

Disclaimer: This blog is not intended to be advice on how to manage your environment. As the name suggests, these accounts are based on experiences I've had in my own lab. Always approach information you find outside (or inside, for that matter) official documentation with skepticism and follow the golden rule: never test in production.

Since starting this blog last year, my most popular post by far has been Using Intune to Create and Demote Local Admins on MacOS. To my dismay, despite copious warnings not to put such an experiment into production, I regularly receive emails thanking me for the solution, because Microsoft simply refuses to offer one, and, to be clear, for good reason. Historically, unmanaged identities, especially ones with a shared password, were often a necessary evil without tools like LAPS and an omnipresent IdP that let admins elevate and resolve issues like local account permissions and domain trust relationships. The hard-to-swallow truth is that with cloud IdP solutions like Azure and Okta having a nearly ubiquitous presence in our post-lockdown global economy, these archaic workarounds simply have no justification in modern management.

In Azure, Azure AD joined Windows devices (excluding hybrid Azure AD join) will accept any identity as a local administrator simply by adding it to the Azure AD Joined Device Local Administrator role. But what about macOS? At the time of this post, Microsoft simply expects Mac users to be admins on their own devices and sidesteps the issue entirely. It's not a requirement, and Intune will happily manage the device regardless of the logged-in user's privileges, but how can we find the middle ground between a restrictive account posture and administrative accessibility like we can on Windows? With Jamf, of course!

Wait! Before you roll your eyes and unfollow me on Twitter, just hear me out. I know more than anyone how cliché it is to answer every macOS MDM question with "just use Jamf Pro", so I won't even mention it beyond this point (though the process is nearly identical for both platforms). As the title suggests, this time I'm talking about Jamf Connect. If you're unfamiliar, Jamf Connect is the branded, proprietary successor to the open-source project NoMAD, which keeps your local password synchronized with your cloud IdP credentials. Additionally, Jamf Connect Login replaces Apple's login window with one that authenticates to the cloud and creates the local account from those same credentials.

Now you're probably asking, "That sounds great, but how does this solve the problem of provisioning an admin user while the user only has Standard permissions?" Well, with Azure we can create app roles on the Jamf Connect enterprise application, and Jamf Connect Login reads the role out of the user's ID token to set the local account's permissions (admin or standard) at creation time, which gives us feature parity with Azure AD joined Windows devices. Here's the best part: Jamf Connect can be deployed with any MDM solution, including Intune, and costs less than a cup of drive-thru coffee per device per month.

Without further ado, let's walk through the configuration and deployment together. To avoid re-inventing the wheel, I'm going to reference documentation and summarize where possible.

1) Integrating Jamf Connect with Azure AD

For this step, head over to Integrating with Microsoft Azure AD – Jamf Connect Documentation | Jamf to create the App Registration needed in Azure.

3.1) Configure Jamf Connect Login

Note: If you leverage ADFS in your environment, you will need to create a new application in ADFS that resembles the Azure registered app, fill in its ID under ROPG Client ID, and fill in the Hybrid Identity portion of the Login tab. Jamf Connect verifies the user's password with a resource owner password grant (ROPG) request, and Azure AD cannot complete that grant for a federated identity, so for an ADFS-federated domain the request has to go to ADFS itself. Failing to do this will result in Jamf Connect failing to authenticate even if everything lines up in Azure. (Reference: Federated Integrations – Jamf Connect Administrator's Guide | Jamf)
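As an added example, and my own illustration for this page rather than the blog author's code, Jamf's, or Microsoft's: the Azure app role to local admin mapping described above, expressed as a com.jamf.connect.login settings dictionary (serialised to the plist you would wrap in a configuration profile payload) together with a small check of how a given ID token's claims would fall out. The tenant ID, client IDs, role value and tokens are constructed placeholders; the preference key names (OIDCProvider, OIDCTenant, OIDCClientID, OIDCROPGID, OIDCRedirectURI, OIDCAdminAttribute, OIDCAdmin, CreateAdminUser) are taken from the Jamf Connect Login documentation as I understand it and should be checked against the version you deploy; the decision function mirrors that documented behaviour and does not call any Jamf code.

```python
import base64
import json
import plistlib

# Constructed placeholder values; substitute your own tenant, client IDs and role.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
APP_CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # Jamf Connect app registration
ROPG_CLIENT_ID = "22222222-2222-2222-2222-222222222222"   # registration (Azure or ADFS) used for ROPG password checks
ADMIN_ROLE_VALUE = "Admin"  # the 'value' of the app role assigned to users who should be local admins


def login_settings(tenant_id, client_id, ropg_client_id, admin_role):
    """Build the com.jamf.connect.login preference dictionary for Azure.

    Only the keys that matter for the admin/standard decision are set; the key
    names follow the Jamf Connect Login documentation (assumption: verify them
    against the release you deploy).
    """
    return {
        "OIDCProvider": "Azure",
        "OIDCTenant": tenant_id,
        "OIDCClientID": client_id,
        "OIDCROPGID": ropg_client_id,
        "OIDCRedirectURI": "https://127.0.0.1/jamfconnect",
        # Which ID-token claim is inspected, and which value(s) in it grant admin.
        "OIDCAdminAttribute": "roles",
        "OIDCAdmin": [admin_role],
        # False: users without the role are created as Standard accounts.
        # True would make every authenticated user an admin (the weak setting).
        "CreateAdminUser": False,
    }


def settings_plist(settings):
    """Serialise the settings as the XML plist a profile payload carries."""
    return plistlib.dumps(settings)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims):
    """Constructed ID token for illustration only: header.payload with an empty
    signature segment. A real Azure token is RS256-signed; this one is good for
    nothing except inspecting claims."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token):
    """Return the payload claims of a JWT without verifying its signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def grants_admin(claims, settings):
    """Mirror the documented decision: CreateAdminUser wins outright, otherwise
    the configured claim must contain one of the OIDCAdmin values."""
    if settings.get("CreateAdminUser", False):
        return True
    attribute = settings.get("OIDCAdminAttribute", "roles")
    values = claims.get(attribute, [])
    if isinstance(values, str):  # a single role may arrive as a bare string
        values = [values]
    return bool(set(values) & set(settings.get("OIDCAdmin", [])))


def account_type(token, settings):
    """'admin' or 'standard' for the account Jamf Connect Login would create."""
    return "admin" if grants_admin(jwt_claims(token), settings) else "standard"


if __name__ == "__main__":
    cfg = login_settings(TENANT_ID, APP_CLIENT_ID, ROPG_CLIENT_ID, ADMIN_ROLE_VALUE)
    print(settings_plist(cfg).decode())
    # Constructed tokens: one user holds the app role, the other does not.
    helpdesk = make_unsigned_token({"preferred_username": "helpdesk@example.com",
                                    "roles": ["Admin"]})
    staff = make_unsigned_token({"preferred_username": "staff@example.com"})
    print("helpdesk ->", account_type(helpdesk, cfg))  # admin
    print("staff    ->", account_type(staff, cfg))     # standard
```

Two things worth checking in your own tenant before trusting the mapping: the role only shows up in the roles claim for users (or groups) to whom it has actually been assigned on the enterprise application's Users and groups blade, and the role value, not its display name, is what must appear in OIDCAdmin.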
