How does Smallstep integrate with Jamf?
FAQ: Trusted Device Inventory & Jamf Integration
- What is the primary problem that the Smallstep and Jamf® Pro integration addresses? The integration addresses a weakness of traditional certificate issuance: certificates are granted based solely on user credentials, without verifying the device itself. This means that even personal or unauthorized devices, as long as the user can log in to Jamf, could gain access to sensitive resources, which is a major security risk given phishing, credential theft, and impersonation attacks. Smallstep's Trusted Device Inventory ensures that only verified, trusted devices receive certificates.
- How does Smallstep's Trusted Device Inventory work with Jamf Pro to enhance security? Smallstep enhances security by integrating Jamf Pro’s device management with its high-assurance certificate workflows. This is achieved through several key steps:
  - Device Inventory Sync: Smallstep syncs directly with Jamf Pro via an API and webhooks to ensure only Jamf-managed devices are eligible for certificate issuance. This sync happens hourly, with a full sync every 8 hours.
  - Dynamic SCEP Challenges: Smallstep introduces dynamic, short-lived challenges for SCEP certificate requests, validated by Smallstep to ensure the requesting device is legitimate.
  - High-Assurance Enrollment with Smallstep Agent: The Smallstep Agent, deployed via Jamf Pro, bootstraps the device's connection to Smallstep, performs device attestation leveraging technologies like the macOS Secure Enclave for cryptographic verification, and manages certificate provisioning and renewals automatically.
  - Device Identity Verification: Using ACME Device Attestation, Smallstep cryptographically binds credentials to trusted, company-owned devices.
- What is 'Device Attestation' and how does it improve security? Device Attestation is a process in which the device proves its identity and trustworthiness using hardware-based cryptographic keys. Specifically, the integration uses the ACME Device Attestation (ACME DA) standard. This process cryptographically ties credentials to the device, ensuring that only verified endpoints that have proven they are legitimate and trustworthy can access critical resources. Unauthorized devices and impersonators are blocked because they cannot prove control over those cryptographic keys, which makes this significantly more secure than relying on user credentials alone. On macOS, this is done using the Secure Enclave.
- How does the Smallstep Agent play a role in this integration? The Smallstep Agent, distributed through Jamf Pro's policies, is crucial for the integration. It handles:
  - Bootstrapping device connections to Smallstep.
  - Performing device attestation.
  - Managing certificate provisioning.
  - Automating certificate renewals.
  - Providing real-time status information to the device list UI.
  The agent runs in the background, ensuring that devices continuously maintain their verified state and secure access, and removing the need for manual certificate management.
- What steps are involved in setting up this integration? Setting up the integration requires several steps both in Jamf Pro and Smallstep. In Jamf Pro, the process includes creating an API client with necessary permissions for Smallstep, configuring a SCEP enrollment webhook, and uploading the Smallstep Agent package to Jamf's distribution network. It also involves creating scripts and policies to install and configure the agent. In Smallstep, it requires setting up the device management tab, adding the Jamf API credentials, and configuring the provisioner. Finally, creating a configuration profile in Jamf to distribute the agent and certificates completes the setup, linking the two platforms.
- Is the Smallstep and Jamf integration limited to macOS devices? While the initial release focuses specifically on macOS devices and Jamf Pro, the Smallstep Trusted Inventories foundation is designed to be cross-platform. The Smallstep Agent is also available for Linux and Windows, and an Intune integration is planned, allowing the device identity concept to be extended across all device types in the future.
- What is SCEP and how does the integration use it? SCEP (Simple Certificate Enrollment Protocol) is the protocol Jamf uses to issue certificates. Traditionally, Jamf might use a static challenge or a Microsoft CA challenge for SCEP requests. The integration instead uses dynamic, short-lived SCEP challenges: when a device requests a certificate, Jamf sends a request to a webhook that validates the request against Smallstep. This confirms the device is legitimate before a certificate is issued and adds a crucial layer of device identity verification. The Smallstep Agent then uses this initial SCEP certificate to bootstrap its connection for higher-assurance enrollment.
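As an added illustration of the dynamic-challenge flow described in the two SCEP answers above (example code, not Smallstep's or Jamf's own implementation): the webhook side issues a challenge only for a device that is present and managed in the synced inventory, and the validating side accepts that challenge only if it is unexpired, bound to the same device, and has not been used before. The webhook payload shape, the serial-number binding, and the HMAC-based challenge construction are assumptions, and the inventory entries are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for the inventory synced from Jamf Pro (the real
# sync uses the Jamf API and webhooks; these entries are not real devices).
TRUSTED_INVENTORY = {
    "C02EXAMPLE01": {"managed": True},
    "C02EXAMPLE02": {"managed": False},  # known to Jamf but not managed
}

CHALLENGE_TTL = 300  # seconds; challenges are deliberately short-lived
# Hypothetical key shared by the challenge issuer and the challenge validator.
_CHALLENGE_KEY = secrets.token_bytes(32)
_used_nonces: set = set()  # replay protection: each challenge is single-use


def issue_challenge(webhook_payload: dict, now: Optional[int] = None) -> Optional[str]:
    """Webhook side: return a challenge for a managed device, or None to refuse."""
    serial = webhook_payload.get("serialNumber", "")
    device = TRUSTED_INVENTORY.get(serial)
    if not device or not device["managed"]:
        return None  # unknown or unmanaged device: no certificate for you
    expiry = int(now if now is not None else time.time()) + CHALLENGE_TTL
    nonce = secrets.token_hex(8)
    msg = f"{serial}|{expiry}|{nonce}".encode()
    tag = hmac.new(_CHALLENGE_KEY, msg, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(msg + b"|" + tag.encode()).decode()


def validate_challenge(challenge: str, serial: str, now: Optional[int] = None) -> bool:
    """Validator side: accept only an authentic, unexpired, unused challenge for this serial."""
    try:
        c_serial, expiry, nonce, tag = base64.urlsafe_b64decode(challenge).decode().split("|")
    except ValueError:  # covers bad base64, bad UTF-8 and wrong field count
        return False
    msg = f"{c_serial}|{expiry}|{nonce}".encode()
    expected = hmac.new(_CHALLENGE_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or tampered challenge
    if c_serial != serial:
        return False  # challenge was issued for a different device
    if int(expiry) < int(now if now is not None else time.time()):
        return False  # expired
    if nonce in _used_nonces:
        return False  # replayed
    _used_nonces.add(nonce)
    return True
```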
- What is a "Trusted Inventory" and why is it important for device security? A "Trusted Inventory" is a comprehensive, accurate, and dynamic catalog of all devices within a network, including details about their type, ownership, configuration, and security status. It serves as a fundamental component of device identity and security. This inventory is not static; it is continuously updated to reflect the ever-changing digital environment. A trusted inventory is the foundation for implementing a Zero Trust security model, which assumes no inherent trust and requires continuous verification of devices attempting to access the network. This ensures only authorized and trusted devices can access network resources, enhancing overall security and reducing potential vulnerabilities.