Jamf Connect Integration with Jamf Pro

Jamf Connect is an app that allows administrators to manage authentication by connecting a user's local macOS account to their organization's cloud identity (network account).

Jamf Connect includes two core components:
  • Login window

    An authorization plug-in that modifies the default macOS login process and login window UI.

  • Menu bar app

    An application that helps users manage their network and local passwords.

The Jamf Connect integration in Jamf Pro allows you to automatically deploy the Jamf Connect package to computers in the scope of computer configuration profiles with Jamf Connect settings.

You can configure the following:

  • View all computer configuration profiles

    View all computer configuration profiles with Jamf Connect settings in a single location (Settings > Jamf Applications > Jamf Connect). Jamf Pro automatically detects and displays any configuration profile with settings written to a preference domain starting with com.jamf.connect.

  • Deploy Jamf Connect

    Deploy a specific version of Jamf Connect to computers in the scope of a configuration profile. This allows you to complete an initial deployment of Jamf Connect to target computers or to manage subsequent updates without enabling automatic updates.

  • Configure automatic updates

    Configure automatic updates for computers in the scope of a Jamf Connect configuration profile. You can configure Jamf Pro to automatically deploy minor updates (e.g., 1.0.0 to 1.1.0), maintenance updates (e.g., 1.0.0 to 1.0.1), or both.

  • Receive notifications

    Receive notifications in Jamf Pro when a new Jamf Connect version is available.

Keep the following in mind when using this integration:

  • If a computer is in the scope of multiple configuration profiles, such as separate configuration profiles for the login window and menu bar app, Jamf Pro uses the most proactive update type for computers in scope of both profiles.

  • You cannot configure automatic updates to complete major updates (e.g., 1.19.3 to 2.0.0 or later). To complete a major upgrade for Jamf Connect, use a policy.

  • This feature cannot be used to downgrade the Jamf Connect version on computers.

Creating a Jamf Connect Configuration Profile Using Jamf Pro

You can use Jamf Pro to create a computer configuration profile that configures Jamf Connect settings with the Application & Custom Settings payload. This payload allows you to select Jamf Connect preferences, automatically generate a PLIST file, and configure the scope. Jamf Pro can use configuration profiles created in this way to automatically deploy and update Jamf Connect.

Depending on which components of Jamf Connect you plan to use, you must configure settings for the following Jamf application domains:

  • com.jamf.connect

    Includes all settings for the Jamf Connect menu bar app

  • com.jamf.connect.login

    Includes all settings for the Jamf Connect login window

Keep the following in mind when you configure Jamf Connect:
  • You can configure multiple Application & Custom Settings payloads in a single configuration profile. This allows you to configure multiple preference domains in a single configuration profile.

  • You can split your Jamf Connect settings into multiple configuration profiles written to the same preference domains. This allows you to easily add or remove a subset of Jamf Connect settings (e.g., enrollment-only settings).

Best Practice:

Configuring Enrollment-only Settings

Best practice workflows cover common scenarios; however, the following recommendations may not apply in your environment.

If you plan to configure Jamf Connect settings that should only be used during enrollment, you can create a separate configuration profile for these settings. Common settings include the following:

  • Acceptable use policy settings

  • Notify screen script

  • authchanger command-line arguments that enable the Notify screen

Create a configuration profile that includes the following Application & Custom Settings payloads:

  1. Configure the com.jamf.connect.login preference domain with enrollment-only settings.
  2. If your organization uses the Notify screen, configure the com.jamf.connect.authchanger preference domain to enable the Notify screen after Jamf Connect is installed.

Requirements
  • Integration with a cloud identity provider (IdP)

  • Familiarity with your IdP's minimum authentication settings

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Configuration Profiles in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method.

    Only payloads and settings that apply to the selected level are displayed for the profile. To distribute the profile during enrollment using a computer PreStage enrollment, ensure you create a computer-level configuration profile.

  5. Use the Application & Custom Settings payload to configure Jamf Applications.
  6. Click Add.
  7. Choose com.jamf.connect.login from the Jamf Application Domain pop-up menu.
  8. Choose a version of the preference domain you want to configure.

    The latest version is recommended.

  9. Select Jamf Connect Login.json from the Variant pop-up menu.
    The Jamf Connect preference domain settings display.
  10. Configure Jamf Connect settings.

    To determine which settings are required, see Authentication Settings.

    Best Practice:

    Jamf recommends deselecting any unused settings from the payload. This prevents Jamf Pro from including blank key-value pairs in the configuration profile.

  11. If you plan to use the Jamf Connect menu bar app in your organization, click Add to configure settings for the Jamf Connect menu bar app preference domain (com.jamf.connect).
  12. Click the Scope tab and configure the scope of the profile.
    Note:

    Ensure the scope of the profile contains the computers that are in the scope of the PreStage enrollment.

  13. Click Save.

Your configuration profiles are distributed to target computers when they check in with Jamf Pro.

If you configure deployment and update settings for the newly created profile, Jamf Pro installs or updates Jamf Connect on target computers.
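
As an added example (not Jamf's code), the following Python check lists blank values in any preference domain starting with com.jamf.connect, which is the condition the best practice in step 10 is meant to avoid. It assumes an unsigned profile in plist form that uses the com.apple.ManagedClient.preferences custom settings layout; the sample profile, its keys and its values are constructed for illustration.

```python
import plistlib

DOMAIN_PREFIX = "com.jamf.connect"                 # prefix named on this page
MCX_TYPE = "com.apple.ManagedClient.preferences"   # custom settings payload type

def blank_paths(value, path):
    """Yield dotted key paths whose value is an empty string, list or dict.

    False and 0 are real settings, so they are not reported as blank.
    """
    if isinstance(value, dict) and value:
        for key, child in value.items():
            yield from blank_paths(child, f"{path}.{key}")
    elif isinstance(value, str) and not value.strip():
        yield path
    elif isinstance(value, (list, dict)) and not value:
        yield path

def audit_profile(raw):
    """Map each com.jamf.connect* domain in an unsigned profile to its blank keys."""
    findings = {}
    for payload in plistlib.loads(raw).get("PayloadContent", []):
        if payload.get("PayloadType") != MCX_TYPE:
            continue
        for domain, body in payload.get("PayloadContent", {}).items():
            if not domain.startswith(DOMAIN_PREFIX):
                continue
            blanks = findings.setdefault(domain, [])
            for entry in body.get("Forced", []):
                for key, value in entry.get("mcx_preference_settings", {}).items():
                    blanks.extend(blank_paths(value, key))
    return findings

# Constructed sample profile; keys and values are illustrative only.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": MCX_TYPE,
        "PayloadContent": {
            "com.jamf.connect.login": {"Forced": [{"mcx_preference_settings": {
                "OIDCProvider": "ExampleIdP", "OIDCClientID": "", "CreateAdminUser": False}}]},
            "com.jamf.connect": {"Forced": [{"mcx_preference_settings": {
                "IdPSettings": {"Provider": "ExampleIdP", "ROPGID": ""}}}]},
            "com.example.other": {"Forced": [{"mcx_preference_settings": {"Key": ""}}]},
        },
    }],
})

if __name__ == "__main__":
    for domain, blanks in audit_profile(SAMPLE).items():
        print(domain, "blank keys:", blanks or "none")
```

A signed profile must have its signature removed before plistlib can parse it.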

Configuring Jamf Connect Deployment and Update Settings

You can configure Jamf Pro to deploy Jamf Connect to existing computers and automatically update the version as new releases become available. To do so, you must assign deployment and update settings to an existing configuration profile in Jamf Pro that has Jamf Connect settings. Jamf Pro will install and update computers in the scope of the configuration profile accordingly.

This deployment method is recommended for the following scenarios:

  • Deploying Jamf Connect for the first time to computers that are already enrolled in Jamf Pro.

  • Managing automatic update settings for existing computers that already have Jamf Connect installed.

Requirements
  • Cloud Services Connection enabled

    For instructions, see Cloud Services Connection in the Jamf Pro Documentation.

  • The following Jamf Pro user account privileges:

    Category                    Privilege
    Jamf Pro Server Settings    Jamf Connect (Read)
    Jamf Pro Server Objects     Jamf Connect Deployments

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Jamf Applications section, click Jamf Connect.
  3. Next to the configuration profile with the Jamf Connect settings you want to deploy, click Edit.
  4. Next to Automatically Deploy And Update Jamf Connect, click Yes.
  5. Choose a version of Jamf Connect to deploy from the Version pop-up menu.
    Note:

    If a computer in the scope of the configuration profile already has a previous version of Jamf Connect installed, Jamf Pro will update that computer to the chosen version.

  6. Choose one of the following options from the Update Type pop-up menu to manage future updates:
    • Manual

      Only deploy the chosen version to computers in scope and do not automatically deploy future updates.

    • Maintenance

      Automatically deploy maintenance (e.g., 1.0.1) updates to computers in scope.

    • Minor & Maintenance

      Automatically deploy minor and maintenance (e.g., 1.1.0 and 1.0.1) updates to computers in scope.

  7. Click Next.
    Jamf Pro displays a confirmation pop-up dialog summarizing the actions it will take based on the settings you have configured.
  8. Click Confirm.

Jamf Pro deploys the chosen version of Jamf Connect when computers in the scope of the configuration profile check in and updates them accordingly as new releases become available.

Viewing and Retrying Jamf Connect Deployments

You can view the status of Jamf Connect deployments to see if the Jamf Connect package was successfully installed. If you need to retry a deployment, you can resend the install commands for one or more computers.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Jamf Applications section, click Jamf Connect.
  3. Next to the configuration profile for which you want to view or retry deployment, click View.

    Computers in the scope of the profile are displayed, along with their deployed version and deployment command statuses.

  4. (Optional) To retry deployment for a computer, click Retry next to the deployment command status for that computer. To retry deployment for multiple computers, select the computers you want and then click Retry Selected in the top-right corner of the pane.