If you are using an organizational or third-party CA that supports SCEP, you can use it to issue management certificates to computers and mobile devices. When a device checks in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate.
If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using an external CA, you can use Jamf Pro to obtain management certificates from the SCEP server and install them on devices during enrollment. You can also enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.
Integrating an external CA with Jamf Pro involves the following steps:
- Specifying SCEP parameters for the external CA
- Uploading a signing certificate and CA certificate for the external CA
Jamf recommends performing changes to a SCEP-enabled external CA (i.e., the Use a SCEP-enabled external CA for computer and mobile device enrollment checkbox is selected under ) before enrolling computers and devices. If you make changes to a SCEP-enabled external CA after enrollment, you will need to re-enroll all enrolled computers and devices to restore trusted communication to the Jamf Pro server.