Adding a Jamf device manager

Use this task to configure Jamf as your device manager.

Before you begin

Note: The mtlsidaas global tenants for device managers are now deprecated and will be removed after March 2024. Go to Obtaining a vanity hostname to request a vanity domain. For more information, see Adding a device manager.
  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console as an Administrator.

About this task

Note: If you are using macOS Safari, you might encounter an issue in which you are not prompted for the client certificates that the Jamf device manager issued. To resolve the issue, you must configure the macOS Keychain identity preference.
  1. On your Mac system, go to Keychain Access.
  2. Add an Identity Preference for the client certificate.
  3. Set the identity preference location to the tenant authentication URL, followed by a space and com.apple.Safari. For example, https://{mtls_enabled_tenant_name}/usc.
The identity preference is now found in Keychain Access > login > All items and the certificate prompt works correctly.

Procedure

  1. Select Authentication > Device managers.
  2. Select Add device manager.
  3. Select JAMF as the type of device manager that you want to set up.
  4. Select Next.
  5. On the General settings page, provide the following information.
    • The name of the device manager.
    • Select the identity source from the menu.
    • Select whether you want to enable just-in-time provisioning.
    • Specify the maximum number of certificates for each device.
    • Specify how many minutes the user and device information is kept.
  6. Select Next.
  7. On the API credentials page, enter the API details of your application in Jamf.
    1. Provide your username and password to connect to the Jamf API.
    2. Leave the Sync device information checkbox selected.
    3. Provide your tenant name.
    4. Select Unique user identifier from a predefined list of attributes, or select Custom Rule to specify attribute mappings.
      If you select to use a custom rule, you can add custom attributes and a rule. Type the rule to compute the attribute value. For example,
      requestContext.email[0].split('@')[0]
      Note: requestContext and idsuser are populated with the following client certificate attributes, if available:

      subjectCN, subjectDN, subjectO, subjectOU, subjectC, subjectL, subjectST, subjectE, subjectUid, subjectAlternativeNameEmail.

      Click Run test to make sure the rule works.
    5. Select the user ID location from the menu.
    6. Select Test credentials to verify your credentials.
  8. Click Next.
  9. On the User properties page, map the device manager attributes to IBM Security Verify attributes.
    1. Select the device manager attribute.
    2. Optional: Select a transform from the menu.
    3. Required: Select the Verify attribute that you want to map the attribute to.
    4. Select how you want to store the attribute in the user's profile.
  10. Optional: Click Add attributes.
    If you select to use a custom rule, you can add custom attributes one at a time, each with a rule. Type the rule to compute the attribute value. For example,
    idsuser.email[0].split('@')[0]
    Click Run test to make sure the rule works.
  11. Click OK.
  12. Click Next.
  13. Create the root certificate profile.
    Follow the instructions that are provided.
    1. Download the root and intermediate certificate .zip files that are provided.
    2. Log in to the Jamf portal and select Computers.
    3. Select Configuration Profiles and select the configuration profile and select Edit. If the profile doesn't exist, you must create one.
    4. Select Certificate in the profile's navigation menu.
    5. To create a root certificate, select Configure or the + toolbar button.
    6. Name the root certificate, for example JAMF_RootCA_Cert.
    7. Upload the root certificate profile that you downloaded in step 1.
    8. Select Save.
    9. Repeat steps 2-8 for the intermediate certificate.
  14. Select Next.
  15. On the SCEP certificate profile page, enter the API details of your application.
    • If you already have a SCEP certificate profile, select Values only.
      1. Provide the SCEP subject.
      2. Select the challenge type.
        Static
        Type and confirm a challenge or password.
        Dynamic
        Complete the Webhook configuration page.
      3. Select Save and continue.
    • If you are creating a SCEP certificate profile, select Show with steps and follow the instructions.
      1. Log in to the Jamf portal and select Computers.
      2. Select Configuration Profiles and select the configuration profile and select Edit.
      3. Select SCEP in the profile's navigation menu.
      4. To create a SCEP certificate, select Configure or the + button.
      5. Use the following configuration settings:
        Name
        SCEP_CERTIFICATE.
        Redistribute Profile
        3 days.
        Subject
        Use the Subject value that is provided by your Verify tenant. For example, CN=$EMAIL::,OU=v::v1,OU=d::$JSSID,OU=r::cloudIdentityRealm,O=mdm::isvdev.jamfcloud.com
        Subject alternative name
        None.
        Challenge type
        Static
        Type and confirm a challenge or password.
        Dynamic
        Complete the Webhook configuration page.
        Retries
        3.
        Retry Delay
        10.
        Key size (bits)
        2048.
        Certificate Expiration Notification Threshold
        14.
        Use as digital signature
        Selected.
        Use for key encipherment
        Selected.
        SCEP server URLs
        Use the SCEP URL value that is provided by your Verify tenant.
      6. Select Save.
      7. Select Save and continue.
    If you selected to use a dynamic password, complete the next step. If you selected to use a static password, skip to Set the scopes.
  16. Provide the Webhook configuration information.
    1. In the Jamf tenant, navigate to Settings > Webhooks.
    2. Create a new webhook.
    3. Use the following configuration settings.
      Display name
      Provide a valid display name.
      Enabled
      Select the checkbox.
      Authentication type
      Basic authentication

      Provide the username and password, and confirm the password.

      Connection timeout
      Set it or leave it to the default values.
      Read timeout
      Set it or leave it to the default values.
      Content type
      JSON
      Webhook Event
      Select SCEPChallenge.
    4. Save the configuration.
    5. Click Save and continue.
  17. Set the scopes.
    Follow the instructions.
    1. Log in to the Jamf portal and select Computers.
    2. Select Configuration Profiles and select the configuration profile and select Edit.
    3. Select Scope > Edit.
    4. Under the Selected Deployment Targets section, add the computers, computer groups, users, user groups, buildings, and departments that you want to deploy to.
    5. Select Save.
  18. Select Next.
  19. Test the configuration.
    Follow the instructions.
  20. Select Complete setup.
    1. Review your settings.
    2. Select Save changes.
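The custom rules in steps 7 and 10 (requestContext.email[0].split('@')[0] and idsuser.email[0].split('@')[0]) act on attributes that Verify fills in from the client certificate. The following added example, which is not IBM's or Jamf's code, builds a requestContext with the attribute names listed in step 7 from a constructed certificate subject DN and runs a rule against it the way Run test would, returning null instead of crashing when the certificate carries no e-mail address. It assumes the rule is evaluated as a JavaScript expression, which the page's syntax suggests but does not state, and the DN-to-attribute mapping is a constructed approximation.

```javascript
// Parse an RFC 4514-style DN ("CN=a,OU=b,OU=c,O=d") into { TYPE: [values] }.
// Repeated types (several OU= entries) are kept in order.
function parseDn(dn) {
  const out = {};
  for (const rdn of dn.split(/,(?=\s*[A-Za-z]+=)/)) {
    const i = rdn.indexOf('=');
    if (i < 0) continue;
    const type = rdn.slice(0, i).trim().toUpperCase();
    const value = rdn.slice(i + 1).trim();
    (out[type] = out[type] || []).push(value);
  }
  return out;
}

// Build the attributes the page names (subjectCN, subjectDN, subjectO, subjectOU,
// subjectC, subjectL, subjectST, subjectE, subjectUid, subjectAlternativeNameEmail)
// plus 'email'. Assumption (constructed here): 'email' is taken from the E= RDN
// first, then from any SAN e-mail entries; an attribute is absent when the
// certificate does not carry it, as the page's "if available" note warns.
function buildRequestContext(subjectDn, sanEmails = []) {
  const rdns = parseDn(subjectDn);
  const ctx = { subjectDN: [subjectDn], subjectAlternativeNameEmail: sanEmails };
  const map = { CN: 'subjectCN', O: 'subjectO', OU: 'subjectOU', C: 'subjectC',
                L: 'subjectL', ST: 'subjectST', E: 'subjectE', UID: 'subjectUid' };
  for (const [type, name] of Object.entries(map)) {
    if (rdns[type]) ctx[name] = rdns[type];
  }
  const email = (ctx.subjectE || []).concat(sanEmails);
  if (email.length) ctx.email = email;
  return ctx;
}

// Evaluate an admin-authored rule against requestContext and idsuser.
// A rule that throws (for example, requestContext.email is undefined because
// the certificate has no e-mail) yields null, which is the signal that the
// unique-user-identifier mapping would fail for that certificate.
function runRule(rule, requestContext, idsuser = {}) {
  try {
    const fn = new Function('requestContext', 'idsuser', `return (${rule});`);
    return fn(requestContext, idsuser);
  } catch (e) {
    return null;
  }
}
```

A null result for a certificate that the SCEP profile in step 15 would issue (for example, one whose subject lacks an e-mail RDN) means the rule needs a fallback such as requestContext.subjectCN[0] before it is saved.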