Trusted Device Inventory for Jamf

Linda Ikechukwu

Follow Smallstep

We’re thrilled to introduce Trusted Device Inventories for Jamf Pro. Until now, Jamf Pro had no straightforward way to confirm that only trusted, company-owned devices could enroll.

By integrating Jamf’s MDM capabilities with Smallstep’s high-assurance workflows, you can now ensure that certificates are issued exclusively to only verified company devices—protecting resources, simplifying processes, and bringing real high-assurance device identity into Jamf Pro.

Most organizations rely on Jamf Pro plus a standard CA to distribute credentials for Wi-Fi, VPN, or other internal services. After a user authenticates (whether by credentials or SSO), Jamf sends the device a configuration profile containing the shared secret or challenge needed to request a certificate from the CA. However, these profiles—and their embedded secrets—are fully portable. They can be copied or intercepted and installed on any machine. Because standard MDM workflows don’t verify the underlying hardware, the CA will happily issue certificates to that machine, granting it the same certificate-based privileges as a legitimate, company-owned device

As portable credentials have increasingly fuelled major security breaches (e.g., the 2024 Snowflake data breach), enabling phishing, credential theft, and impersonation attacks, it’s clear we need a stronger security foundation.

The lack of hardware-based validation at the MDM layer is a security gap. Device identity is the missing link. By using ACME Device Attestation (ACME DA)—a new standard for high-assurance device identity, created by Google and Smallstep—we can cryptographically bind credentials to trusted, company-owned devices so that only verified company-owned devices can access critical resources like Wi-Fi networks, VPNs, GitHub repos, financial dashboards, or GDPR-scoped databases.

Jamf without Smallstep means:

• No way to enforce which devices are allowed to enroll: Certificates are issued based on user credentials alone, with no validation of whether the device itself is trusted.
• Static SCEP Challenges: Many MDM setups rely on a single, never-changing secret. And if it is leaked, anyone can generate a valid certificate.
• Tedious certificate renewals: IT teams are left to manually manage certificate lifecycles, increasing operational overhead.
• Limited cross-platform visibility: Jamf is great for macOS, but many orgs also manage Windows, Linux, or BYOD—leading to multiple certificate workflows and blind spots.

Why Smallstep + Jamf Is Better Together

With Smallstep’s Trusted Inventories, we’ve reimagined how Jamf Pro device enrollment works.

1. Sync Device Inventories: Smallstep talks directly to Jamf Pro (via webhooks and API) to keep an up-to-date inventory of company-owned devices. Any device not in Jamf’s inventory is blocked from requesting certificates.
2. Dynamic SCEP Challenges: This is a huge improvement from the static SCEP certificate enrollment process used by many MDMs, where a single, long-lived “challenge password” is used to authenticate all certificate requests. And, if anyone gets hold of that static “challenge password”, they can generate valid certs for unapproved devices. With Dynamic SCEP, instead of a shared secret, each certificate request gets a unique, short-lived challenge. Even if an attacker captures one challenge, it’s only valid for a short window and tied to a specific device identity check. This prevents rogue devices from slipping through unnoticed. If a device can’t prove it’s on your Jamf inventory, it never even makes it to the certificate-issuing phase.
3. ACME Device Attestation (ACME DA): This is where the hardware-based validation happens before a certificate is ever issued. When a device attempts to enroll, Smallstep requests a hardware attestation statement (from Apple’s Secure Enclave or a TPM). Smallstep confirms that this hardware attestation is legitimate and ties it back to the device record in Jamf. If the device’s hardware identity doesn’t match Jamf’s inventory, enrollment fails. By binding the certificate to the device’s hardware, even if someone copies the cert, it won’t function on a different machine.
4. Automated Lifecycle and Renewals: Once devices pass the trust check and receive certificates, they renew automatically—no extra manual steps for admins. This applies to both standard certificate-based Wi-Fi/VPN and higher-security use cases.
5. Cross-Platform Scalability: Although this release targets Jamf + macOS, our Trusted Device Inventories architecture extends seamlessly to Windows, Linux, or Intune-managed endpoints. You’ll have one place to see and manage all your devices.

What you can do with Smallstep + Jamf

Our Jamf integration supports two primary use cases. You can adopt either one, or both, depending on your organization’s needs:

Certificate-Based Wi-Fi (or VPN) with Jamf

If you already use Jamf Pro to push out Wi-Fi or VPN credentials, our Jamf Trusted Device Inventory integration makes that process more secure by default. Devices will now have to prove they’re legitimate before receiving certificates.

High-Assurance Device Identity

For teams handling sensitive data or IP, certificate-based access isn’t enough if the device itself isn’t verified. By leveraging ACME Device Attestation (ACME DA), we cryptographically bind credentials to trusted, company-owned devices, such that only verified devices can access high-value resources—like financial dashboards, GitHub repos, or GDPR-scoped PII—closing the gap on impersonation and credential theft.

A truly centralized device inventory for all your organization’s needs

This is more than a Jamf + Mac solution. Our new device inventory capability goes beyond Apple and extends to Windows and Linux systems. You can rely on Smallstep as a single source of truth for device identity—across all device types.

• Watch our demo video here
• Explore the official documentation here
• Try it out now