Secure VPN access from trusted devices

Smallstep provides hardware-bound, short-lived VPN certificates, issued only after cryptographically verifying device authenticity. No static keys, no guesswork—just verifiable trust directly tied to your VPN authentication.

MDM integration
Automate configuration & renewal
Hardware-bound credentials
Zero touch deployment
Cross-platform client support
Replacement for AD CS
Smallstep VPN certificate-based authentication diagram - laptop with hardware-bound TPM Secure Enclave keys connecting to enterprise resources via ACME Device Attestation - replacing passwords with short-lived certificates for Zero Trust network access

Move beyond password and token-based VPN logins

Smallstep replaces passwords, tokens, and pre-shared keys with VPN client certificates that can't be stolen, reused, or phished. Certificates are bound directly to hardware-secured keys (TPM or Secure Enclave) and issued only after cryptographic attestation verifies device authenticity.

SCEP protocol dumpster fire graphic illustrating security issues with legacy device certificates

Upgrade from weak enrollment

Static passwords and pre-baked SCEP payloads are risky and outdated. Smallstep modernizes enrollment with ACME Device Attestation through the Smallstep agent, verifying devices cryptographically before issuing short-lived certificates. For scenarios without the agent, Smallstep supports Dynamic SCEP via your MDM as a secure alternative. Either way, you achieve scalable, secure VPN authentication.

A laptop with the Smallstep logo surrounded by a cluster of logos

Consistent access policy for every device

With Smallstep's agent, you can extend high-assurance VPN authentication to every device in your environment, even edge cases that fall outside of traditional management tools. Whether you are managing macOS, Windows, or Linux devices, you can deliver VPN configurations and certificates to them with Smallstep. The agent handles certificate provisioning and lifecycle management behind the scenes. No brittle scripts. No manual installs.

SSH network topology - distributed infrastructure, certificate-based remote access paths

Deploy certificate-based VPN access with zero friction

Quickly upgrade your existing VPN with turnkey integrations that leverage device identity without impacting end users. The Smallstep agent runs in the background, provisioning certificates and handling renewals without interrupting the user experience. Users no longer need to enter credentials or download profiles. Authorized devices join the VPN automatically, using ACME DA for zero-touch deployment. Employees stay productive, and IT avoids manual certificate setup and management chaos.

Smallstep ACME certificate management dashboard with 32,175 attested devices across all platforms

Learn more about the platform

The Smallstep platform helps mitigate numerous cybersecurity threats – from phishing to advanced hardware attacks – without impacting end-user workflows.


Ready to Modernize VPN Access?

Join the teams replacing passwords and shared secrets with high-assurance device identity. While Smallstep's agent software is currently only able to manage IPsec VPN connections, Smallstep also supports native certificate-based authentication or RADIUS/EAP-TLS and works with VPNs based on SSL/TLS and IKEv2. This includes support for OpenVPN and strongSwan as well as commercial VPNs from Aruba, Check Point, Cisco, F5, Juniper, Palo Alto Networks, SonicWall, and Zscaler.