Jamf-AdcsConnector-Revocation

Certificate revocation is a security requirement to prevent unauthorized devices from accessing a network. Currently, the ability to perform certificate revocation is not possible with existing Jamf external CA integration, however, this can be accomplished using the following approach:

Create a non-compliance group in Jamf Pro (certificates to revoke)
Create a service account in Jamf with read-only API access
Create a scheduled task on Jamf AD CS Connector

Prerequisites

Jamf Pro, configured and working
Jamf AD CS Connector, configured and working
Microsoft CA (ADCS), configured and working

Install

1. Creating non-compliance group in Jamf

Login to your Jamf console and create a new group. This can be a Smart Group with specific compliance criteria like OS version, or a Static Group that will be manually managed. After creating your group, check the Jamf URL to determine the group unique ID. In the example below, the group ID is 830.

https://yourJamf.example.com/staticComputerGroups.html?id=830&o=r

2. Creating read-only API service account in Jamf

The simplest approach is to grant Access Level: Full Access and Privileged Set: Auditor. Ideally, you would restrict this to your specific environment (e.g. Computers, Mobile Devices, Smart Computer Groups, Smart Mobile Device Groups, Static Computer Groups, Static Mobile Device Groups)

3. Creating scheduled task on Jamf AD CS Connector

Granting permissions on Microsoft CA

To perform certificate revocation, you need to grant "Issue and Manage Certificates" permissions to either (1) the Jamf AD CS Connector computer object or (2) a dedicated service account. In the next step, we will configure the Scheduled Task on the Jamf AD CS Connector server accordingly.

Login to your Microsoft CA server
Launch Certification Authority (certsrv.msc)
Right-click the CA, select Properties, select the Security tab
Grant Issue and Manage Certificates to the appropriate computer or user object

Microsoft CA Permissions

Installing PowerShell PKI module on Jamf AD CS Connector

Windows Server 2016 has native support for installing from PowerShell Gallery. Otherwise, you can follow instructions here to install manually.

Install-Module -Name PSPKI

Creating Scheduled Task on Jamf AD CS Connector

You can create the scheduled task manually, otherwise this is an easy way of import it.

Login to your Jamf AD CS Connector server
Create a folder for storing the script and logs (by default, D:\Jamf-AdcsConnector-Revocation)
Copy Jamf-AdcsConnector-Revocation.ps1 and Jamf-AdcsConnector-Revocation.xml to the folder
Open Task Scheduler, right-click Task Scheduler Library, choose Import
Import the Jamf-AdcsConnector-Revocation.xml Scheduled Task XML
Update the Scheduled Task User or Group (by default, it is using the Jamf AD CS Connector computer object "SYSTEM" account)
Update the Scheduled Task Triggers (by default, it runs hourly, starting on 2020-01-01)
Update the Scheduled Task Actions (by default, script is D:\Jamf-AdcsConnector-Revocation\Jamf-AdcsConnector-Revocation.ps1)

Jamf AD CS Connector General tab Jamf AD CS Connector Actions tab

Logging

The scheduled task will log in two places:

Event Viewer: Application\Jamf-AdcsConnector-Revocation
Log file: Jamf-AdcsConnector-Revocation.log (by default, current path of Jamf-AdcsConnector-Revocation.ps1 script)

Event Viewer

Jamf AD CS Connector EventLog

Success Events

8000: Success - importing PSPKI module
8001: Success - querying Jamf group
8002: Success - querying Jamf computer
8003: Success - revoking certificate (or verifying it is already revoked)

Error Events

9000: Failure - importing PSPKI module
9001: Failure - querying Jamf group
9002: Failure - querying Jamf computer
9003: Failure - revoking certificate

Log file