Jamf Pro Integration

Deploy WPA-Enterprise WiFi configuration profiles and EAP-TLS certificates to managed Mac, iPhone, and iPad devices using Jamf Pro with SCEP enrollment.

Overview

The Jamf Pro integration enables:

• WiFi profile deployment to Mac, iPhone, iPad
• SCEP certificate enrollment for EAP-TLS
• Automatic provisioning for managed devices
• Configuration profiles for secure WiFi

Prerequisites

• IronWifi account with WPA-Enterprise configured
• Jamf Pro subscription
• Apple devices enrolled in Jamf
• IronWifi SCEP service enabled

Architecture

Apple Device → Jamf Pro → Configuration Profile → IronWifi RADIUS
                  ↓
              SCEP → IronWifi CA → Device Certificate

IronWifi SCEP Configuration

Enable SCEP

1. Log in to IronWifi Console
2. Go to Settings > SCEP
3. Enable SCEP service
4. Configure CA settings:
   • Key Size: 2048-bit
   • Validity: 365 days
   • Subject: CN format
5. Note your SCEP URL: https://scep.ironwifi.com/your-org

Download Root Certificate

1. In SCEP settings, download the Root CA certificate
2. You'll upload this to Jamf Pro

Jamf Pro Configuration

Step 1: Upload Root CA Certificate

1. In Jamf Pro, go to Configuration Profiles
2. Create new profile for your scope
3. Add Certificate payload
4. Upload IronWifi root CA certificate
5. Name it descriptively (e.g., "IronWifi Root CA")

Step 2: Create SCEP Profile

1. In the same or separate configuration profile
2. Add SCEP payload

SCEP Settings:

• URL: https://scep.ironwifi.com/your-org/pkiclient.exe
• Name: IronWifi Device Certificate
• Subject: CN=$SERIALNUMBER or CN=$USERNAME
• Subject Alternative Name Type: RFC 822 Name
• Subject Alternative Name Value: $EMAIL
• Challenge Type: Static (enter IronWifi challenge password)
• Key Size: 2048
• Use as digital signature: Yes
• Use for key encipherment: Yes

Step 3: Create WiFi Profile

1. Add Wi-Fi payload to configuration profile

WiFi Settings:

• Service Set Identifier (SSID): Your secure network name
• Hidden Network: Check if SSID is hidden
• Auto Join: Enable
• Security Type: WPA2 Enterprise
• Protocols: TLS
• Identity Certificate: Select the SCEP payload

Trust Settings:

• Trusted Certificates: Select the root CA certificate payload
• Trusted Server Certificate Names: Your RADIUS server name

Step 4: Configure Scope

1. Click Scope tab
2. Add target devices or groups:
   • All Managed Devices
   • Specific departments
   • Device groups

Profile Types

macOS Configuration

Additional Settings:

• System Extension: May need allowlist for 802.1X
• Login Window: Enable if pre-login WiFi needed
• User Mode: User or Computer authentication

iOS/iPadOS Configuration

Settings:

• Per-App VPN: Can combine with WiFi profile
• Managed Apps: Restrict WiFi to managed apps
• Disable MAC randomization: Recommended for tracking

Deployment Strategies

Automatic Enrollment

For DEP/ADE enrolled devices:

1. Assign profile to PreStage Enrollment
2. WiFi configures during setup
3. Device ready with WiFi immediately

User-Initiated Enrollment

For BYOD scenarios:

1. User enrolls via Jamf enrollment portal
2. Profiles install automatically
3. WiFi available after enrollment

Self Service

Make WiFi profile available in Self Service:

1. Set profile to Self Service scope
2. Users install when needed
3. Good for optional networks

Certificate Management

Certificate Lifecycle

1. Enrollment: SCEP issues certificate at profile install
2. Renewal: Auto-renew before expiration
3. Revocation: Revoke via IronWifi when device unenrolled

Renewal Settings

In SCEP payload:

• Allow export from keychain: No (recommended)
• Auto-renewal: Enable if available

Revocation

When device is wiped or unenrolled:

1. Certificate removed from device
2. Mark certificate revoked in IronWifi
3. Revoked cert cannot authenticate

Troubleshooting

Certificate Not Installing

1. Check SCEP URL is correct
2. Verify challenge password
3. Review Jamf Pro logs
4. Check device communication with SCEP server

WiFi Not Connecting

1. Verify certificate installed (Settings > General > Profiles)
2. Check WiFi profile settings
3. Review IronWifi authentication logs
4. Test with manual connection

Profile Not Deploying

1. Check scope configuration
2. Verify device is in scope
3. Force device check-in
4. Review Jamf Pro management history

Monitoring

Jamf Pro

• Configuration profile status
• Device compliance
• Certificate deployment reports

IronWifi

• Authentication logs
• Certificate-based auth success rate
• Device connection history

Best Practices

1. Test on pilot devices before broad deployment
2. Use Smart Groups for targeted deployment
3. Enable auto-renewal for certificates
4. Monitor expiration dates
5. Document configuration for IT team
6. Consider failover WiFi for emergencies

Integration with Jamf Connect

If using Jamf Connect for identity:

1. Use Jamf Connect credentials for WiFi
2. SSO experience for end users
3. Leverage existing identity infrastructure

Related Topics

• SCEP Configuration
• macOS EAP-PEAP Setup
• EAP-TLS Overview