Configuring Jamf Connect Login with Microsoft Azure AD

You can configure Jamf Connect Login by setting preference keys.

Preference keys allow for full manipulation of Jamf Connect Login’s features. You can set preferences through multiple methods:

  • Use Jamf Connect Configuration to create a configuration profile.
    For more information, see Jamf Connect Configuration.

  • Manually create a configuration profile with a text editor.

  • Set preferences with the defaults write command.

Note: The defaults command will not show preferences set by an MDM solution.

Jamf Connect Login preference keys must be written in the following location:

/Library/Preferences/com.jamf.connect.login.plist

Jamf Connect Login does not create this .plist file. You must create it manually.

If using Jamf Pro, you must sign the configuration profile before uploading. For more information, see the Deploying Custom Configuration Profiles with Jamf Pro Knowledge Base article.

The following is an example of a .plist file that can be used to configure Jamf Connect Login: 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>OIDCProvider</key>
        <string>Azure</string>
        <key>OIDCROPGID</key>
        <string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
        <key>OIDCClientID</key>
        <string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
     </dict>   
</plist>

Preference Keys

The following tables contain all the preference key-value pairs that can be set with Jamf Connect Login.

Note: Boolean key-values that are not configured default to false unless stated otherwise.

Required Key-Value Pairs

Keys

Description

Example

OIDCProvider

Specifies Microsoft Azure AD as your IdP.

<key>OIDCProvider</key>

<string>Azure</string>

OIDCClientID

The Application ID of the registered app in your IdP used to authenticate the user.

<key>OIDCClientID</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

OIDCROPGID

The Application ID of the registered app in you IdP used for authenticating the user's password via a resource owner password grant (ROPG) workflow. This value should should usually match the OIDCClientID preference key.

<key>OIDCROPGID</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

Optional Key-Value Pairs

Optional Key-Value Pairs can be set to further customize the Jamf Connect Login user experience and account creation process.

Account Creation Settings

Key

Description

Example

CreateAdminUser

If set to true, all users become local admins when created on the computer.

<key>CreateAdminUser</key>

<false/>

CreateVerifyPasswords

Determines if a keychain entry is created for Jamf Connect Verify.

<key>CreateVerifyPasswords</key>

<true/>

DemobilizeUsers

Determines if any existing Active Directory mobile accounts are "demobilized", which is the process of converting a mobile account into a local account.

<key>DemobilizeUsers</key>

<false/>

DenyLocal

Determines if users can bypass network authentication and use the Local Auth button at the loginwindow.

If set to true, the Local Auth button is not available, and user must authenticate to their network.

If set to false, the Local Auth button is available, and users can choose to authenticate locally.

<key>DenyLocal</key>

<false/>

DenyLocalExcluded

Specifies which users can still locally authenticate if DenyLocal is set to true

<key>DenyLocalExcluded</key>

<array>

<string>user-one</string>

<string>user-two</string>

<string>user-three</string>

<string>user-four</string>

</array>

LicenseFile

The contents of a .jamfconnectlicense file encoded in Base64 data format.

Note: Maintaining your license key in a separate configuration profile provided by your account manager is recommended.

<key>LicenseFile</key>

<data>encoded-license-content</data>

LocalFallback

Used with DenyLocal to force authentication to the IdP first, but then fallback to local authentication if the IdP is unavailable.

<key>LocalFallback</key>

<true/>

Migrate

Allows local accounts to be migrated to network accounts.

This is typically used when the user account was already created on the system, but you want the accounts to have the same username and password as the user’s cloud identity.

Jamf Connect Login does this by forcing the user to sign in with their IdP, and then attempts to match the user with an existing local account. Consider the following user migration scenarios:

  • If a user's network username and password match a local username and password, the account is considered migrated. No additional steps are needed.

  • If a user's network username matches a local username but the passwords do not match, the user will be prompted to enter their current local password. Once successfully entered, Jamf Connect Login will use the current local password and the current network password to sync the account to the current network password.

  • If a user's network username does not match any local account, the user will be given the option to create or migrate a local account. To migrate an account, the user must provide the existing local password. At this point Jamf Connect Login will synchronize the password to the network password, and then add the network username as an alias to the local account. This way the user can sign in to the system as their network username.

Additionally, IdPs can migrate users from local accounts to accounts associated with network identity. With the Migrate and DenyLocal preference keys, all subsequent sign-ins will be authenticated to your IdP, and then the system verifies if the user record has an IdPUser attribute. If this attribute cannot be verified, the user will be asked to select a local account to associate with the user’s network account. If the local account shortname does not match the network shortname, the network name will be added as an alias to the account so the user will be able to use either one. This also keeps the home folder path and other elements of the user record the same.

Note: For every successful network authentication of a user, the user’s record will be updated with the “NetworkSignIn” attribute. If the user was only authenticated locally, this attribute will not be updated.

<key>Migrate</key>

<false/>

MigrateUsersHide

Specifies which local accounts are excluded from the migration pull-down menu

<key>MigrateUsersHide</key>

<array>

<string>admin</string>

<string>ladmin</string>

</array>

RightsTmpCache

When using the AuthUI rule, determines if the token cache is set to /tmp/cachedata

<key>RightsTmpCache</key>

<false/>

UIDTool

Specifies a path to a UID tool that allows you to set a local user account's UID to a custom value during account creation. This can be used to match a local user account's UID with a user's LDAP UID attribute. Your UID tool must be an executable script.

<key>UIDTool</key>

<string>/Users/Shared/UIDTool</string>

OpenID Connect Settings

Key

Description

Example

OIDCNewPassword

 

If set to true, this key prompts users to create a new password for their new local account.

If set to false, this key prompts users to re-enter their network password, which also becomes the local account password. This ensures a user's network and local password are synced during user creation.

Note: This key is set to true by default.

<key>OIDCNewPassword</key>

<true/>

OIDCAdmin

Specifies which user groups become local admins during account creation. You can specify one user group as a string or multiple user groups in an array of strings.

Note: By default, Jamf Connect Login reads the "groups" attribute in a user's ID token to determine if they become a local admin. To use a different attribute to determine user creation, see the OIDCAdminAtttribute preference key.

<key>OIDCAdmin</key>

<string>role</string>

 

or

 

<key>OIDCAdmin</key>

<array>

<string>role-one</string

<string>role-two</string>

<string>role-three</string>

<string>role-four</string>

</array>

OIDCAdminAttribute

Specifies what attribute stored in an ID token is used to determine if a user is created as a standard or admin local user. By default, Jamf Connect Login will read the "groups" attribute for any values specified with the OIDCAdmin preference key.

Note: For Azure, you must use the "roles" attribute to determine local user creation.

<key>OIDCAdminAttribute</key>

<string>insert-attribute</string>

OIDCClientSecret

The client secret only known by Jamf Connect Login and your IdP.

<key>OIDCClientSecret</key>

<string>insert-client-secret-here</string>

OIDCIgnoreAdmin

When set to true, Jamf Connect Login will ignore any roles that exist in your IdP. This key ensures local user accounts maintain their current status as either an admin or standard account.

When set to false or unspecified, Jamf Connect Login will read the OIDCAdmin key for configured roles and will change a local user account status based on any roles in your IdP.

<key>OIDCIgnoreAdmin</key>

<true/>

OIDCRedirectURI

The redirect URI used by your Jamf Connect registered app in Azure AD.

"https://127.0.0.1/jamfconnect" is recommended by default, but any URI value may be used as long as the configured value in Azure AD matches the value in your Jamf Connect Login configuration profile.

<key>OIDCRedirectURI</key>

<string>https://127.0.0.1/jamfconnect</string>

OIDCTenant

Specifies the Tenant ID for your organization that's used for authentication.

<key>OIDCTenant</key>

<string>c27d1b33-59b3-4ab2-a5c9-23jf0093</string>

OIDCDiscoveryURL

The Discovery URL is used to store OIDC configuration settings for custom IdPs.

Note: This key is required if the OIDCProvider key is set to "Custom".

<key>OIDCDiscoveryURL</key>

<string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>

OIDCIgnoreCookies

Ignores any cookies stored by the loginwindow

<key>OIDCIgnoreCookies</key>

<true/>

Pluggable Authentication Module (PAM)

Key

Description

Example

AuthUIOIDCProvider

Specifies your Identity Provider (IdP) for use with PAM.

<key>AuthUIOIDCProvider<key>

<string>insert-identity-provider</string>

AuthUIOIDCClientID

The Client ID of the created app in your IdP used to authenticate the users.

<key>AuthUIOIDCClientID</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

AuthUIOIDCRedirectURI

The Redirect URI used by the created app in your IdP

<key>AuthUIOIDCRedirectURI</key>

<string>https://127.0.0.1/jamfconnect</string>

AuthUIOIDCTenant

Specifies which tenant in your IdP to use with PAM.

Note: If Okta is your IdP, this key is required.

<key>AuthUIOIDCTenant</key>

<string>dev-123456</string>

AuthUIOIDCClientSecret

The client secret of your Jamf Connect app in your IdP. This value is only known by Jamf Connect and your IdP.

<key>AuthUIOIDCClientSecret</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

Messaging and Appearance Settings

Key

Description

Example

BackgroundImage

Path to a locally stored image to use as a background for the login window

<key>BackgroundImage</key>

<string>/usr/local/shared/background.jpg</string>

LoginLogo

Path to a locally stored image to use as a logo during password validation or local password creation

Note: A 250 x 250 pixel image is recommended.

<key>LoginLogo</key>

<string>/usr/local/images/logo.png</string>

Help Settings

Key

Description

Example

AllowNetwork Selection

When set to true, this preference key allows users to configure and confirm their network connection preferences from the login window. To access this feature when enabled, users can click Network Connection in the bottom-right corner of the login window.

Note: To ensure the security of computers, users cannot select an open Wi-Fi network at the login window.

<key>AllowNetworkSelection</key>

<true/>

HelpURL

Specify a URL to display at the login window that directs user's to a resource for onboarding or enrollment help.

<key>HelpURL</key>

<string>yourcompany.help.com</string>

HelpURLLogo

Add a custom image to use as a clickable logo for the Help URL.

Note: The HelpURL key must be specified.

<key>HelpURLLogo</key>

<string>/usr/local/shared/helplogo.png</string>

LocalHelpFile

A path to a local file that users can access by clicking the "Help" button in the Jamf Connect Login window. This file is only displayed if the computer cannot connect to the internet and access the URL specified with the HelpURL key.

Note: Supported file types include PDF and HTML.

<key>LocalHelpFile</key>

<string>/usr/local/shared/JamfConnectHelp.pdf</string>

FileVault Settings
If enabling FileVault on computers with Jamf Connect, see the Using FileVault with Jamf Connect Knowledge Base article.

Key

Description

Example

EnableFDE

Determines if Jamf Connect Login enables FileVault for the first user that logs in

<key>EnableFDE</key>

<true/>

EnableFDERecoveryKey

If set to true, Jamf Connect will store the FileVault recovery key to /var/db/NoMADFDE unless otherwise specified

<key>EnableFDERecoveryPath</key>

<true/>

EnableFDERecoveryKeyPath

Specifies a custom path for the Recovery Key

<key>EnableFDERecoveryPath</key>

<string>/usr/local/filevault</string>

EULA Settings

Note: The EULA mechanism must be enabled before configuring EULA preferences. To add the EULA mechanism to Jamf Connect Login, see Adding the EULA Mechanism.

Key

Description

Example

EULAPath

Specifies a file where the end user's license agreement record (EULA) is stored.

<key>EULAPath</key>

<string>/usr/local/shared/EULA.txt</string>

EULAText

Text used for the EULA

<key>EULAText</key>

<string>Insert EULA text here</string>

EULATitle

Title of the EULA text

<key>EULATitle</key>

<string>User Agreement</string>

EULASubTitle

Subtitle of the EULA text

<key>EULASubTitle</key

<string>Terms and Conditions</string>

Script Settings

Note: The RunScript mechanism must be enabled before configuring script preferences. To add the RunScript mechanism to Jamf Connect Login, see Adding the RunScript Mechanism.

Key

Description

Example

ScriptArgs

The arguments used with a specified script run by the RunScript mechanism

Note: The ScriptPath key must bey specified.

<key>ScriptArgs</key>

<array>

<string>-v</string>

<string>-user</string>

</array>

ScriptPath

Specifies the path to the script or other executable run by the RunScript mechanism. Only one script can be used with Jamf Connect Login at any time.

<key>ScriptPath</key>

<string>/usr/local/bin/login</string>

Hybrid Identity

These keys can be used to separate the authentication process completed via OpenID Connect from the password verification process completed by the Resource Owner Password Grant (ROPG), which is required to configure Jamf Connect with hybrid identity solutions.

For more information about configuring hybrid identities with Azure AD see the following Knowledge Base articles:

Key

Description

Example

ROPGProvider

Specifies where ROPG authentication will occur. Supported values are the following:

  • Custom

  • Azure_v2

Set this value to "Custom" if using Azure AD with AD FS.

Set this value to "Azure_v2" if you are using password hash synchronization or pass-through authentication, which allows Jamf Connect Login to use the Microsoft identity platform (v2.0) endpoints for authentication.

For more information about the Microsoft identity platform (v2.0), see the following documentation from Microsoft:
https://docs.microsoft.com/azure/active-directory/develop/azure-ad-endpoint-comparison

<key>ROPGProvider</key>

<string>Custom</string>

ROPGTenant

The tenant ID in your organization to use for ROPG authentication.

Note: This key is required if you set the ROPGProvider key to "Azure_v2".

<key>ROPGTenant</key>

<string>15e7196d-8bd5-4034-ae01-7bda4ad0c91e</string>

ROPGDiscoveryURL

Specifies your OpenID Connect discovery endpoint. If using AD FS, this value is your AD FS domain combined with the following: "/adfs/.well-known/openid-configuration"

Example: https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration

Note: This key is required if you set the ROPGProvider key to "Custom".

<key>ROPGDiscoveryURL</key>

<string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>

ROPGRedirectURI

The redirect URI used by the created application in AD FS or Azure AD.

"https://127.0.0.1/jamfconnect" is recommended by default, but any valid URI value may be used as long as the configured value in Azure AD or AD FS matches the the value in your Jamf Connect Login configuration profile.

<key>ROPGRedirectURI</key>

<string>https://127.0.0.1/jamfconnect</string>

ROPGClientSecret

The client secret of your Jamf Connect application. Consider the following scenarios when configuring client secrets:

  • If you are not using a client secret for ROPG authentication, set this value to "NONE".

  • If you are using the same client secret for both ROPG and the authorization grant with Azure AD, do not set this key. Jamf Connect Login will use the secret set with the OIDCClientSecret key for both authentication and password verification.

  • If using a different client secret for each authentication process, set both OIDCClientSecret and ROPGClientSecret to their respective values.

<key>ROPGClientSecret</key>

<string>your-client-secret</string> 

ROPGSuccessCodes

An array of strings that contain error codes from Azure during an ROPG password verification, which should be interpreted as successful by Jamf Connect.

If using multifactor authentication (MFA) with Azure as a part of the Enrollment Customization feature in Jamf Pro, you may need to use this key to ensure Jamf Connect does not incorrectly interpret an MFA response as an error.

For possible error codes that may need to be configured in your environment, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes

<key>ROPGSuccessCodes</key>

<array>

<string>AADSTS50012</string>

<string>AADSTS50131</string>

</array>


Related Information

For related information about Jamf Connect Login, see the following sections of this guide:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2019 Jamf. All rights reserved.