Hello Brad,

We have seen issues on Mac OS X “recent” version getting a certificate.

To answer your last question, why the cert is in PF: because PF did its job by providing the certificate, and then the process fails in the next steps following that cert issuing.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Feb 27, 2024, at 6:23 PM, Brad White via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello,
>
> As we’ve scaled out the deployment of our EAP-TLS network that uses PacketFence, I noticed an issue affecting a small percentage of Apple devices (macOS / iPadOS / iOS) relating to SCEP.
>
> - We have Jamf Pro acting as a SCEP Proxy for configuration profiles
> - We’re using PacketFence for PKI and as a SCEP Server
> - We’re using Microsoft Entra as an Application Proxy to expose PF’s SCEP URL to the internet. This app proxy URL is listed as the base URL for the SCEP server in Jamf
> - The Jamf Pro configuration profiles we’re using for macOS and iPadOS/iOS are very similar and contain:
>   - PacketFence Root Certificate
>   - SCEP Payload specifying the CN subject to use for SCEP-issued machine certificates, retry delay, etc.
>   - WiFi payload specifying SSID, auto-join, what username to use, etc.
>
> The issue we are seeing with a fairly small number of devices (it’s currently affecting less than 2% of macOS and a little over 4% of iPadOS/iOS) are two Jamf Pro errors correlating with the configuration profile failing to push:
>
> - Unable to obtain certificate from SCEP server at “our_Jamf_URL”. <MDM-SCEP:14006>
> - The SCEP server returned an invalid response.
>
> What is strange is that for these devices where the Jamf config profile is failing, I can find active SCEP certificates in PacketFence (Configuration > Integration > Certificates). They all show up in there and SCEP shows a green circle.
>
> I can manually revoke the SCEP machine certificate for a device that failed in PacketFence, then re-push the Jamf config profile, and then it will install fine.
>
> So why are Jamf configuration profiles failing only on a small minority of devices (with SCEP errors)? Probably related - why is PacketFence provisioning a SCEP certificate for them that Jamf is failing to install?
>
> I’m wondering if there is a setting we need to adjust somewhere since the vast majority of devices are working fine.
>
> Thanks,
> Brad White
> Client Systems Analyst
> Peninsula School District
> whi...@psd401.net
> 253.530.3710
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users