Create a Mac Security ACME Policy

This policy enables the automated deployment and renewal of digital certificates on Mac computers using the Automatic Certificate Management Environment (ACME) protocol. By configuring this policy, organizations can enhance network security through robust identity verification, reduce administrative overhead via automated lifecycle management, and ensure a standardized certificate environment across all managed Mac computers.

Prerequisites

  • This policy is supported on Mac computers running macOS 11 and later.
  • Apple Mobile Device Management (MDM) must be configured for your organization, and Mac computers must be enrolled in JumpCloud MDM. See Set up Apple MDM.

Creating the Policy

To create the policy:

  1. Log in to the JumpCloud Admin Portal.

Important:

If your data is stored outside of the US, check which login URL you should use for your region; see JumpCloud Data Centers to learn more.

  2. Go to Device Management > Policy Management.
  3. Click (+).
  4. On the New Policy panel, select the Mac tab.
  5. Search for and select Security ACME from the list, then click Configure.
  6. (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
  7. (Optional) In the Policy Notes field, enter details such as the creation date of the policy and information on testing and deployment of the policy.

Configuring the Policy

Under the Settings section, use the following settings to automate how your Mac computers request, install, and renew security certificates from an ACME server:

  • ACME Directory URL: Enter the secure address (HTTPS) of your ACME server. This is the main link the Mac uses to communicate and request certificates.
  • Client Identifier: Provide a unique ID for the device. The server uses this to verify the device’s identity and prevent it from requesting multiple unnecessary certificates.
  • Key Type and Key Size: Choose the type of security "lock" to create (RSA or Elliptic Curve).
    Note: If you choose to secure the key to the device hardware, ensure you use the ECC (Prime Random) type with a size of 256 or 384.
  • Hardware Bound Key: Enable this to ensure the private security key is generated inside the device’s Secure Enclave. This prevents the key from being exported or copied to another machine.
    Note: Requires a Mac with Apple silicon or a T2 chip running macOS 14 or later, and Key Type must be ECSECPrimeRandom with a Key Size of 256 or 384.
  • Subject OID or Key and Value: The X.500 name of the certificate subject, represented as an array of OID/key and value pairs. For example: C=US, O=Apple Inc., CN=foo. Shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN) are supported.
  • Subject Alternative Name - Email: Enter the RFC 822 (email address) string for the Subject Alternative Name. This is an additional identity for the certificate.
  • Subject Alternative Name - DNS Name: Enter the DNS name for the Subject Alternative Name. This is an additional identity for the certificate.
  • Subject Alternative Name - Uniform Resource Identifier (URI): Enter the Uniform Resource Identifier for the Subject Alternative Name. This is an additional identity for the certificate.
  • Subject Alternative Name - NT Principal Name: Enter the NT principal name for the Subject Alternative Name. Uses OID 1.3.6.1.4.1.311.20.2.3.
  • Key Usage: This is a bit field for key usage. Bit 0x01 indicates digital signature, and bit 0x04 indicates encryption. The ACME server may override or ignore this field.
  • Extended Key Usage: This is an array of OIDs in dotted notation for extended key usage, like client authentication (1.3.6.1.5.5.7.3.2) or email protection (1.3.6.1.5.5.7.3.4). The ACME server may override this.
  • Attest: Select this to have the device "prove" its integrity to the server. It sends a secure description of its hardware properties to help the server decide if it should trust the device.
  • Allow All Apps Access: Select this if you want all applications on the Mac to be able to use the private key. By default, this is turned off for better security.
  • Key Is Extractable: Choose whether the certificate’s private key can be exported from the device keychain later. For maximum security, it is recommended to keep this disabled.
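The settings above map onto the ACMECertificate payload (PayloadType com.apple.security.acme) that Apple MDM delivers to the Mac, and several of them constrain each other (Hardware Bound Key requires ECSECPrimeRandom with 256 or 384, the directory URL must be HTTPS, Key Usage is limited to bits 0x01 and 0x04). The following Python script is an added example, not JumpCloud or Apple code: it lints a set of policy values against the rules stated in this article and renders them as a profile plist for review. The payload key names (DirectoryURL, ClientIdentifier, KeyType, KeySize, HardwareBound, UsageFlags, ExtendedKeyUsage, Attest, AllowAllAppsAccess, KeyIsExtractable, Subject, SubjectAltName) are those of Apple's ACMECertificate payload reference; that JumpCloud emits exactly this payload, and the sample URL, identifier and UUID values, are assumptions of the example.

```python
"""Pre-deployment lint for Security ACME policy values (added example, not
JumpCloud or Apple code). Payload key names follow Apple's ACMECertificate
payload reference; sample values below are constructed placeholders."""
import plistlib
import re
from urllib.parse import urlparse

# Subject shortcuts the article lists; anything else must be a dotted OID.
SUBJECT_SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}
KEY_USAGE_DIGITAL_SIGNATURE = 0x01  # Key Usage bit for digital signature
KEY_USAGE_ENCRYPTION = 0x04         # Key Usage bit for encryption
OID_RE = re.compile(r"^\d+(\.\d+)+$")


def parse_subject(subject: str) -> list:
    """Turn 'C=US, O=Apple Inc., CN=foo' into Apple's nested-array form:
    one relative distinguished name per element, each a list of [key, value]."""
    rdns = []
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed subject component: {part!r}")
        if key not in SUBJECT_SHORTCUTS and not OID_RE.match(key):
            raise ValueError(f"unsupported subject attribute: {key!r}")
        rdns.append([[key, value]])
    return rdns


def validate(settings: dict) -> list:
    """Return a list of problems; an empty list means the values are consistent
    with the constraints the article states for each setting."""
    problems = []
    url = urlparse(settings.get("DirectoryURL", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("DirectoryURL must be an HTTPS URL")
    if not settings.get("ClientIdentifier"):
        problems.append("ClientIdentifier must not be empty")
    key_type, key_size = settings.get("KeyType"), settings.get("KeySize")
    if key_type not in ("RSA", "ECSECPrimeRandom"):
        problems.append(f"unsupported KeyType {key_type!r}")
    hardware_bound = bool(settings.get("HardwareBound"))
    if hardware_bound and not (key_type == "ECSECPrimeRandom" and key_size in (256, 384)):
        problems.append("HardwareBound requires KeyType ECSECPrimeRandom with KeySize 256 or 384")
    flags = settings.get("UsageFlags", 0)
    if flags & ~(KEY_USAGE_DIGITAL_SIGNATURE | KEY_USAGE_ENCRYPTION):
        problems.append(f"UsageFlags {flags:#x} sets bits other than 0x01/0x04")
    for oid in settings.get("ExtendedKeyUsage", []):
        if not OID_RE.match(oid):
            problems.append(f"ExtendedKeyUsage entry {oid!r} is not a dotted OID")
    if hardware_bound and settings.get("KeyIsExtractable"):
        problems.append("KeyIsExtractable is set although HardwareBound prevents export")
    return problems


def render_profile(settings: dict, subject: str, san: dict) -> bytes:
    """Render validated settings as a configuration profile plist (bytes)."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "PayloadType": "com.apple.security.acme",
        "PayloadIdentifier": "com.example.acme.client-cert",  # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",  # placeholder
        "PayloadVersion": 1,
        "Subject": parse_subject(subject),
        "SubjectAltName": san,
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.acme.profile",  # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000002",  # placeholder
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


# Constructed sample values mirroring the settings described in the article.
EXAMPLE_SETTINGS = {
    "DirectoryURL": "https://acme.example.com/directory",
    "ClientIdentifier": "placeholder-device-id",
    "KeyType": "ECSECPrimeRandom",
    "KeySize": 384,
    "HardwareBound": True,
    "UsageFlags": KEY_USAGE_DIGITAL_SIGNATURE,
    "ExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],  # client authentication
    "Attest": True,
    "AllowAllAppsAccess": False,
    "KeyIsExtractable": False,
}
EXAMPLE_SAN = {"rfc822Name": "user@example.com", "dNSName": "mac01.example.com"}

if __name__ == "__main__":
    print(render_profile(EXAMPLE_SETTINGS, "C=US, O=Example Corp, CN=mac01", EXAMPLE_SAN).decode())
```

Run the script to see the rendered payload; change KeyType to RSA while leaving HardwareBound enabled and validate() reports the conflict before anything reaches a device.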

Assigning and Applying the Policy

To apply and save the policy:

  1. (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  2. (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
  3. Click Save. If prompted, click Save again. The policy configuration settings are applied automatically and do not require a system restart.