smallstep · tashian · Feb 3, 2025 · Jan 28, 2025 · Jan 31, 2025 · Jan 31, 2025
@@ -102,7 +102,8 @@ the `--password-file` flag accepts
       "x509": {
         "allow": {
           "dns": ["*.local"]
-        }
+        },
+        "allowWildcardNames": false
       },
       "ssh": {
         "user": {
@@ -252,6 +253,8 @@ the `--password-file` flag accepts
 
   - **template**: default ASN1DN values for new certificates. See [Templates](./templates.mdx).
 
+  - **policy**: authority-wide policy for certificate identifiers. See [Policies](./policies.mdx).
+
   - **disableIssuedAtCheck**: ☠️  disable a check verifying that provisioning tokens must be issued after the CA has booted. This claim is one prevention against token reuse. The default value is false. Do not change this unless you know what you are doing.
 
   - **claims**: default validation for requested attributes in the certificate request. Can be overridden by similar claims objects defined by individual provisioners.

@@ -83,7 +83,20 @@ A rule for `*.éxàmplê.com` will internally be represented using its internati
 This rule will match `www.éxàmplê.com` as well as its internationalized representation `www.xn–xmpl-0na6cm.com` (and other subdomains).
 
 By default it is not possible to request a certificate with a literal wildcard character in the domain, like `*.example.com`.
-It is possible to configure the policy to allow this.
+It is possible to configure the policy to allow this:
+
+```
+"policy": {
+    "x509": {
+        "allow": {
+            "dns": ["*.example.com"]
+        }
+        "allowWildcardNames": true
+    }
+}
+
+```
+
 
 #### Examples
 
@@ -287,7 +300,6 @@ An example is shown below:
             "dns": ["forbidden.local"],
             "ip": ["192.168.0.1"]
         },
-        "allowWildcardNames": false,
     },
     "ssh": {
         "user": {

@@ -8,14 +8,32 @@ Smallstep can integrate with Jamf Pro to synchronize your device inventory, and
 
 This document also contains [uninstall instructions](#uninstall-smallstep-agent-with-jamf-pro).
 
-# Prerequisites
+# Requirements & Limitations
 
 You will need:
 
 - A [Smallstep team](https://smallstep.com/signup) with Pro features enabled
 - A [Jamf Pro](https://www.jamf.com/products/jamf-pro/) tenant
 - A [package distribution point](https://learn.jamf.com/en-US/bundle/jamf-pro-install-guide-linux-current/page/About_Distribution_Points.html) configured in Jamf Pro
 
+Client requirements:
+
+- The agent will need to reach the following domains:
+  ```
+  smallstep.com
+  api.smallstep.com
+  gateway.smallstep.com
+  control.infra.smallstep.com
+  *.[team-name].ca.smallstep.com
+  auth.smallstep.com
+  att.smallstep.com
+  ```
+
+Limitations:
+
+- For VPN configurations, only IPSec VPNs are currently supported.
+- “Always-on VPN” or device-wide VPNs are not yet supported in Smallstep-managed configurations.
+
 # Step-by-step instructions
 
 ### Create an API Client in Jamf Pro

@@ -8,6 +8,8 @@ description: This tutorial describes how to configure Smallstep with VPN servers
 This tutorial describes how to configure your VPN server for certificate-based authentication with Smallstep.
 The Smallstep app can then configure and issue certificates to your clients.
 
+Smallstep's agent software is currently only able to manage IPSec VPN connections.
+
 # Overview of Setup Steps
 
 While the details will differ between VPNs, the process of configuring a VPN server