| 1 | +--- |
| 2 | +title: Configure your endpoints for Smallstep Enterprise Relay |
| 3 | +updated_at: December 08, 2025 |
| 4 | +html_title: Configure your Apple endponts to use Smallstep's Enterprise MASQUE Relay |
| 5 | +description: This tutorial describes how to deploy Smallstep's enterprise MASQUE relay service |
| 6 | +--- |
| 7 | + |
| 8 | +## Before you begin |
| 9 | + |
| 10 | +To get your Relay set up, you will need to give Smallstep the following information: |
| 11 | + |
| 12 | +- **Relay Trust Bundle**. This will be used by the Relay to verify client certificates. |
| 13 | +This bundle needs to include both Root and Intermediate CA certificates for any CAs you want your Relay to trust. |
| 14 | +These can include Smallstep or custom CAs. |
| 15 | +A typical configuration will include the Smallstep Account Root and Intermediate CA. |
| 16 | +- **Relay Region**. The GCP region for the relay, eg. `US_CENTRAL1` |
| 17 | + |
| 18 | +## Client Configuration |
| 19 | + |
| 20 | +Once we have your details, |
| 21 | +Smallstep will create your relay server and give you the Relay URL, |
| 22 | +which you’ll need to configure clients. |
| 23 | + |
| 24 | +Your new Relay will accepts client certificates from the CAs you asked us to configure in the Relay Trust Bundle. |
| 25 | +Usually this will include your team’s Accounts Intermediate CA. |
| 26 | +If they will use ACME Device Attestation, your clients will need to trust the Accounts Root CA. |
| 27 | +You can download the Accounts Root CA certificate from your [Authorities](https://smallstep.com/app/?next=/cm/authorities) page. |
| 28 | + |
| 29 | +The Relay’s server certificate is issued by your team’s Workloads Intermediate CA. |
| 30 | +So, your clients will need to trust the Workloads Root CA. |
| 31 | +You can download the Workloads Root CA certificate from your [Authorities](https://smallstep.com/app/?next=/cm/authorities) page. |
| 32 | + |
| 33 | +## Example: Create a Jamf Configuration Profile |
| 34 | + |
| 35 | +In this example, we’ll use Jamf Pro to configure endpoints connecting to a Smallstep Relay. |
| 36 | + |
| 37 | +**In the Smallstep console:** |
| 38 | + |
| 39 | +1. Visit [Authorities](https://smallstep.com/app/?next=/cm/authorities). |
| 40 | + 1. Select the **Smallstep Accounts** authority |
| 41 | + 2. Download the Root Certificate |
| 42 | + 3. Under the Provisioners section of the page, choose the provisioner named `acme-da` |
| 43 | + 4. Temporarily save the **URL shown on the page, eg.** `https://accounts.example.ca.smallstep.com/acme/acme-da/directory` |
| 44 | +2. Return to [Authorities](https://smallstep.com/app/?next=/cm/authorities) |
| 45 | + 1. Select the **Smallstep Workloads** authority |
| 46 | + 2. Download the Root Certificate |
| 47 | + |
| 48 | +**In Jamf Pro:** |
| 49 | + |
| 50 | +1. Choose 🖥️ **Computers** |
| 51 | +2. Under the **Content Management** tab, choose **Configuration Profiles** |
| 52 | +3. Add a new Configuration Profile |
| 53 | + 1. Choose **Options → General** |
| 54 | + - Name: Smallstep |
| 55 | + 2. For ACME CA trust, add a [**Certificate payload**](https://support.apple.com/guide/deployment/certificates-payload-settings-dep91d2eb26/web) |
| 56 | + - Certificate Name: **Smallstep Accounts Authority** |
| 57 | + - Certificate Option: **Upload** |
| 58 | + - Certificate Upload: (upload the Accounts Root CA certificate) |
| 59 | + - Allow all apps access: ☑️ |
| 60 | + 3. For Relay server trust, add a [**Certificate payload](https://support.apple.com/guide/deployment/certificates-payload-settings-dep91d2eb26/web)** |
| 61 | + - Certificate Name: **Smallstep Workloads Authority** |
| 62 | + - Certificate Option: **Upload** |
| 63 | + - Certificate Upload: (upload the Workloads Root CA certificate) |
| 64 | + - Allow all apps access: ☑️ |
| 65 | + 4. Add a [ACMECertificate Payload](https://support.apple.com/guide/deployment/automated-certificate-management-environment-depb95c66a07/web) |
| 66 | + - URL: (paste the ACME provisioner URL you saved earlier) |
| 67 | + - Name: Smallstep |
| 68 | + - Redistribute Profile: 7 days |
| 69 | + - Key Size: `384` |
| 70 | + - Key Type: `ECSECPrimeRandom` |
| 71 | + - Client Identifier: `$SERIALNUMBER` |
| 72 | + - Subject: `/CN=$SERIALNUMBER/L=$PROFILEIDENTIFIER` |
| 73 | + - Hardware Bound: ✅ |
| 74 | + - Attest: ✅ |
| 75 | + - Key Usage: `0xB` |
| 76 | + - Extended Key Usage: `1.3.6.1.5.5.7.3.2\` |
| 77 | + 5. Add a [Relay payload](https://developer.apple.com/documentation/devicemanagement/relay) |
| 78 | + 1. Relays: Add the URL for your Smallstep Enterprise Relay |
| 79 | + 2. Match domains: Up to you |
| 80 | + 3. Exclude domains: Up to you |
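Review bot: the Extended Key Usage value in the ACME Certificate payload step (`- Extended Key Usage: `1.3.6.1.5.5.7.3.2\``) carries a stray trailing backslash inside the code span; an admin who copies that string into Jamf gets an invalid OID and the resulting certificate would not carry the client-authentication EKU the Relay expects, so drop the backslash. Smaller fixes in the same hunk: the link on the Relay server trust step is mis-nested (`3. For Relay server trust, add a [**Certificate payload](...)**`), so the bold never renders; `html_title` has `endponts` for `endpoints`; `Your new Relay will accepts client certificates` should read `will accept`; `4. Temporarily save the **URL shown on the page, eg.**` bolds the instruction instead of the URL; and `Add a [ACMECertificate Payload]` should read `Add an [ACME Certificate payload]` to match the Apple page it links to.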