Add Jamf Pro install docs [CON-198] #368
Conversation
| "property_order": 10 | ||
| }, | ||
| "Certificate": { | ||
| "type": "string", | ||
| "title": "Smallstep (Debug): Certificate URI", | ||
| "description": "A KMS URI that points to a certificate that can be used for agent bootstrapping.", | ||
| "property_order": 10 |
There was a problem hiding this comment.
Are the order indices the same intentionally?
|
|
||
| - Read Mobile Devices | ||
| - Read Computers | ||
| - Webhooks: Create, Delete, Read, Update |
There was a problem hiding this comment.
This is currently not required, as we're not creating webhooks programmatically (at least not yet, afaik). I guess it's fine for future use cases, and so users don't need to update it.
Co-authored-by: Herman Slatman <[email protected]>
Co-authored-by: Herman Slatman <[email protected]>
Co-authored-by: Herman Slatman <[email protected]>
| ### 3. Configure a SCEP Enrollment webhook in Jamf Pro | ||
|
|
||
| Smallstep uses Dynamic SCEP certificate enrollment. This webhook allows Jamf to request a dynamic, short-lived challenge string from Smallstep during MDM enrollment. The challenge string is injected into a [SCEP payload](https://developer.apple.com/documentation/devicemanagement/scep) for your clients to authenticate to Smallstep. | ||
| Smallstep uses Dynamic SCEP certificate enrollment. This webhook allows Jamf to request a dynamic, short-lived challenge string from Smallstep during a SCEP certificate request. The challenge string is injected into a [SCEP payload](https://developer.apple.com/documentation/devicemanagement/scep) for your clients to authenticate to Smallstep. |
There was a problem hiding this comment.
Yes, much better.
Technically, it'll be retrieved before the request, but it's fine in this context.
To make it more clear why SCEP is needed at all, maybe in the first line it needs something along the lines of Smallstep issues certificates using Dynamic SCEP (a.o.). Not thrilled by the "a.o.", so maybe something else, but I think it should somehow indicate that it's only used for specific use cases, and that it's not the only way certificates will be issued.
There was a problem hiding this comment.
Good point. I did one more round on this, to put SCEP into context a bit better.
|
@joshdrake any feedback on Herman's comments? |
tashian
changed the title
| 3. Add a new **Policy** | ||
| 1. Under Options → General: | ||
| - Display name: Smallstep Agent | ||
| - Trigger: Login |
There was a problem hiding this comment.
@joshdrake is Login still the correct trigger? Or should this be set to Recurring Check-in? The note below suggests it should be Recurring Check-in.
There was a problem hiding this comment.
@tashian I'm not actually sure what operators would typically use for ensuring software installs. I suppose "Recurring Check-In" is better in that it does not require a restart/relog to evaluate the policy.
There was a problem hiding this comment.
Ok I'll add a PR to update it
|
Outside of the comment re: policy trigger, this lgtm! |
No description provided.