7.4.0

Provisioning ZTNA certificates to FortiClient (iOS) using Jamf

EMS supports integration with the Jamf mobile device management (MDM) platform. EMS can connect to Jamf for zero trust network access (ZTNA) certificate provisioning to iOS devices that will be used for client authentication with FortiOS.

FortiClient Cloud, EMS in high availability mode, and EMS with multitenancy enabled do not support this feature.

This feature requires EMS 7.2.2 and later versions.

To provision ZTNA certificates to FortiClient (iOS) using Jamf:
  1. Configure an administrative account:
    1. In Jamf, go to Settings > User accounts and groups.
    2. Click New, then create a standard account.
    3. From the Access Level dropdown list, do one of the following:
      1. Select Full Access to allow access to all Jamf sites when integrating the default Jamf site with EMS.
      2. To integrate a custom Jamf site with EMS, select Site Access.
    4. From the Privilege Set dropdown list, select Administrator.
    5. Set the credentials as desired, then click Save.

  2. Create an enrollment invitation:
    1. Go to Devices > Enrollment Invitations.
    2. Click New.
    3. Under Enrollment Method, select User-Initiated Enrollment.
    4. Configure other settings as desired, then click Next.
    5. Continue with the configuration, adding recipient email addresses and message details as desired. Jamf sends an email or SMS message with enrollment details to the configured recipients.
  3. Add a FortiClient application to install on iOS devices after they enroll:
    1. Go to Devices > Mobile Device Apps.
    2. Click New.
    3. Select App Store app or apps purchased in volume and click Next.
    4. Search for and add FortiClient as the application.
    5. On the General tab, from the Distribution Method dropdown list, select Install Automatically/Prompt Users to Install.
    6. On the Scope > Targets tab, select the desired devices and users for which to install the FortiClient application.
    7. On the App Configuration tab, enter the following in the Preferences field:
      <dict>
        <key>jamf_device_id</key>
        <string>$JSSID</string>
        <key>mac_address</key>
        <string>$MACADDRESS</string>
        <key>udid</key>
        <string>$UDID</string>
        <key>invitation_code</key>
        <string>_VjE6MTkyLjE2OC4xLj...</string>
      </dict>

      FortiClient (iOS) 7.2.3 and later versions support the invitation_code key, which accepts a FortiClient Cloud or on-premise EMS invitation code so that FortiClient can connect to EMS. Replace the truncated value shown above with the full invitation code copied from EMS.

    8. Configure other fields as desired, then click Save.
  4. In EMS, configure the Jamf integration:
    1. Go to System Settings > MDM Integration.
    2. Enable the MDM integration.
    3. From the Vendor dropdown list, select Jamf.
    4. In the Site URL field, enter your Jamf instance site URL.
    5. In the Username and Password fields, enter the credentials that you configured in step 1.
    6. If desired, configure the desired site. If this field is empty, EMS integrates with the default Jamf site.
    7. Click Test Connection. Once successful, click Save.

  5. The user opens the enrollment link on their iOS device and enters their details as prompted to complete enrollment. Once the device is enrolled, the user is prompted to install FortiClient. After installation, FortiClient registers to EMS, and once it is connected the ZTNA certificate is issued and installed on the endpoint over SCEP. To verify this on the device, go to Settings > General > VPN & Device Management and open More Details for the management profile.
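
The App Configuration fragment in step 3 is pasted by hand, and a mistake there (a missing key, a mistyped payload variable, or the truncated invitation code left in place) only shows up later as a device that never registers to EMS. The following is an added example, not Fortinet or Jamf code, that checks the fragment before it is scoped to devices. It takes the key names and the `$JSSID`, `$MACADDRESS` and `$UDID` payload variables from the procedure above; the device record, the `CONSTRUCTED-INVITATION-CODE` value and the `render_for_device` preview of Jamf's install-time substitution are constructed for illustration and are not real identifiers or Jamf behaviour beyond plain variable replacement.

```python
"""Pre-flight check for the Jamf App Configuration fragment FortiClient (iOS) reads.

Added example, not Fortinet or Jamf code: parses the <dict> pasted into the
Preferences field, checks the keys from the procedure are bound to Jamf payload
variables, rejects a still-truncated invitation_code, and previews the per-device
substitution Jamf performs at install time.
"""
import plistlib
import re

# Keys from the procedure and the Jamf payload variable each must carry.
REQUIRED_VARIABLES = {
    "jamf_device_id": "$JSSID",
    "mac_address": "$MACADDRESS",
    "udid": "$UDID",
}

# Constructed sample: the fragment as shown in the procedure, invitation code
# still truncated.
TRUNCATED_FRAGMENT = """<dict>
<key>jamf_device_id</key>
<string>$JSSID</string>
<key>mac_address</key>
<string>$MACADDRESS</string>
<key>udid</key>
<string>$UDID</string>
<key>invitation_code</key>
<string>_VjE6MTkyLjE2OC4xLj...</string>
</dict>"""

# Same fragment with a constructed stand-in for the full code copied from EMS.
COMPLETE_FRAGMENT = TRUNCATED_FRAGMENT.replace(
    "_VjE6MTkyLjE2OC4xLj...", "CONSTRUCTED-INVITATION-CODE"
)

# Constructed device record (made-up identifiers) standing in for what Jamf
# knows about one enrolled iPhone.
SAMPLE_DEVICE = {
    "$JSSID": "42",
    "$UDID": "00008030-000A1B2C3D4E5F60",
    "$MACADDRESS": "AA:BB:CC:DD:EE:FF",
}


def parse_fragment(fragment: str):
    """Parse a bare <dict> fragment; plistlib needs a <plist> envelope to detect XML."""
    wrapped = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0">' + fragment.strip() + "</plist>"
    )
    return plistlib.loads(wrapped.encode("utf-8"), fmt=plistlib.FMT_XML)


def validate_fragment(fragment: str) -> list:
    """Return the problems found; an empty list means the fragment is ready to paste."""
    try:
        prefs = parse_fragment(fragment)
    except Exception as exc:  # malformed XML or a non-plist payload
        return [f"fragment does not parse as a plist: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level element must be <dict>"]

    problems = []
    for key, variable in REQUIRED_VARIABLES.items():
        value = prefs.get(key)
        if value is None:
            problems.append(f"missing key {key}")
        elif value != variable:
            problems.append(f"{key} must be the payload variable {variable}, got {value!r}")

    code = prefs.get("invitation_code")
    if code is None:
        problems.append("missing invitation_code (FortiClient (iOS) 7.2.3+ uses it to reach EMS)")
    elif not isinstance(code, str) or not code.strip():
        problems.append("invitation_code must be a non-empty string")
    elif code.endswith("...") or "\u2026" in code:
        problems.append("invitation_code is truncated; paste the full code copied from EMS")
    elif re.search(r"\s", code):
        problems.append("invitation_code contains whitespace")
    return problems


def render_for_device(fragment: str, device: dict) -> dict:
    """Preview Jamf's install-time substitution of payload variables for one device."""
    rendered = {}
    for key, value in parse_fragment(fragment).items():
        if isinstance(value, str):
            for variable, actual in device.items():
                value = value.replace(variable, actual)
        rendered[key] = value
    return rendered


if __name__ == "__main__":
    print("truncated:", validate_fragment(TRUNCATED_FRAGMENT) or "OK")
    print("complete:", validate_fragment(COMPLETE_FRAGMENT) or "OK")
    print(render_for_device(COMPLETE_FRAGMENT, SAMPLE_DEVICE))
```

Run it against the fragment you intend to paste; the truncated sample fails on the invitation code and the completed one passes. The invitation code is what allows a device to connect to your EMS, so keep the app's scope in step 3.6 limited to the devices that should register, and treat the code as a secret rather than copying it into tickets or shared notes.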

The following shows an endpoint that is enrolled with MDM and has an MDM profile installed on the EMS endpoint summary page:
