This policy configures Automated Certificate Management Environment (ACME) settings on managed iOS and iPadOS devices to automatically request, obtain, and renew client certificates from a trusted ACME server. Standardizing ACME certificate management through this policy improves security by enforcing strong certificate-based authentication, enhances productivity by removing manual certificate deployment, and supports consistent configuration across the organization’s iOS/iPadOS devices.
Prerequisites:
- iOS and iPadOS devices must be enrolled in Apple MDM with one of the following enrollment types:
  - Automated Device Enrollment (ADE) - These devices are owned by the corporation and enrolled through ADE.
  - Device Enrollment - These devices are owned by the corporation and enrolled by the admin or by the user.
  - User Enrollment - These are personal devices used for work, where the user enrolls the device to access corporate data securely while maintaining personal privacy.
  For more information, see Choose an MDM Enrollment Method.
- Target devices must be running iOS/iPadOS 16 or later.
Creating the Policy
To create the policy:
- Log in to the JumpCloud Admin Portal.
  If your data is stored outside of the US, use the login URL for your region; see JumpCloud Data Centers to learn more.
- Go to Device Management > Policy Management and click (+).
- On the New Policy panel, select the iOS tab.
- Search for and select Security ACME from the list, then click Configure.
- (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
- (Optional) In the Policy Notes field, enter details such as creation date of the policy, and information on testing and deployment of the policy.
- Configure the following policy settings:
  - ACME Directory URL (Required) - Enter the full HTTPS URL of your organization’s ACME directory endpoint (for example, https://acme.example.com/directory), as provided by your certificate authority or internal ACME service.
  - Client Identifier (Required) - Provide a unique string that identifies the specific device and serves as an anti-replay code to prevent redundant certificate issuance. This identifier signals to the ACME server that the device holds a valid client identifier from your enterprise infrastructure, but because it can be intercepted, treat it as a secondary trust indicator only.
  - Key Size (Required) - Enter the key size in bits.
  - Key Type (Required) - Enter the type of key pair to generate.
  - Hardware Bound Key (Required) - Select this option to bind the private key to the device via the Secure Enclave, which prevents the key from being exported. This requires KeyType to be ECSECPrimeRandom and KeySize to be 256 or 384.
  - Subject (Required) - Define the requested certificate subject as an array of OID-value pairs (for example, [ [ ["C", "US"] ], [ ["CN", "foo"] ] ]), using either dotted-number OIDs or standard shortcuts such as C, L, ST, O, OU, and CN. Although the device sends this X.500 name to the ACME server, the server retains the authority to override or ignore these fields in the issued certificate.
  - RFC 822 Name - Enter the RFC 822 (email address) string for the Subject Alt Name.
  - DNS Name - Enter the DNS name for the Subject Alt Name.
  - URI - Enter the Uniform Resource Identifier for the Subject Alt Name.
  - NT Principal Name - Enter the NT principal name for the Subject Alt Name. This uses the otherName OID set to `1.3.6.1.4.1.311.20.2.3`.
  - Key Usage - Enter a bit value for key usage. Bit 1 (0x01) indicates digital signature, and bit 4 (0x04) indicates encryption. The ACME server may override this setting.
  - Extended Key Usage - Add one or more Object Identifiers (OIDs) in dotted notation for extended key usage (for example, `1.3.6.1.5.5.7.3.2` for client authentication). The ACME server may override this setting.
  - Attest Certificate - Select this field to provide device and key attestations that the ACME server can use as strong evidence of hardware binding and device integrity when calculating a trust score. This requires HardwareBound to also be set to true.
  - Allow Key to be Extractable - Set this field to true to tag the private key of the identity obtained through ACME as "non-extractable" in the keychain.
  - Allow All Apps Access - Set this field to true to allow all applications access to the private key.
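As an added example (not JumpCloud's or Apple's code), the following Python checks a policy definition against the field dependencies described above before it is deployed: HTTPS directory URL, hardware binding only with ECSECPrimeRandom 256/384, attestation only with hardware binding, the Subject array shape, and well-formed OIDs. The dictionary keys mirror the field names on this page and are assumptions for illustration, not Apple payload keys.

```python
import re
from urllib.parse import urlparse
OID_RE = re.compile(r"^\d+(\.\d+)+$")
SUBJECT_SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}

def _valid_subject(subject) -> bool:
    """Subject: non-empty array of RDNs, each a non-empty array of [oid, value] pairs."""
    if not isinstance(subject, list) or not subject:
        return False
    for rdn in subject:
        if not isinstance(rdn, list) or not rdn:
            return False
        for pair in rdn:
            if not (isinstance(pair, list) and len(pair) == 2):
                return False
            if pair[0] not in SUBJECT_SHORTCUTS and not OID_RE.match(str(pair[0])):
                return False
    return True

def validate_acme_policy(cfg: dict) -> list[str]:
    """Return the list of rule violations; an empty list means the policy is consistent."""
    errors = []
    url = urlparse(cfg.get("DirectoryURL", ""))
    if url.scheme != "https" or not url.netloc:
        errors.append("DirectoryURL must be a full HTTPS URL")
    if not cfg.get("ClientIdentifier"):
        errors.append("ClientIdentifier is required")
    # Secure Enclave binding only works for EC P-256 / P-384 keys.
    if cfg.get("HardwareBound") and (
            cfg.get("KeyType") != "ECSECPrimeRandom" or cfg.get("KeySize") not in (256, 384)):
        errors.append("HardwareBound requires KeyType ECSECPrimeRandom and KeySize 256 or 384")
    if cfg.get("Attest") and not cfg.get("HardwareBound"):
        errors.append("Attest requires HardwareBound")
    if not _valid_subject(cfg.get("Subject")):
        errors.append("Subject must be an array of arrays of [OID, value] pairs")
    if cfg.get("KeyUsage", 0) & ~0x05:
        errors.append("KeyUsage may only combine 0x01 (digital signature) and 0x04 (encryption)")
    for oid in cfg.get("ExtendedKeyUsage", []):
        if not OID_RE.match(oid):
            errors.append(f"ExtendedKeyUsage entry {oid!r} is not a dotted OID")
    return errors

# Constructed sample: hardware-bound, attested P-256 identity for client authentication.
STRONG_POLICY = {
    "DirectoryURL": "https://acme.example.com/directory",
    "ClientIdentifier": "device-0001-placeholder",  # constructed; must be unique per device
    "KeyType": "ECSECPrimeRandom", "KeySize": 256, "HardwareBound": True, "Attest": True,
    "Subject": [[["C", "US"]], [["CN", "foo"]]],
    "KeyUsage": 0x01, "ExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
}
```

Running `validate_acme_policy` on a variant with an RSA key or a plain-HTTP directory URL returns the corresponding violations instead of an empty list.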
Assigning and Applying the Policy
- (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
- (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
- Click Save. If prompted, click Save again. The policy configuration settings are applied automatically and do not require a system restart.