smallstep_full_white

Connect Jamf Pro to Smallstep

Smallstep can integrate with Jamf Pro to synchronize your device inventory, and enroll your fleet with Smallstep using the Smallstep Agent. In this document, we will configure your Jamf Pro instance for use with your Smallstep team.

Prerequisites

You will need:

Step-by-step instructions

Create an API Client in Jamf Pro

This API client will allow Smallstep to read your Jamf device inventory and manage the webhooks necessary for ongoing inventory syncing.

  1. In Jamf Pro, choose ⚙️ Settings

  2. Under the System tab, choose API Roles and Clients

  3. Add an API Role

    Display name: Smallstep

    For Privileges, choose:

    • Read Mobile Devices
    • Read Computers
    • Webhooks: Create, Delete, Read, Update

  4. Next, in the API Clients tab, add a Client

    • Display name: Smallstep
    • API Roles: Smallstep
    • Enabled: Yes, choose Enable
    • Choose Save

  5. Choose Generate client secret

  6. Temporarily save the Client ID and Client Secret. You’ll use them in the next step.

Connect Jamf to Smallstep

Let’s add the Jamf API credentials you just created to Smallstep.

  1. In the Smallstep UI, go to the Device Management tab in ⛭ Settings
  2. Under Jamf, choose ➕ Connect
  3. Enter the API credentials from Jamf
  4. Choose Add Platform. Your device inventory will start syncing from Jamf to Smallstep.
  5. Temporarily save the Webhook URL, Username, and Password presented.

Configure a SCEP Enrollment webhook in Jamf Pro

For compatibility reasons, Smallstep may use ACME or SCEP for certificate enrollment. The SCEP Enrollment webhook allows Jamf to request a dynamic, short-lived challenge string from Smallstep during a SCEP request. The challenge string is injected into a SCEP payload for your clients to authenticate to Smallstep.

  1. In Jamf Pro, choose ⚙️ Settings
  2. Under the Global tab, Choose Webhooks
  3. Add a new Webhook
    1. Display name: Smallstep
    2. Webhook URL: (details from step #2)
    3. Authentication Type: Basic
      1. Basic Authentication Username: (details from step #2)
      2. Basic Authentication Password: (details from step #2)
      3. Basic Authentication Verify Password: (details from step #2)
    4. Content Type: JSON
    5. Webhook Event: SCEPChallenge
  4. Choose Save

Create an Agent Package for Distribution

In this step, you’ll upload the Smallstep agent package to Jamf’s distribution network.

  1. Download the latest package from packages.smallstep.com
  2. In Jamf Pro, choose ⚙️ Settings
  3. Under the Computer Management tab, Choose Packages
  4. Add a new Package
    1. Display name: Smallstep Agent
    2. Filename: (upload from step #1)
  5. Choose Save

Create an Agent Bootstrap Script

This step will install a script on your client devices that bootstraps the connection between your devices and Smallstep.

  1. In Jamf Pro, choose ⚙️ Settings
  2. Under the Computer Management tab, Choose Scripts
  3. Add a new Script
    1. In the General tab, for Display Name: Smallstep Agent Install
    2. In the Script tab:

      • Mode: Shell/Bash

      • Content:

        launchctl stop com.smallstep.launchd.Agent
/Applications/SmallstepAgent.app/Contents/MacOS/SmallstepAgent svc install
  4. Choose Save

Create an Agent Installation Policy

Next, we’ll configure the Script we just created to run on your client devices.

  1. In Jamf Pro, choose 💻 Computers
  2. Under the Content Management tab, choose Policies
  3. Add a new Policy

    1. Under Options → General:

      • Display name: Smallstep Agent
      • Trigger: Login
      • Execution Frequency: Ongoing

      Note: With this policy, the package will be installed at the device’s next check-in, typically within 15 minutes.

    2. Under Options → Packages → Configure

      • Choose the Smallstep Agent package you created earlier
      • Distribution Point: (choose desired distribution point)
      • Action: Install

    3. Under Options → Scripts → Configure

      • Add the Smallstep Agent Install script you created earlier

    4. Under Scope, select your desired policy scope. The agent will be installed on all devices in this scope.

  4. Choose Save

Configure an Agent Enrollment Profile

In this step, we’ll tie everything together by configuring Jamf to distribute the Smallstep Agent.

  1. In the Smallstep dashboard, choose Certificate Manager
    1. Select Authorities
    2. Select the Smallstep Agents authority
    3. Download the Root Certificate
    4. Under the Provisioners section of the page, choose the provisioner beginning with integration-jamf
    5. Temporarily save the URL shown on the page, eg. https://agents.example.ca.smallstep.com/scep/integration-jamf-b967f507
  2. In the Smallstep dashboard, choose ⚙️ Settings
    1. Temporarily save the Team Slug value
  3. In Jamf Pro, choose 🖥️ Computers
  4. Under the Content Management tab, Choose Configuration Profiles
  5. Add a new Configuration Profile

    1. Choose Options → General

      • Name: Smallstep

    2. Add a Managed Login Items payload

      • Rule type: Bundle Identifier
      • Rule value: com.smallstep.Agent

    3. Add a Certificate payload

      • Certificate Name: Smallstep Agents Authority
      • Certificate Option: Upload
      • Certificate Upload: (upload the Root certificate you downloaded earlier)
      • Allow all apps access: ☑️

    4. Add a SCEP payload

      • URL: (paste the provisioner URL you saved earlier)
      • Name: Smallstep
      • Redistribute Profile: 7 days
      • Challenge Type: Dynamic
      • Key Size: 2048
      • Allow all apps access: ☑️

    5. Select Options → Application & Custom Settings → External Applications

      Add new custom settings:

      • Options → External Applications → Source: Custom Schema
      • Options → External Applications → Preference Domain: com.smallstep.Agent
      • Options → External Applications → Custom Schema

        1. Choose Add Schema

        2. Copy the following JSON in to the window and choose Save

          {
  "title": "Smallstep Agent (com.smallstep.agent)",
  "description": "Configure settings for the Smallstep Agent.",
  "properties": {
    "TeamSlug": {
      "type": "string",
      "title": "Smallstep Details: Team",
      "description": "The slug for your organization's Smallstep team, available in the Smallstep dashboard under Settings.",
      "property_order": 10
    },
    "Certificate": {
      "type": "string",
      "title": "Smallstep (Debug): Certificate URI",
      "description": "A KMS URI that points to a certificate that can be used for agent bootstrapping.",
      "property_order": 10
    }
  }
}
        • Options → External Applications → Custom Schema → Smallstep Details: Team: (paste the Team Slug you saved earlier)
        • Options → External Applications → Custom Schema → Smallstep Details: Certificate URI: mackms:label=$PROFILE_IDENTIFIER;se=false;tag=
      1. Finally, set the profile scope:
        1. Choose Edit
        2. Set the desired scope. This should mirror the scope you chose when creating the Policy in step 5.
        3. Choose Save

Your Smallstep team is now linked to Jamf. The devices that you scoped will receive a certificate and have the agent installed and running.

Confirmation

There's two ways to confirm installation on an endpoint:

  • In the Smallstep UI, go to the device's profile page. In the Device Registration section, you'll see an Enrolled At timestamp.
  • Alternatively, on the device itself, run /Applications/SmallstepAgent/Contents/MacOS/SmallstepAgent version to see that the agent is installed. And, in System Settings, check Login Items to confirm that there is a Smallstep Agent entry.