Integrating Jamf Connect Login with Azure

Jamf Connect Login provides support for Microsoft Azure AD (Active Directory) and can be used to replace the standard macOS loginwindow with Azure Loginwindow. With Azure Loginwindow, you can do the following:

  • Authenticate via a native app in Azure

  • Use multi-factor authentication (MFA) and support conditional access

  • Enable Azure AD and Azure DFS (Directory Federation Services)

  • Create a local account on a macOS computer

These capabilities and other customizations can be easily configured with configuration profiles pushed via MDM or installed locally on the computer.

Configuring the Azure loginwindow

Deploying Azure Loginwindow with Jamf Connect Login involves the following steps:

  1. Register Jamf Connect Login with Microsoft Azure

  2. Assign users and designate user roles

  3. Deploy Jamf Connect Login

Step 1: Register Jamf Connect Login with Microsoft Azure

You must integrate Jamf Connect Login with Azure by registering Jamf Connect Login as a native application.

  1. Log in to the Microsoft Azure Portal.

  2. Click the Azure Active Directory tab in the left menu.

  3. Click App registrations, and then click New application registration.

  4. Complete the following in the Create pane:

    1. Enter "Jamf Connect Login" in the Name field.

    2. Select "Native" in the Application type pop-up menu.

    3. Enter "https://127.0.0.1/jamfconnect" in the Redirect URI field.


  5. Click Create.

Step 2: Assign Users and Designate Roles

Once Jamf Connect Login is registered as a native application with Azure, you can configure settings to assign users and designate roles.

Assign Users

You can assign users to the application if you want to limit access. By default, any user in your domain can authenticate to the application. You can also do the following:

  • Hide Jamf Connect Login from users, which limits a user's interaction with the application to the loginwindow on a computer.

  • Grant admin consent for your organization. This can be done in the "Permissions" section of the application settings.

For step-by-step instructions on how to create users and assign roles, see the following resources from Microsoft:

Designate Roles

You can create users as local admins on the macOS system by using roles defined in Azure. To create roles, you will need to edit the application manifest:

  1. Click the Azure Active Directory tab in the left menu.

  2. Click App registrations, and then select Jamf Connect Login.

  3. Click Manifest.

  4. In the manifest, find "appRoles": [], and then add entries similar to the following to the bottom of the manifest:

"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Admin",
"id": "2423e48a-8bd2-413d-adb3-18dc2ba73f3f",
"isEnabled": true,
"description": "Members of the Admin group.",
"value": "Admin"
}
],

  5. Click Save.

Once saved, you can explicitly add users to the application and define roles. By default, only users holding the Admin role become local admins on a system; if the CreateAdminUser preference key is enabled, every user becomes a local admin instead. The list of roles that make a user a local admin can also be set with a preference key. For roles to appear in a user's Azure token, you must require User Assignment in the application properties.

Note: If you are using Jamf Connect Login with automated MDM enrollment (formerly DEP), remove this application from any conditional access controls. The user will be signing into the system before conditional access can be instantiated.
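As an added example (not Jamf's code), the following Python checks an appRoles manifest fragment for mistakes that would keep a role out of the user's token (malformed or duplicate id, empty value, role not assignable to users, disabled role), models the admin decision the paragraph above describes, and cross-checks that every role named in the OIDCAdmin preference is actually emitted by an enabled appRole. The manifest, the token claims, the default role list ["Admin"] and the default attribute name "roles" are assumptions made for illustration.

```python
import json
import uuid

# Constructed manifest fragment in the shape shown above. Both ids are made-up
# GUIDs; the second role deliberately reuses the first id so the check has
# something to report.
SAMPLE_MANIFEST = json.loads("""
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "displayName": "Admin",
      "id": "11111111-2222-4333-8444-555555555555",
      "isEnabled": true,
      "description": "Members of the Admin group.",
      "value": "Admin"
    },
    {
      "allowedMemberTypes": ["User"],
      "displayName": "Helpdesk",
      "id": "11111111-2222-4333-8444-555555555555",
      "isEnabled": true,
      "description": "Helpdesk staff (duplicate id on purpose).",
      "value": "Helpdesk"
    }
  ]
}
""")


def validate_app_roles(manifest):
    """Return a list of problems that would keep a role out of the user's token."""
    problems = []
    seen_ids, seen_values = set(), set()
    for role in manifest.get("appRoles", []):
        value = role.get("value", "")
        role_id = role.get("id", "")
        try:
            uuid.UUID(role_id)
        except ValueError:
            problems.append(f"role {value!r}: id {role_id!r} is not a GUID")
        if role_id in seen_ids:
            problems.append(f"role {value!r}: duplicate id {role_id}")
        seen_ids.add(role_id)
        if not value:
            problems.append("role with empty value: no claim would be emitted")
        elif value in seen_values:
            problems.append(f"duplicate role value {value!r}")
        seen_values.add(value)
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append(f"role {value!r}: not assignable to users")
        if not role.get("isEnabled", False):
            problems.append(f"role {value!r}: disabled, will not be emitted")
    return problems


def admin_roles_from_profile(profile):
    """OIDCAdmin may be a single string or an array; default assumed to be ["Admin"]."""
    roles = profile.get("OIDCAdmin", ["Admin"])
    return [roles] if isinstance(roles, str) else list(roles)


def is_local_admin(token_claims, profile):
    """Model (an assumption, not Jamf's code) of the decision described above:
    CreateAdminUser=true makes every user an admin; otherwise the user is an
    admin when the attribute named by OIDCAdminAttribute (assumed default
    "roles") contains a role listed in OIDCAdmin."""
    if profile.get("CreateAdminUser", False):
        return True
    attribute = profile.get("OIDCAdminAttribute", "roles")
    granted = token_claims.get(attribute, [])
    if isinstance(granted, str):
        granted = [granted]
    admin_roles = admin_roles_from_profile(profile)
    return any(role in admin_roles for role in granted)


def unemitted_admin_roles(profile, manifest):
    """OIDCAdmin roles that no enabled appRole emits: nobody could become admin through them."""
    emitted = {r.get("value") for r in manifest.get("appRoles", []) if r.get("isEnabled")}
    return [role for role in admin_roles_from_profile(profile) if role not in emitted]


if __name__ == "__main__":
    for problem in validate_app_roles(SAMPLE_MANIFEST):
        print("manifest:", problem)
    print("unemitted:", unemitted_admin_roles({"OIDCAdmin": ["Admin", "Security"]}, SAMPLE_MANIFEST))
```

Run the manifest check against the JSON you paste into the Azure manifest editor before saving, and the cross-check against the profile you deploy in Step 3, so that a role renamed in Azure does not silently stop granting admin rights on the Mac.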

Step 3: Deploy Jamf Connect Login

Jamf Connect Login is deployed with a package installer, similar to other packages installed on macOS.

For more information, see the Deploying Jamf Connect Knowledge Base article.

Customizing Azure loginwindow

You can create a PLIST file to customize Azure Loginwindow for your organization.

Note: If using Jamf Pro, you must sign this profile before uploading.

The following is an example:

<plist version="1.0">
<dict>
  <key>PayloadEnabled</key>
  <true/>
  <key>PayloadDisplayName</key>
  <string>Jamf Connect Login Azure Settings</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadDescription</key>
  <string></string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadEnabled</key>
      <true/>
      <key>OIDCProvider</key>
      <string>Azure</string>
      <key>PayloadIdentifier</key>
      <string>9578F08E-D5AC-4A1F-86D9-51DF57541295</string>
      <key>PayloadDescription</key>
      <string>Jamf Connect Login Azure Settings</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>OIDCROPGID</key>
      <string>9fcc52c7-ee36-4889-8517-c5fed2c78083</string>
      <key>PayloadType</key>
      <string>com.jamf.connect.login</string>
      <key>PayloadUUID</key>
      <string>9578F08E-D5AC-4A1F-86D9-51DF57541295</string>
      <key>OIDCNewPassword</key>
      <false/>
      <key>OIDCRedirectURI</key>
      <string>https://127.0.0.1/jamfconnect</string>
      <key>PayloadDisplayName</key>
      <string>Jamf Connect Login Azure Settings</string>
      <key>PayloadOrganization</key>
      <string>Jamf Connect Login</string>
      <key>OIDCClientID</key>
      <string>9fcc52c7-ee36-4889-8517-c5fed2c78083</string>
    </dict>
  </array>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadOrganization</key>
  <string>Jamf Connect</string>
  <key>PayloadIdentifier</key>
  <string>7B7E2B17-F245-45FA-A913-8469A73BA5D6</string>
  <key>PayloadUUID</key>
  <string>7B7E2B17-F245-45FA-A913-8469A73BA5D6</string>
</dict>
</plist>

Required Key-Value Pairs

OIDCProvider
  Description: Determines which OIDC provider to use.
  Example:
    <key>OIDCProvider</key>
    <string>Azure</string>

OIDCRedirectURI
  Description: Redirect URI used by the native application in Azure.
  Example:
    <key>OIDCRedirectURI</key>
    <string>https://127.0.0.1/jamfconnect</string>

OIDCClientID
  Description: The Application ID of the native application in Azure used to authenticate the user.
  Example:
    <key>OIDCClientID</key>
    <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

OIDCROPGID
  Description: The Application ID of the native application in Azure used to validate the user's password via an ROPG (resource owner password grant) flow.
  Example:
    <key>OIDCROPGID</key>
    <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

Optional Key-Value Pairs

OIDCNewPassword
  Description: If set to true, the user must create a new password on the computer. If set to false, the user must validate with their existing Azure password, which also becomes the local password.
  Example:
    <key>OIDCNewPassword</key>
    <true/>

OIDCAdmin
  Description: Which roles become an admin at the loginwindow. Users assigned a specified role become an admin at the loginwindow. You can also specify an array of strings to list multiple roles.
  Example:
    <key>OIDCAdmin</key>
    <string>role</string>

  or

    <key>OIDCAdmin</key>
    <array>
      <string>role-one</string>
      <string>role-two</string>
      <string>role-three</string>
      <string>role-four</string>
    </array>

OIDCAdminAttribute
  Description: The attribute in the user's SAML ID token used to determine whether they are an admin user.
  Example:
    <key>OIDCAdminAttribute</key>
    <string>insert-role</string>

EnableFDE
  Description: Determines whether FileVault is enabled for the first user to sign in.
  Example:
    <key>EnableFDE</key>
    <true/>

EnableFDERecoveryKey
  Description: If set to true, Jamf Connect stores the FileVault recovery key in /var/db/NoMADFDE unless a different path is specified with EnableFDERecoveryKeyPath.
  Example:
    <key>EnableFDERecoveryKey</key>
    <true/>

EnableFDERecoveryKeyPath
  Description: A custom path for the recovery key.
  Example:
    <key>EnableFDERecoveryKeyPath</key>
    <string>/usr/local/filevault</string>

CreateAdminUser
  Description: Makes the user an admin when the account is created at the loginwindow.
  Example:
    <key>CreateAdminUser</key>
    <false/>

LoginLogo
  Description: Path to a locally stored image file used as the logo during password validation or local password creation.
  Example:
    <key>LoginLogo</key>
    <string>/usr/local/images/logo.png</string>

DenyLocal
  Description: Determines whether users can bypass Azure authentication and use the Local Auth button at the loginwindow.
  Example:
    <key>DenyLocal</key>
    <false/>

DenyLocalExcluded
  Description: Specifies which users can still authenticate locally when DenyLocal is set to true.
  Example:
    <key>DenyLocalExcluded</key>
    <array>
      <string>user-one</string>
      <string>user-two</string>
      <string>user-three</string>
      <string>user-four</string>
    </array>

RightsTmpCache
  Description: When the AuthUI rule is used, determines whether the token cache is set to /tmp/cachedata.
  Example:
    <key>RightsTmpCache</key>
    <false/>
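Because the reader ignores keys it does not recognise, a typo in a key name (the table's own EnableFDERecoveryPath versus the documented EnableFDERecoveryKeyPath is the kind of slip that happens) silently drops the setting. As an added example, not Jamf's code, the following Python audits the com.jamf.connect.login payload of a profile with plistlib: it checks the four required keys, that the redirect URI matches the one registered in Step 1, that the Application IDs are actually GUIDs (the table's placeholder value is kept on purpose so the check fires), flags undocumented keys, and reports the settings that weaken posture (DenyLocal not true, FileVault off, or FileVault on with no recovery key stored). The sample profile, the set of known keys and the "unknown keys are ignored" behaviour are assumptions made for illustration.

```python
import plistlib
import uuid

# Constructed sample profile, shaped like the page's example but with a placeholder
# top-level identifier; not a real tenant's configuration. OIDCClientID and
# OIDCROPGID reuse the table's non-GUID example value so the audit flags them.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>PLACEHOLDER-PROFILE-UUID</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.jamf.connect.login</string>
      <key>OIDCProvider</key><string>Azure</string>
      <key>OIDCRedirectURI</key><string>https://127.0.0.1/jamfconnect</string>
      <key>OIDCClientID</key><string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>
      <key>OIDCROPGID</key><string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>
      <key>DenyLocal</key><false/>
      <key>EnableFDE</key><true/>
      <key>EnableFDERecoveryPath</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

REGISTERED_REDIRECT_URI = "https://127.0.0.1/jamfconnect"  # the URI entered in Step 1
REQUIRED_KEYS = ("OIDCProvider", "OIDCRedirectURI", "OIDCClientID", "OIDCROPGID")
# Optional keys as listed in the table above (assumed to be the complete set).
OPTIONAL_KEYS = {
    "OIDCNewPassword", "OIDCAdmin", "OIDCAdminAttribute", "EnableFDE",
    "EnableFDERecoveryKey", "EnableFDERecoveryKeyPath", "CreateAdminUser",
    "LoginLogo", "DenyLocal", "DenyLocalExcluded", "RightsTmpCache",
}


def find_login_payload(profile_bytes):
    """Return the com.jamf.connect.login payload dict from a profile plist."""
    top = plistlib.loads(profile_bytes)
    for payload in top.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.jamf.connect.login":
            return payload
    raise ValueError("profile has no com.jamf.connect.login payload")


def is_guid(value):
    """True when value parses as a GUID, which is what an Azure Application ID is."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def audit_login_payload(payload):
    """Return (level, message) findings: 'error' breaks sign-in, 'warn' weakens posture."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in payload:
            findings.append(("error", f"missing required key {key}"))
    if payload.get("OIDCProvider") != "Azure":
        findings.append(("error", "OIDCProvider must be Azure for this integration"))
    if payload.get("OIDCRedirectURI") != REGISTERED_REDIRECT_URI:
        findings.append(("error", "OIDCRedirectURI does not match the URI registered in Azure"))
    for key in ("OIDCClientID", "OIDCROPGID"):
        if key in payload and not is_guid(payload[key]):
            findings.append(("error", f"{key} is not an Application ID (GUID): {payload[key]}"))
    # Assumed behaviour: keys the product does not know are ignored, so a typo
    # such as EnableFDERecoveryPath quietly drops the intended setting.
    for key in payload:
        if key.startswith("Payload") or key in REQUIRED_KEYS or key in OPTIONAL_KEYS:
            continue
        findings.append(("warn", f"unknown key {key} (typo?) will have no effect"))
    if payload.get("DenyLocal") is not True:
        findings.append(("warn", "DenyLocal is not true: Local Auth button can bypass Azure sign-in"))
    if payload.get("EnableFDE") is not True:
        findings.append(("warn", "EnableFDE is not true: FileVault not enabled for the first user"))
    elif payload.get("EnableFDERecoveryKey") is not True:
        findings.append(("warn", "EnableFDE without EnableFDERecoveryKey: recovery key will not be stored"))
    return findings


def errors_only(findings):
    """Just the messages that would stop the loginwindow from working."""
    return [msg for level, msg in findings if level == "error"]


if __name__ == "__main__":
    for level, msg in audit_login_payload(find_login_payload(SAMPLE_PROFILE)):
        print(f"[{level}] {msg}")
```

Point the script at the unsigned plist before you sign it for Jamf Pro; once it is signed, a wrong key name is much harder to notice, and the only symptom on the Mac is a setting that never takes effect.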

Azure loginwindow Experience for Computers

End users will go through the following steps when interacting with the Azure Loginwindow:

  1. The user follows on-screen steps to complete Apple's Setup Assistant, and the computer is enrolled in MDM.

  2. Then, the user can do one of the following when the Azure OpenID Connect Login window appears:

    1. Enter their Azure account username and passphrase.
      Note: The user may be prompted to authenticate using the Microsoft Authenticator app on another device.

    2. Click Local Auth at the bottom of the window, if a local account was provisioned via MDM.

  3. If a local account was not provisioned, the user must create a local account by doing one of the following:

    • Create and verify a new local passphrase.

    • Enter an already existing Azure passphrase.

  4. The user then clicks Create Account. The computer completes the setup process and loads.

To verify the account is configured correctly, you can do the following on the user's computer:

  1. Open System Preferences, and then click User & Groups to verify the local account was created.

  2. Open Directory Utility.

    1. Click the Directory Editor tab.

    2. Enter the local account username in the search bar in the left pane.

    3. Ensure the "NetworkUser" field contains the user's Azure username.

Disabling and Re-enabling Azure Loginwindow

You can disable then re-enable Jamf Connect Login with Azure Loginwindow by executing the following commands:

Disable: authchanger -reset

Re-enable: authchanger -reset -OIDC

Note: When disabled, the default macOS loginwindow will appear to users.

System Preferences authentication can also be disabled and re-enabled by executing similar commands:

Disable: authchanger -SysPrefsReset

Re-enable: authchanger -SysPrefs

Related Information

For additional information about Jamf Connect Login, see the following sections of this guide:

For additional information about Microsoft Azure, see the following Microsoft documentation: https://docs.microsoft.com/en-us/azure/

For information about integrating with OpenID Connect see the Integrating OpenID Connect with Jamf Connect Knowledge Base article.

© copyright 2002-2019 Jamf. All rights reserved.