO, subjectOU, subjectC, subjectL,
subjectST, subjectE, subjectUid, subjectAlternativeNameEmail.
Note: The custom rule selection is not applicable to Device trust. However, you can
enter the appropriate attribute in the provided field.
Click Run test to make sure the rule works. Because the identifier that the rule
produces is what Verify matches against its user records, also test it with a certificate
that lacks the attribute the rule reads (for example, one without an email address) so
that the failure surfaces here rather than at user login.
- Select the user ID location from the menu.
- Select Test credentials to verify your credentials.
- Click Next.
- On the User properties page (shown for User and device trust) or the Device
properties page (shown for Device trust), map the device manager attributes to IBM
Security Verify attributes.
- Select the device manager attribute.
- Optional: Select a transform from the menu.
- Required: Select the Verify attribute that you want to map the device manager
attribute to.
- Select how you want to store the attribute in the user's profile.
- Optional: Click Add attributes. If you use a custom rule, you can add custom
attributes one at a time, each with a rule. Type the rule that computes the attribute
value. For example,
idsuser.email[0].split('@')[0]
Click Run test to make sure the rule works.
- Click OK.
- Click Next.
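The two rules shown in this task, requestContext.email[0].split('@')[0] for the unique user identifier and idsuser.email[0].split('@')[0] for a custom user property, both read an attribute that a client certificate might not carry. The following is an added example, not code from IBM Security Verify or Jamf, that shows what such a rule computes from the certificate attributes the notes list and what Run test should reveal when the attribute is missing. Everything not on the page is an assumption: the parseSubject and buildRequestContext helpers, the sample values, and the order in which email is derived (SAN e-mail, then subjectE, then a CN that holds an address, because the page's SCEP Subject template puts $EMAIL in the CN).

```javascript
// Added example (not IBM Security Verify or Jamf code): what a custom rule such as
// requestContext.email[0].split('@')[0] computes from the client certificate
// attributes this page lists, and what Run test should show when the
// certificate has no e-mail. Assumptions, all mine: the parseSubject and
// buildRequestContext helpers, the sample values, and the order in which
// `email` is derived (SAN e-mail, then subjectE, then a CN that holds an address,
// since the page's SCEP Subject template puts $EMAIL in the CN).

// Split an RFC 4514 subject string into [type, value] pairs. A subject can carry
// the same type more than once (the page's template has three OU values), so the
// result is a list, and "\," inside a value is kept as a literal comma.
function parseSubject(dn) {
  const rdns = [];
  let current = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) { current += dn[++i]; continue; }
    if (ch === ",") { rdns.push(current); current = ""; continue; }
    current += ch;
  }
  rdns.push(current);
  const pairs = [];
  for (const rdn of rdns) {
    const s = rdn.trim();
    const eq = s.indexOf("=");
    if (eq < 1) continue; // skip empty or malformed components
    pairs.push([s.slice(0, eq).trim().toUpperCase(), s.slice(eq + 1)]);
  }
  return pairs;
}

// Build the requestContext the rule sees. Attribute names are the ones the page
// lists; each value is an array because the page's rule indexes email[0].
// Attributes the certificate does not carry are left out rather than set to [].
function buildRequestContext(subjectDN, sanEmail) {
  const byType = { CN: "subjectCN", O: "subjectO", OU: "subjectOU", C: "subjectC",
                   L: "subjectL", ST: "subjectST", E: "subjectE", UID: "subjectUid" };
  const ctx = { subjectDN: [subjectDN] };
  for (const [type, value] of parseSubject(subjectDN)) {
    const name = byType[type];
    if (!name) continue;
    (ctx[name] = ctx[name] || []).push(value);
  }
  if (sanEmail) ctx.subjectAlternativeNameEmail = [sanEmail];
  // Assumed derivation of `email`: SAN e-mail, then subjectE, then the CN when it
  // holds an address (the template's CN=$EMAIL:: form, with the "::" tag stripped).
  let email = ctx.subjectAlternativeNameEmail || ctx.subjectE;
  if (!email && ctx.subjectCN) {
    const cn = ctx.subjectCN[0].split("::")[0];
    if (cn.includes("@")) email = [cn];
  }
  if (email) ctx.email = email;
  return ctx;
}

// The rule exactly as the page writes it. It throws when `email` is absent,
// which is the failure Run test should surface before the profile reaches devices.
function pageRule(ctx) {
  return ctx.email[0].split("@")[0];
}

// A defensive variant: returns null instead of throwing, lower-cases the local
// part so "JDoe@" and "jdoe@" resolve to the same Verify user, and refuses a
// value without "@" so a bare device CN is never mistaken for an e-mail address.
function safeRule(ctx) {
  const email = ctx.email && ctx.email[0];
  if (typeof email !== "string" || !email.includes("@")) return null;
  return email.split("@")[0].toLowerCase();
}

// Evaluate both rules against one certificate, the way the Run test button does
// for a single rule, and return the results together with the context used.
function runTest(subjectDN, sanEmail) {
  const ctx = buildRequestContext(subjectDN, sanEmail);
  let page;
  try { page = pageRule(ctx); } catch (e) { page = "error: " + e.message; }
  return { pageRule: page, safeRule: safeRule(ctx), context: ctx };
}

// Constructed sample: the page's Subject template after Jamf substitutes $EMAIL
// and $JSSID (the e-mail and Jamf ID are invented for this example).
const SAMPLE_SUBJECT =
  "CN=JDoe@example.com::,OU=v::v1,OU=d::1234,OU=r::cloudIdentityRealm,O=mdm::isvdev.jamfcloud.com";

console.log(runTest(SAMPLE_SUBJECT, null));
console.log(runTest("CN=device-1234,O=mdm::isvdev.jamfcloud.com", null));
```

Run it with node. The second call uses a subject with no e-mail anywhere: the page's rule throws, while the defensive variant returns null, which is the outcome to aim for in the console so that an unmatched certificate is rejected rather than mapped to a wrong or empty identifier.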
- Create the root certificate profile. Follow the instructions that are provided.
- Download the root and intermediate certificate .zip files that are provided.
- Log in to the Jamf portal and select Computers.
- Select Configuration Profiles, select the configuration profile, and select Edit. If
the profile doesn't exist, create one.
- Select Certificate in the profile's navigation menu.
- To create a root certificate, select Configure or the + toolbar button.
- Name the root certificate, for example JAMF_RootCA_Cert.
- Upload the root certificate that you downloaded in step a.
- Select Save.
- Repeat steps b-h for the intermediate certificate.
- Select Next.
- On the SCEP certificate profile page, configure the SCEP certificate profile.
- If you already have a SCEP certificate profile, select Values only.
- Provide the SCEP subject.
- Select the challenge type.
- Static: Type and confirm a challenge password. A static challenge is one shared
secret that is embedded in the profile and that every enrolling device presents, so
prefer the dynamic challenge where you can configure the Jamf webhook.
- Dynamic: Complete the Webhook configuration page.
- Select Save and continue.
- If you are creating a SCEP certificate profile, select Show with steps and follow
the instructions.
- Log in to the Jamf portal and select Computers.
- Select Configuration Profiles, select the configuration profile, and select Edit.
- Select SCEP in the profile's navigation menu.
- To create a SCEP certificate, select Configure or the + button.
- Use the following configuration settings:
- Name: SCEP_CERTIFICATE.
- Redistribute Profile: 3 days.
- Subject: Use the Subject value that is provided by your Verify tenant. For example,
CN=$EMAIL::,OU=v::v1,OU=d::$JSSID,OU=r::cloudIdentityRealm,O=mdm::isvdev.jamfcloud.com
- Subject alternative name: None.
- Challenge type: Static (type and confirm a challenge password) or Dynamic (complete
the Webhook configuration page).
- Retries: 3.
- Retry Delay: 10 (seconds).
- Key size (bits): 2048.
- Certificate Expiration Notification Threshold: 14 (days).
- Use as digital signature: Selected.
- Use for key encipherment: Selected.
- SCEP server URLs: Use the SCEP URL value that is provided by your Verify tenant.
- Select Save.
- Select Save and continue.
If you selected the dynamic challenge, complete the next step. If you selected the
static challenge, skip to Set the scopes.
- Provide the Webhook configuration information. The webhook is how Jamf obtains a
per-enrollment SCEP challenge from Verify instead of using one static password.
- In the Jamf tenant, navigate to .
- Create a new webhook.
- Use the following configuration settings.
- Display name: Provide a valid display name.
- Enabled: Select the checkbox.
- Authentication type: Basic authentication. Provide the username and password, and
verify the password. These credentials authenticate Jamf to the Verify webhook
endpoint, so use a unique, generated password.
- Connection timeout: Set it or leave the default value.
- Read timeout: Set it or leave the default value.
- Content type: JSON.
- Webhook Event: Select SCEPChallenge.
- Save the configuration.
- Click Save and continue.
- Set the scopes. Follow the instructions.
- Log in to the Jamf portal and select Computers.
- Select Configuration Profiles, select the configuration profile, and select Edit.
- Select the .
- Under the Selected Deployment Targets section, add the computers, computer groups,
users, user groups, buildings, and departments that you want to deploy to.
- Select Save.
- Select Next.
- Test the configuration. Follow the instructions.
- Select Complete setup.
- Review your settings.
- Select Save changes.