The Kandji Team

AD CS Integration

Kandji's new Active Directory Certificate Services (AD CS) integration allows Kandji to securely communicate with Microsoft AD CS, so you can deploy AD CS certificates to the Apple devices you manage.

The key to this integration is the new AD CS Connector, a Windows-native app that leverages the Microsoft .NET framework and runs directly on an on-premises Windows server. That app uses the WebSocket protocol to establish a persistent real-time secure connection with Kandji; there's no need to open and maintain specific ports on your network firewall. There's also no need to configure or maintain any additional web server components; all you need is a Windows server that can communicate with the on-prem server running your AD CS services.

When Kandji needs to issue a certificate to a device enrolled in your Kandji instance, it uses that WebSocket connection to send a certificate request to the AD CS Connector (1). The connector then sends a certificate-signing request to Microsoft AD CS (2). AD CS returns that request back to the AD CS Connector (3), which sends an encrypted credential and certificate payload back to Kandji (4). Finally, Kandji securely sends a configuration profile payload with the certificate to the client device (5). For more details on how the integration works and how to set it up in your environments, see our support article.