Integrating with Okta


Jamf Connect authenticates Okta users directly to your domain using Okta's authentication API. No changes are required to enable cloud authentication within the Okta admin dashboard.

Integrating Okta with Jamf Connect involves the following steps:

  1. Enable Okta authentication.

  2. (Optional) Integrate Jamf Connect with OpenID Connect (OIDC).

  3. Configure and deploy Jamf Connect.

Step 1: Enabling Okta Authentication

Although no changes are required to enable functionality within the Okta admin dashboard, you must modify Jamf Connect Login to use Okta's Authentication API rather than OpenID Connect authentication.

Do one of the following to enable Okta authentication:

  • Change the Jamf Connect Login package name to include "okta". This will automatically run the authchanger to enable Okta authentication.

  • Manually execute the following command with the authchanger:

    /usr/local/bin/authchanger -reset -Okta

For more information about executing commands with the authchanger, see authchanger.

(Optional) Step 2: Create OpenID Connect App Integrations

If you want to leverage configurable role preferences, such as determining if an administrator or standard local account is created, you must create OpenID Connect app integrations for Jamf Connect in your Okta admin console. App integrations are used as an additional layer to define roles during local account creation and do not replace the authentication process completed by Okta's API.

Note: You should only use OpenID Connect with Okta to configure local account roles. Configuring OpenID Connect authentication with Okta is not recommended.

Creating an Application Integration

  1. Log in to the Okta Admin Console.

  2. Click Applications.

  3. Click Add Application, and then click Create New App.

  4. Do the following in the Create a New Application Integration window:

    1. Select "Native App" from the Platform pop-up menu.

    2. Select OpenID Connect.

    3. Click Create.

  5. Do the following on the Create OpenID Connect Integration page:

    1. Enter a name for your app, such as "Jamf Connect", in the Application name field.

    2. (Optional) Upload an application logo.

    3. Enter a valid URI, such as "jamfconnect://", in the Login redirect URIs field.

    4. Click Save.

Modifying Grant Types

  1. Select your newly created Jamf Connect app.

  2. Do the following in the General pane:

    1. Select Implicit (Hybrid) under Allowed Grant Type.

    2. Select Allow ID Token with implicit grant type and Allow Access Token with implicit grant type.

    3. Click Save.

If you want to determine if users are created as standard or admin users during local account creation with Jamf Connect Login, repeat this process to yield two app integrations for Jamf Connect: one for standard users and the other for admin users.

Assigning Users and Groups

You must assign users and groups to your Jamf Connect app.

For instructions, see the following documentation from Okta:

Note: If you created two app integrations for Jamf Connect, assign all standard users to one app, and all admin users to both apps. These apps will be specified with OIDCAccessClientID and OIDCAdminClientID preference keys in your Jamf Connect Login configuration profile.
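The following Python check is an added example, not part of Jamf's or Okta's documentation. It audits the two-app setup described in the note above: it reads the two preference keys from a profile payload and flags anyone assigned to the admin app without also being on the standard app. The client IDs, usernames, and the assumption that app assignments have already been exported from Okta into a dictionary are all constructed for illustration.

```python
import plistlib

# Constructed sample: the two preference keys named on this page, placeholder client IDs.
SAMPLE_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OIDCAccessClientID</key><string>0oaEXAMPLEstandard</string>
  <key>OIDCAdminClientID</key><string>0oaEXAMPLEadmin</string>
</dict></plist>"""

# Constructed sample: client ID -> usernames assigned to that app integration in Okta.
SAMPLE_ASSIGNMENTS = {
    "0oaEXAMPLEstandard": {"alice", "bob", "carol"},
    "0oaEXAMPLEadmin": {"carol", "dave"},
}

def check_prefs(plist_bytes):
    """Return (access_id, admin_id, problems) for a Jamf Connect Login preference plist."""
    prefs = plistlib.loads(plist_bytes)
    access = prefs.get("OIDCAccessClientID")
    admin = prefs.get("OIDCAdminClientID")
    problems = [f"{key} is not set"
                for key, value in (("OIDCAccessClientID", access), ("OIDCAdminClientID", admin))
                if not value]
    if access and access == admin:
        problems.append("both keys name the same app, so roles cannot be told apart")
    return access, admin, problems

def audit_roles(access_id, admin_id, assignments):
    """Apply the page's rule: everyone is on the standard app, admins are on both."""
    access_users = assignments.get(access_id, set())
    admin_users = assignments.get(admin_id, set())
    roles = {user: "standard" for user in access_users}
    roles.update({user: "admin" for user in access_users & admin_users})
    # Assigned to the admin app only: breaks the rule and should be reviewed.
    misassigned = sorted(admin_users - access_users)
    return roles, misassigned

if __name__ == "__main__":
    access_id, admin_id, problems = check_prefs(SAMPLE_PREFS)
    roles, misassigned = audit_roles(access_id, admin_id, SAMPLE_ASSIGNMENTS)
    print("profile problems:", problems)
    for user, role in sorted(roles.items()):
        print(f"{user}: {role}")
    print("admin app only (review):", misassigned)
```

Reviewing the admin list this way before deployment keeps the set of accounts that can become local administrators explicit and small.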

Enabling Multi-Factor Authentication

If you want to enable multi-factor authentication (MFA) for users, you must enable MFA at the organization level rather than the app level. To enable MFA, navigate to Security > Authentication > Sign On in the Okta Admin Dashboard, and then create a new Sign On policy.

Disclaimer: Jamf Connect Login may allow users with the same username and password to log in to the incorrect local account. To ensure users can only log in to their account, a multifactor authentication (MFA) method is recommended. Jamf does not accept any responsibility or liability for any damages or security exploitations due to identically provisioned account credentials.

Note: Enabling MFA at the app level is not recommended and may cause errors in Jamf Connect.

For more information about Okta MFA, see the following Okta documentation:

Step 3: Configuring and Deploying Jamf Connect

Jamf Connect is deployed with a package installer, similar to other apps installed on macOS.

For more information on configuring and deploying Jamf Connect, see the following sections of this guide:

© copyright 2002-2020 Jamf. All rights reserved.