Configuring Jamf Connect Login with Okta

You can configure Jamf Connect Login by setting preference keys.

Preference keys allow for full manipulation of Jamf Connect Login’s features. You can set preferences through multiple methods:

  • Use Jamf Connect Configuration to create a configuration profile.
    For more information, see Jamf Connect Configuration.

  • Manually create a configuration profile with a text editor.

  • Set preferences with the defaults write command.

Note: The defaults command will not show preferences set by an MDM solution.

Jamf Connect Login preference keys must be written in the following location:

/Library/Preferences/com.jamf.connect.login.plist

Jamf Connect Login does not create this PLIST file. You must create it manually.

If using Jamf Pro, you must sign the configuration profile before uploading. For more information, see the Deploying Custom Configuration Profiles with Jamf Pro Knowledge Base article.

Preference Keys

The following tables contain all the preference key-value pairs used with Jamf Connect Login for Okta.

Note: Boolean key-values that are not configured default to false.

Required Key-Value Pairs

Key

Description

Example

AuthServer

Specifies your Okta authentication domain

<key>AuthServer</key>

<string>yourcompany.okta.com</string>

Optional Key-Value Pairs

Account Creation Settings

Key

Description

Example

CreateAdminUser

If set to true, all new users become local administrators on the computer.

<key>CreateAdminUser</key>

<true/>

CreateSyncPasswords

Determines if a keychain entry is created for Jamf Connect Sync

<key>CreateSyncPasswords</key>

<true/>

DemobilizeUsers

Determines if mobile accounts should be demobilized

<key>DemobilizeUsers</key>

<false/>

DenyLocal

Determines if users can bypass network authentication and use local authentication at the login window.

If set to true, users must log in with Okta and have a network connection.

If set to false, users can log in without Okta or a network connection.

Note: If set to true, setting the LocalFallback key to true is recommend to ensure users are not locked out of computers, if network connectivity issues occur.

<key>DenyLocal</key>

<false/>

DenyLocalExcluded

Specifies which local users can still use local authentication if the DenyLocal key is also to true.

<key>DenyLocalExcluded</key>

<array>

<string>admin</string>

<string>ladmin</string>

</array>

LicenseFile

The contents of a .jamfconnectlicense file encoded in Base64 data format

Note: Maintaining your license key in a separate configuration profile provided by your account manager is recommended.

<key>LicenseFile</key>

<data>encoded-license-content</data>

LocalFallback

Used with DenyLocal to force authentication to Okta first, but then fallback to local auth if Okta is unavailable.

<key>LocalFallback</key>

<true/>

Migrate

Allows local accounts to be migrated to Okta-based accounts.

This is typically used when the user account was already created on the system, but you want the accounts to have the same username and password as the user’s Okta identity.

Jamf Connect Login does this by forcing the user to sign in via Okta, and then attempts to match the user with an existing local account. Consider the following user migration scenarios:

  • If a user's Okta username and password match a local username and password, the account is considered migrated. No additional steps are needed.

  • If a user's Okta username matches a local username but the passwords do not match, the user will be prompted to enter their current local password. Once successfully entered, Jamf Connect Login will use the current local password and the current Okta password to sync the account to the current Okta password.

  • If a user's Okta username does not match any local account, the user will be given the option to create or migrate a local account. To migrate an account, the user must provide the existing local password. At this point Jamf Connect Login will synchronize the password to the Okta password, and then add the Okta username as an alias to the local account. This way the user can sign in to the system as their Okta username.

Additionally, Okta can migrate users from local accounts to accounts associated with an Okta identity. With the Migrate and DenyLocal preference keys, all subsequent sign-ins will be authenticated to Okta, and then the system verifies if the user record has an “OktaUser” attribute. If this attribute cannot be verified, the user will be asked to select a local account to associate with the user’s Okta account. If the local account shortname does not match the Okta shortname, the Okta name will be added as an alias to the account so the user will be able to use either one. This also keeps the home folder path and other elements of the user record the same.

Note: For every successful Okta authentication of a user, the user’s record will be updated with the “NetworkSignIn” attribute. If the user was only authenticated locally, this attribute will not be updated.

<key>Migrate</key>

<false/>

MigrateUsersHide

Specifies which local accounts are excluded from the migration pull-down menu

<key>MigrateUsersHide</key>

<array>

<string>admin</string>

<string>ladmin</string>

</array>

UIDTool

Specifies a path to a UID tool that allows you to set a local user account's UID to a custom value during account creation. This can be used to match a local user account's UID with a user's LDAP UID attribute. Your UID tool must be an executable script.

<key>UIDTool</key>

<string>/Users/Shared/UIDTool</string>

OpenID Connect Settings

OpenID Connect settings can be used with Okta for the following reasons:

  • To configure role preferences, such as determining if an administrator or standard local account, is created.

  • To use the OpenID Connect authentication protocol rather than Okta's authentication API (not recommended).

Both options require a Jamf Connect app integration, which you can create in your Okta admin console. For more information, see the Integrating with Okta page in this guide.

Key

Description

Example

OIDCAuthServer

Specifies a custom authorization server in your Okta tenant, which can be used to send custom scopes and claims in a user’s ID token during local account creation.

For more information about creating a custom authorization server, see the following resource from Okta: https://developer.okta.com/docs/guides/customize-authz-server/overview/

<key>OIDCAuthServer</key>

<string>yourcompany.okta.com</string>

OIDCAccessClientID

OIDC application that determines which users can access the computer

Note: All users, including administrators, must be added to this app in your Okta admin console to ensure access to Jamf Connect Login.

<key>OIDCAccessClientID</key>

<string>0oad0gmia54gn3y8923h1</string>

OIDCAdminClientID

OIDC application that determines which users are created with local administrator accounts.

Note: Only administrators should be added to this app in your Okta admin console.

<key>OIDCAdminClientID</key>

<string>0oa0gwese54gn3y9O0h4</string>

OIDCIgnoreCookies

Ignores any cookies stored by the loginwindow

<key>OIDCIgnoreCookies</key>

<true/>

OIDCSecondaryLoginClientID

OIDC application that determines who can create local user accounts after an initial user has been created.

<key>OIDCSecondaryLoginClientID</key>

<string>0oa0grdsrhdsre54gn3y9O0h4</string>

OIDCRedirectURI

The redirect URI used by your Jamf Connect app in Okta.

"jamfconnect://127.0.0.1/jamfconnect" is recommended by default, but any valid URI value may be used as long as the configured value in Okta matches the value in your Jamf Connect Login configuration profile.

If you are using OpenID Connect authentication rather than Okta's authentication API, use "https://127.0.0.1/jamfconnect" or a similarly formatted URI.

Notes: Use a private URL scheme to ensure the redirect URI does not conflict with other addresses.

<key>OIDCRedirectURI</key>

<string>jamfconnect://127.0.0.1/jamfconnect</string>

OIDCTenant

Specifies the Tenant ID for your organization that is used for authentication.

This key is required if you choose to use OpenID Connect authentication rather than Okta's authentication API. For an example PLIST file that configures Okta to use OpenID Connect authentication, see Example Configuration Profiles.

<key>OIDCTenant</key>

<string>your-company-tenant</string>

Pluggable Authentication Module (PAM)

Key

Description

Example

AuthUIOIDCProvider

Specifies your Identity Provider (IdP) for use with PAM.

<key>AuthUIOIDCProvider</key>

<string>insert-identity-provider</string>

AuthUIOIDCClientID

The Client ID of the created app in your IdP used to authenticate the users.

<key>AuthUIOIDCClientID</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

AuthUIOIDCRedirectURI

The Redirect URI used by the created app in your IdP

<key>AuthUIOIDCRedirectURI</key>

<string>https://127.0.0.1/jamfconnect</string>

AuthUIOIDCTenant

Specifies which tenant in your IdP to use with PAM.

Note: If Okta is your IdP, this key is required.

<key>AuthUIOIDCTenant</key>

<string>dev-123456</string>

AuthUIOIDCClientSecret

The client secret of your Jamf Connect app in your IdP. This value is only known by Jamf Connect and your IdP.

<key>AuthUIOIDCClientSecret</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

FileVault Settings
If enabling FileVault on computers with Jamf Connect, see the Using FileVault with Jamf Connect Knowledge Base article.

Key

Description

Example

EnableFDE

If set to true, FileVault will be enabled for the first user that logs in to a computer.

<key>EnableFDE</key>

<false/>

EnableFDERecoveryKey

If set to true, Jamf Connect will store the FileVault recovery key to /var/db/NoMADFDE unless otherwise specified.

<key>EnableFDERecoveryKey</key>

<false/>

EnableFDERecoveryKeyPath

Specifies a custom file path for the FileVault recovery key

<key>EnableFDERecoveryKeyPath</key>

<string>/usr/local/filevault</string>

EULA Settings

Note: The EULA mechanism must be enabled before configuring EULA preferences. To add the EULA mechanism to Jamf Connect Login, see End User License Agreement.

Key

Description

Example

EULAPath

Specifies a file where the end user's license agreement record (EULA) is stored.

<key>EULAPath</key>

<string>/usr/local/shared/EULA.txt</string>

EULAText

Text used for the EULA

<key>EULAText</key>

<string>Insert EULA text here</string>

EULATitle

Title of the EULA text

<key>EULATitle</key>

<string>User Agreement</string>

EULASubTitle

Subtitle of the EULA text

<key>EULASubTitle</key

<string>Terms and Conditions</string>


Messaging and Appearance Settings

Key

Description

Example

BackgroundImage

Path to a locally stored image to use as a background for the login window

<key>BackgroundImage</key>

<string>/usr/local/shared/background.jpg</string>

LoginLogo

Path to a locally stored image to use as a logo during password validation or local password creation

Note: A 250 x 250 pixel image is recommended.

<key>LoginLogo</key>

<string>/usr/local/shared/logo.png</string>

LoginScreen

Determines if Jamf Connect Login displays a macOS style login screen instead of a window.

 

<key>LoginScreen</key>

<true/>

MessageOTPEntry

Text displayed when a user must enter a one time password (OTP) as a multi-factor authentication (MFA) method.

<key>MessageOTPEntry</key>

<string>Enter your verification code.</string>

Help Settings

Key

Description

Example

AllowNetwork Selection

When set to true, this preference key allows users to configure and confirm their network connection preferences from the login window. To access this feature when enabled, users can click Network Connection in the bottom-right corner of the login window.

Note: To ensure the security of computers, users cannot select an open Wi-Fi network at the login window.

<key>AllowNetworkSelection</key>

<true/>

HelpURL

Specify a URL to display at the login window that directs user's to a resource for onboarding or enrollment help.

<key>HelpURL</key>

<string>yourcompany.help.com</string>

HelpURLLogo

Add a custom image to use as a clickable logo for the Help URL.

Note: The HelpURL key must be specified.

<key>HelpURLLogo</key>

<string>/usr/local/shared/helplogo.png</string>

LocalHelpFile

A path to a local file that users can access by clicking the "Help" button in the Jamf Connect Login window. This file is only displayed if the computer cannot connect to the internet and access the URL specified with the HelpURL key.

Note: Supported file types include PDF and HTML.

<key>LocalHelpFile</key>

<string>/usr/local/shared/JamfConnectHelp.pdf</string>

Script Settings

Note: The RunScript mechanism must be enabled before configuring script preferences. To add the RunScript mechanism to Jamf Connect Login, see Login Script.

Key

Description

Example

ScriptArgs

The arguments used with a specified script run by the RunScript mechanism

Note: The ScriptPath key must bey specified.

<key>ScriptArgs</key>

<array>

<string>-v</string>

<string>-user</string>

</array>

ScriptPath

Specifies the path to the script or other executable run by the RunScript mechanism. Only one script can be used with Jamf Connect Login at any time.

<key>ScriptPath</key>

<string>/usr/local/bin/login</string>

Related Information

For additional information about Jamf Connect Login, see the following sections of this guide:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.