Hello,

As we’ve scaled out the deployment of our EAP-TLS network that uses 
PacketFence, I noticed an issue affecting a small percentage of Apple devices 
(macOS / iPadOS / iOS) relating to SCEP.

- We have Jamf Pro acting as a SCEP Proxy for configuration profiles
- We’re using PacketFence for PKI and as a SCEP Server
- We’re using Microsoft Entra as an Application Proxy to expose PF’s SCEP URL 
to the internet. This app proxy URL is listed as the base URL for the SCEP 
server in Jamf
- The Jamf Pro configuration profiles we’re using for macOS and iPadOS/iOS are 
very similar and contain:
        - PacketFence Root Certificate
        - SCEP Payload specifying the CN subject to use for SCEP-issued machine 
certificates, retry delay, etc.
        - WiFi payload specifying SSID, auto-join, what username to use, etc.

The issue we are seeing with a fairly small number of devices (it’s currently 
affecting less than 2% of macOS and a little over 4% of iPadOS/iOS) is two 
Jamf Pro errors correlating with the configuration profile failing to push:

- Unable to obtain certificate from SCEP server at “our_Jamf_URL”. 
<MDM-SCEP:14006>
- The SCEP server returned an invalid response.

What is strange is that for these devices where the Jamf config profile is 
failing, I can find active SCEP certificates in PacketFence (Configuration > 
Integration > Certificates). They all show up in there and SCEP shows a green 
circle.

I can manually revoke the SCEP machine certificate for a device that failed in 
PacketFence, then re-push the Jamf config profile, and then it will install 
fine.

So why are Jamf configuration profiles failing only on a small minority of 
devices (with SCEP errors)? Probably related - why is PacketFence provisioning 
a SCEP certificate for them that Jamf is failing to install?

I’m wondering if there is a setting we need to adjust somewhere since the vast 
majority of devices are working fine.

Thanks,
Brad White
Client Systems Analyst
Peninsula School District
whi...@psd401.net
253.530.3710
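One check worth running against the SCEP URL the devices actually use (the Entra Application Proxy URL, not PacketFence directly) is whether the GetCACaps and GetCACert responses arrive with the content types the SCEP RFC (RFC 8894) specifies, since a proxy-injected HTML page or a missing header is exactly what a client reports as "invalid response". The script below is an added example, not code from the poster, PacketFence, Jamf or Microsoft; the base URL and the CA identifier string ("PacketFence") are placeholders/assumptions, and the classifier can be exercised offline on constructed responses.

```python
"""Classify SCEP GET responses (GetCACaps / GetCACert) the way a strict client would.
Expected content types follow RFC 8894; anything else (e.g. an HTML login page
returned by a proxy) is flagged instead of being handed to a certificate parser.
"""
import urllib.error
import urllib.request
from urllib.parse import urlencode

# RFC 8894 content types per operation (GetCACert may return a single cert or a chain)
EXPECTED = {
    "GetCACaps": {"text/plain"},
    "GetCACert": {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"},
}


def classify_scep_response(operation, status, content_type, body):
    """Return (ok, reason) for one SCEP response; body is raw bytes."""
    if status != 200:
        return False, f"HTTP {status} for {operation}"
    ctype = (content_type or "").split(";")[0].strip().lower()
    if ctype not in EXPECTED[operation]:
        # A body starting with '<' is almost always an HTML interstitial from a proxy
        hint = " (body looks like HTML, e.g. a proxy/login page)" if body.lstrip()[:1] == b"<" else ""
        return False, f"unexpected Content-Type {ctype!r}{hint}"
    if operation == "GetCACaps":
        caps = {ln.strip() for ln in body.decode("ascii", "replace").splitlines() if ln.strip()}
        if not caps:
            return False, "empty GetCACaps body"
        return True, "caps: " + ", ".join(sorted(caps))
    # GetCACert: DER (cert or degenerate PKCS#7) must begin with a SEQUENCE tag (0x30)
    if not body or body[0] != 0x30:
        return False, "body is not DER (no leading SEQUENCE tag)"
    return True, f"DER payload, {len(body)} bytes"


def probe(base_url, ca_ident="PacketFence"):
    """Fetch both operations from base_url (placeholder) and classify each; ca_ident is an assumption."""
    results = {}
    for op in ("GetCACaps", "GetCACert"):
        url = f"{base_url}?{urlencode({'operation': op, 'message': ca_ident})}"
        req = urllib.request.Request(url, headers={"User-Agent": "scep-probe/1"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                results[op] = classify_scep_response(op, resp.status, resp.headers.get("Content-Type"), resp.read())
        except urllib.error.HTTPError as e:
            results[op] = classify_scep_response(op, e.code, e.headers.get("Content-Type"), e.read())
    return results


if __name__ == "__main__":
    for op, (ok, why) in probe("https://APP-PROXY-HOSTNAME.example/scep").items():
        print(f"{op}: {'OK' if ok else 'FAIL'} - {why}")
```

Run it once from a client network path that mirrors a failing device; a FAIL on either operation with an HTML hint points at the proxy layer rather than at PacketFence's CA itself.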

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
