Integrating with Cloud Identity Providers

Integrating with Cloud Identity Providers, which is similar to integrating with an LDAP directory service, allows you to do the following:

  • Look up and populate user information from the secure LDAP service for inventory purposes.

  • Add Jamf Pro user accounts or groups from the secure LDAP service.

  • Require users to log in to Self Service or the enrollment portal using their LDAP directory accounts.

  • Require users to log in during mobile device setup using their LDAP directory accounts.

  • Base the scope of remote management tasks on users or groups from the secure LDAP service.

To integrate Jamf Pro with a Cloud Identity Provider you need to provide detailed information about the identity provider and upload a keystore or certificate file.

Jamf Pro allows you to integrate with Google's secure LDAP service that is a part of G Suite Enterprise and Cloud Identity Premium. The service can be used with Jamf Pro for user authentication and group syncing.

Note: Users assigned to Cloud Identity Free or G Suite Basic/Business licenses are not allowed to authenticate in Jamf Pro. When such a user tries to authenticate, the INSUFFICIENT_ACCESS_RIGHTS (50) error code is displayed in Jamf Pro logs. For information on Secure LDAP service error codes, see the following documentation from Google:

Cloud Identity Free or G Suite Basic/Business assigned users display in user lookup results and you can add them as Jamf Pro LDAP accounts.

Secure Google LDAP service requires a different configuration than standard LDAP servers. For instructions about how to add Jamf Pro as an LDAP client to the secure LDAP service, configure access permissions, and download the generated certificate, see the following documentation from Google:

After you have added Jamf Pro as an LDAP client, you need to generate the .p12 keystore file. For more information, see the Generating the PKCS12 Keystore File When Integrating Google Cloud Identity Provider with Jamf Pro Knowledge Base article.

Adding a Google Identity Provider Instance

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings images/download/thumbnails/79179198/Settings_Icon.png .

  3. Click System Settings.

  4. Click Cloud Identity Providers images/download/thumbnails/79179198/icon-CloudIdentityProviders.png .

  5. Click New images/download/thumbnails/79179198/Icon_New_Button.png .

  6. Configure the settings on the pane. The display name for the configuration must be unique.

  7. Click Save.

The LDAP server connection configuration is enabled by default. To disable the configuration, use the switch. Disabling the configuration prevents Jamf Pro from querying data from this secure LDAP server. This means you can add a different instance without deleting the current configuration.

Saving an LDAP server connection triggers automatic verification of the hostname, port, and domain. The verification process must succeed before the connection is ready to use.

Important: In large environments, the verification process for valid configurations may fail. Ensure the values in the form are correct and try saving the configuration again.

Attribute mappings for the configured Google's secure LDAP service instance are automatically configured by Jamf Pro. You can view the default configuration and modify the mappings using Jamf Pro API. For more information, see the Configuring Cloud Identity Provider Attribute Mappings Using Jamf Pro API Knowledge Base article.

When troubleshooting the failed Google's secure LDAP service connection, navigate to Reports in your Google Admin console, and check the LDAP audit log.

Related Information

For related information, see the following sections in this guide:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2019 Jamf. All rights reserved.