What is Active Directory Certificate Services?
Microsoft Active Directory Certificate Services (AD CS) creates an on-premises public key infrastructure (PKI) that lets organizations issue, validate, and revoke certificates for internal use. The Iru Endpoint AD CS integration works with your existing Microsoft AD CS setup to request certificates from AD CS. You can then push these certificates to devices through configuration profiles, which enables certificate-based authentication so users can access corporate resources like enterprise Wi-Fi networks.Kandji versus Iru Endpoint AD CS
On Kandji, AD CS uses the legacy Connector (Auth0 sign-in). After you Upgrade to Iru, Iru Endpoint uses the updated Connector (Iru identity and registration approval). To move a Kandji AD CS deployment to Iru, see Migrating from Kandji to Iru with AD CS. If you already run the updated Connector on Iru Endpoint and need a newer build, see Updating the Iru AD CS Connector. The Iru Connector has stricter Windows Server, .NET, TPM, and firewall expectations than a legacy Kandji setup. See AD CS Connector Installation for the host checklist and installation steps, and Network requirements for allowlist differences by Connector generation.Certificate Request Flow
The diagram summarizes how certificate requests move between Iru Endpoint, the AD CS Connector on your network, Microsoft AD CS, and enrolled devices.
Send certificate request from Iru Endpoint
Generate key pair and submit signing request
Issue certificate from AD CS
Return encrypted certificate bundle to Iru Endpoint
AD CS setup path
Use the diagram as your rollout checklist. Start on the left with Network allowlists; complete the guidance in Network requirements and the AD CS Integration Network Requirements tables in Using Iru on Enterprise Networks, then follow the guides in order from left to right. Each article ends with Next Steps that point you to the following task.Using Iru on Enterprise Networks
in AD CS
in Iru Endpoint
on Windows Server
when required
deploy to devices
Network Requirements
Confirm the following before you install the Connector or finish the integration wizard.Network paths and firewall rules
Network paths and firewall rules
adcsconn destinations as documented there.Legacy Connector still on the network
Legacy Connector still on the network
Next Steps
After you finish this overview:Create the computer certificate template on your issuing CA
Connector Versions
Updated connector
The updated AD CS Connector is the Iru Endpoint package you download from Integrations > Active Directory Certificate Services. It uses Iru identity for sign-in and shows a registration URL after sign-in. Approve the Connector host in Approve AD CS connector registration. Product and security updates ship only for this package. Installers are 2.x versions.Legacy connector
The legacy AD CS Connector is the release for Kandji tenants. It uses Auth0-based sign-in. Iru Endpoint does not ship updates for it. After you upgrade the tenant to Iru, uninstall the legacy Connector from Windows Server and install the updated Connector from your Iru tenant.Updating the Iru AD CS Connector
Use this workflow when your tenant already runs on Iru Endpoint and you need a newer updated Connector build on Windows Server, or when you are refreshing the Connector on a host that has already registered with Iru identity.Download and install the latest build

Sign in and approve registration
Verify Connector status
Assign issuing CAs and remove a stale legacy row when needed
Optional: Move the Connector to a different Windows Server
Migrating from Kandji to Iru with AD CS
Complete the platform upgrade to Iru before you replace the AD CS Connector on Windows Server. The legacy Connector may still appear Connected in Iru Endpoint immediately after tenant migration until you uninstall the legacy Connector on the server and register the updated Connector.Upgrade the tenant to Iru
{{subdomain}}.iru.com). When the tenant upgrade is complete, return to Migrating from Kandji to Iru with AD CS and continue with the next step below to replace the AD CS Connector.Open the AD CS integration in Iru Endpoint
Uninstall the legacy Connector on Windows Server
Confirm the Connector shows Disconnected
Download the updated Connector
Install the updated Connector
Sign in and approve registration
{{subdomain}}.iru.com, the same hostname shown in the Iru Endpoint web app). Complete sign-in, open the registration URL, and approve the device in Approve AD CS connector registration when prompted. The Connector app should show Connected.Verify connection and Connector version
Assign issuing CAs and remove the legacy row