Configuring Jamf Connect Login with Microsoft Azure AD

You can configure Jamf Connect by setting preference keys.

Preference keys allow for full manipulation of Jamf Connect’s features. You can set preferences with any of the following methods:

  • Use Jamf Connect Configuration to create and test a configuration profile.
    For more information, see Jamf Connect Configuration.

  • Use Jamf Pro's Application & Custom Setting payload.
    For more information, see the Configuring Jamf Connect Settings in Jamf Pro Knowledge Base article.

  • Manually create a configuration profile with a text editor.

  • Set preferences with the command line using the defaults write command.

Note: The defaults command will not show preferences set by an MDM solution.

Jamf Connect Login preference keys must be written in the following location:

/Library/Preferences/com.jamf.connect.login.plist

Jamf Connect Login does not create this PLIST file. You must create it manually.

If using Jamf Pro, you must sign the configuration profile before uploading. For more information, see the Deploying Custom Configuration Profiles with Jamf Pro Knowledge Base article.

Preference Keys

The following tables contain all the preference key-value pairs that can be set with Jamf Connect Login.

Note: Example key-values, where applicable, match the default Jamf Connect setting. Boolean key-values that are not configured default to false unless stated otherwise, and key-values that configure text show the default text in the app.

Minimum Settings

Keys

Description

Example

OIDCProvider

Identity Provider

Specifies Microsoft Azure AD as your IdP.

<key>OIDCProvider</key>

<string>Azure</string>

OIDCClientID

Client ID

The Application ID of the registered app in your IdP used to authenticate the user.

<key>OIDCClientID</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

Password Verification

If you are also using Jamf Connect Verify and want to ensure that local accounts are created using a user's network password, you must configure the following settings.

Key

Description

Example

OIDCROPGID

Client ID (Password Verification)

The Client ID of the registered app in your IdP used for authenticating the user's password via a resource owner password grant (ROPG) workflow. This value should should usually match the OIDCClientID preference key.

<key>OIDCROPGID</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

OIDCNewPassword

 

Create a Separate Local Password

If set to true, this key prompts users to create a new password for their new local account.

If set to false, this key prompts users to re-enter their network password, which also becomes the local account password. This ensures a user's network and local password are synced during user creation.

Note: This key is set to true by default. If set false, you must also set the OIDCROPGID preference key.

<key>OIDCNewPassword</key>

<true/>

ROPGSuccessCodes

Password Verification Success Codes

An array of strings that contain error codes from your IdP during an ROPG password verification, which should be interpreted as successful by Jamf Connect.

Notes:

  • (Azure Only) If using multifactor authentication (MFA) with Azure as a part of the Enrollment Customization feature in Jamf Pro, you may need to use this key to ensure Jamf Connect does not incorrectly interpret an MFA response as an error. For possible error codes that may need to be configured in your environment, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes

  • (OneLogin Only) If using MFA with OneLogin, you must set this key to "MFA".

<key>ROPGSuccessCodes</key>

<array>

<string>MFA</string>

</array>

Account Creation Settings

Key

Description

Example

CreateAdminUser

Create Admin Users

If set to true, all users are created as local admins when on the computer.

Note: This key only creates users as local admins and does not enforce local account status after user creation. If user roles are configured in your IdP and specified with the OIDCAdmin preference key, local user accounts may change during the next log in.

<key>CreateAdminUser</key>

<false/>

CreateVerifyPasswords

Create Jamf Connect Verify Keychain

Determines if Jamf Connect Login will create a keychain entry for Jamf Connect Verify. This key should only be used if Jamf Connect Verify is also installed on computers.

<key>CreateVerifyPasswords</key>

<true/>

DemobilizeUsers

Demobilize Accounts

Determines if any existing Active Directory mobile accounts are demobilized, which is the process of converting a mobile account into a local account. Demobilization also removes the network authentication authority from the account.

Once demobilized, you can unbind the Mac from Active Directory.

Important: If you unbind from Active Directory before demobilization, demobilization may fail if a user's Active Directory password and IdP password do not match and Jamf Connect Login is configured to sync the passwords during account creation. Make sure you demobilize accounts before unbinding from Active Directory and that the Active Directory domain is reachable during account creation with Jamf Connect. For instructions, see the Demobilizing and Unbinding Mobile Accounts with Jamf Connect and Jamf Pro Knowledge Base article.

<key>DemobilizeUsers</key>

<false/>

DenyLocal

Require Network Authentication

Determines if users can bypass network authentication and use the Local Auth button at the login window.

If set to true, the Local Auth button is not available, and user must authenticate to their network.

If set to false, the Local Auth button is available, and users can choose to authenticate locally.

<key>DenyLocal</key>

<false/>

DenyLocalExcluded

Users with local authentication privileges

Specifies which users can still locally authenticate if DenyLocal is set to true

<key>DenyLocalExcluded</key>

<array>

<string>user-one</string>

<string>user-two</string>

<string>user-three</string>

<string>user-four</string>

</array>

LicenseFile

License File

The contents of a .jamfconnectlicense file encoded in Base64 data format.

Note: Maintaining your license key in a separate configuration profile provided by your account manager is recommended.

<key>LicenseFile</key>

<data>encoded-license-content</data>

LocalFallback

Allow Local Fallback

This key is used with DenyLocal to force authentication to the IdP first, but then fallback to local authentication if a network connection is unavailable.

<key>LocalFallback</key>

<false/>

Migrate

Connect existing local accounts to a network account

Jamf Connect can allow existing local accounts to be connected to network accounts.

This setting is typically used when you want a user's existing local account to have the same username and password as the user’s network account.

When enabled, users must log in with their IdP, and then Jamf Connect will look for a matching local account.

  • If a user's network username and password match a local username and password, the account is considered connected. No additional steps are needed.

  • If a user's network username matches a local username but the passwords do not match, the user will be prompted to enter their current local password. Once successfully entered, Jamf Connect will change the local password to match the current network password.

  • If a user's network username does not match any local account, the user can choose from a list of existing local accounts or create a new account. The user must enter the password of a chosen existing local account, and then Jamf Connect will sync the password to the network password, and add the network username as an alias to the local account.

Notes:

  • To use this setting, the Require Network Authentication (DenyLocal) must be enabled.

  • For every successful network authentication of a user, the user’s record will be updated with the “NetworkSignIn” attribute. If a user only uses local authentication, this attribute will not be updated.

<key>Migrate</key>

<false/>

MigrateUsersHide

Local accounts prohibited from network account connection

A list of usernames of local accounts that are excluded from the migration process. These accounts will not appear in a drop down list of available local accounts during the migration process.

<key>MigrateUsersHide</key>

<array>

<string>admin</string>

<string>ladmin</string>

</array>

RightsTmpCache

Set Token Cache to /tmp/cachedata

When using the AuthUI rule, determines if the token cache is set to /tmp/cachedata

<key>RightsTmpCache</key>

<false/>

UIDTool

Use a Custom UID Tool

Specifies a path to a UID tool that allows you to set a local user account's UID to a custom value during account creation. This can be used to match a local user account's UID with a user's LDAP UID attribute. Your UID tool must be an executable script.

Your UID tool must accept account short names and respond with the UID you want for the user account.

<key>UIDTool</key>

<string>/Users/Shared/UIDTool</string>

Advanced OpenID Connect Settings

Key

Description

Example

OIDCAdmin

Admin Roles

Specifies which user groups become local admins during account creation. You can specify one user group as a string or multiple user groups in an array of strings.

Note: By default, Jamf Connect Login reads the "groups" attribute in a user's ID token to determine if they become a local admin. To use a different attribute to determine user creation, see the OIDCAdminAttribute preference key.

<key>OIDCAdmin</key>

<string>role</string>

 

or

 

<key>OIDCAdmin</key>

<array>

<string>role-one</string>

<string>role-two</string>

<string>role-three</string>

<string>role-four</string>

</array>

OIDCAdminAttribute

Admin Attribute

Specifies what attribute stored in an ID token is used to determine if a user is created as a standard or admin local user. By default, Jamf Connect Login will read the "groups" attribute for any values specified with the OIDCAdmin preference key.

<key>OIDCAdminAttribute</key>

<string>insert-attribute</string>

OIDCClientSecret

Client Secret

The client secret used by Jamf Connect Login and your IdP.

<key>OIDCClientSecret</key>

<string>insert-client-secret-here</string>

OIDCDefaultLocal

Use Local Authentication by Default

When set to true, Jamf Connect Login will use local authentication by default rather than cloud authentication, which ensures users can always log in without a network connection.

<key>OIDCDefaultLocal</key>

<false/>

OIDCIgnoreAdmin

Ignore Roles

When set to true, Jamf Connect Login will ignore any roles that exist in your IdP. This key ensures local user accounts maintain their current status as either an admin or standard account.

When set to false or unspecified, Jamf Connect Login will read the OIDCAdmin key for configured roles and will change a local user account status based on any roles in your IdP.

<key>OIDCIgnoreAdmin</key>

<false/>

OIDCRedirectURI

Redirect URI

The redirect URI used by your Jamf Connect app in your IdP.

"https://127.0.0.1/jamfconnect" is recommended by default, but any URI value may be used as long as the configured value in IdP matches the value in your Jamf Connect Login configuration profile.

<key>OIDCRedirectURI</key>

<string>https://127.0.0.1/jamfconnect</string>

OIDCTenant

Tenant ID

Specifies the Tenant ID for your organization that's used for authentication.

<key>OIDCTenant</key>

<string>c27d1b33-59b3-4ab2-a5c9-23jf0093</string>

OIDCDiscoveryURL

Discovery URL

Your IdP's OpenID metadata document that stores OpenID configuration information. This value appears in the following format: "https://domain.url.com/.well-known/openid-configuration"

Note: This key is required if the OIDCProvider key is set to "Custom".

<key>OIDCDiscoveryURL</key>

<string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>

OIDCIgnoreCookies

Ignore Cookies

Ignores any cookies stored by the loginwindow

<key>OIDCIgnoreCookies</key>

<false/>

OIDCScopes

OpenID Connnect Scopes

Specifies custom scopes, which return additional claims in a user’s ID token during authorization. Standard scopes included openid, profile, and offline_access. This key should be configured as a string with space-separated values.

<key>OIDCScopes</key>

<string>openid profile</string>

OIDCShortName

Short Name

Specifies which attribute from a user's ID token to use as the account short name. The short name is added as an alias to the user's local account.

 

Note: If the attribute you want to use is not in the standard ID token sent by Okta, you can receive additional attributes in an ID token by specifying additional claims with the OIDCScopes preference key.

<key>OIDCShortname</key>

<string>given_name</string>

OIDCIDTokenPath

Formatted ID Token Path

Specifies the file path that can be used to store a user’s formatted ID token.

<key>OIDCIDTokenPath</key>

<string>/tmp/token</string>

OIDCIDTokenPathRaw

Raw ID Token Path

Specifies the file path that can be used to store a user’s raw ID token.

<key>OIDCIDTokenPathRaw</key>

<string>/tmp/token-raw</string>

Pluggable Authentication Module (PAM) Settings

Key

Description

Example

AuthUIOIDCProvider

Identity Provider (PAM)

Specifies the identity provider to use for authentication via the Pluggable Authentication Module (PAM)

<key>AuthUIOIDCProvider</key>

<string>insert-identity-provider</string>

AuthUIOIDCClientID

Client ID (PAM)

The client ID of the created Jamf Connect app in your identity provider used for authentication via PAM

<key>AuthUIOIDCClientID</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

AuthUIOIDCRedirectURI

Redirect URI (PAM)

The redirect URI used by the created Jamf Connect app in your identity provider

<key>AuthUIOIDCRedirectURI</key>

<string>https://127.0.0.1/jamfconnect</string>

AuthUIOIDCTenant

Tenant ID (PAM)

The tenant in your identity provider used for authentication via PAM

Note: If Okta is your IdP, this key is required.

<key>AuthUIOIDCTenant</key>

<string>dev-123456</string>

AuthUIOIDCClientSecret

Client Secret (PAM)

The client secret of your Jamf Connect app in your IdP. This value is only known by Jamf Connect and your IdP.

<key>AuthUIOIDCClientSecret</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

Messaging and Appearance Settings

Key

Description

Example

BackgroundImage

Background Image

Path to a locally stored image to use as a background for the login window

<key>BackgroundImage</key>

<string>/usr/local/shared/background.jpg</string>

BackgroundImageAlpha

Background Image Alpha Value

The alpha value of the vibrancy layer blur above the background image as an Int from 0-10, representing the alpha value in 10% increments (e.g., a value of 8 would configure the vibrancy layer blur to be 80% alpha)

Note: Target computers must be running macOS 10.13.x.

<key>BackgroundImageAlpha</key>

<integer>10</integer>

LoginLogo

Login Logo

Path to a locally stored image to use as a logo during password validation or local password creation

Notes:

  • A 250 x 250 pixel image is recommended.

  • Do not include a backslash "\" in your file path.

<key>LoginLogo</key>

<string>/usr/local/images/logo.png</string>

Help Settings

Key

Description

Example

AllowNetworkSelection

Allow Network Selection

When set to true, this preference key allows users to configure and confirm their network connection preferences from the login window. To access this feature when enabled, users can click Network Connection in the bottom-right corner of the login window.

Note: To ensure the security of computers, users cannot select an open Wi-Fi network at the login window.

<key>AllowNetworkSelection</key>

<false/>

HelpURL

Help URL

Specify a URL to display at the login window that directs user's to a resource for onboarding or enrollment help.

<key>HelpURL</key>

<string>yourcompany.help.com</string>

HelpURLLogo

Help Icon

Add a custom image to use as a clickable logo for the Help URL.

Note: The HelpURL key must be specified.

<key>HelpURLLogo</key>

<string>/usr/local/shared/helplogo.png</string>

LocalHelpFile

Backup Help File

A path to a local file that users can access by clicking the "Help" button in the Jamf Connect Login window. This file is only displayed if the computer cannot connect to the internet and access the URL specified with the HelpURL key.

Note: Supported file types include PDF and HTML.

<key>LocalHelpFile</key>

<string>/usr/local/shared/JamfConnectHelp.pdf</string>

FileVault Settings
If enabling FileVault on computers with Jamf Connect, see the Using FileVault with Jamf Connect Knowledge Base article.

If enabling FileVault on computers with Jamf Connect on macOS 10.15 or later, see the Enabling FileVault with Jamf Connect Login on macOS 10.15 or Later Knowledge Base article.

Key

Description

Example

EnableFDE

Enable FileVault

If set to true, FileVault will be enabled for the first user that logs in to a computer.

<key>EnableFDE</key>

<false/>

EnableFDERecoveryKey

Save FileVault Recovery Key

If set to true, Jamf Connect will store the FileVault recovery key to /var/db/NoMADFDE unless otherwise specified.

<key>EnableFDERecoveryKey</key>

<false/>

EnableFDERecoveryKeyPath

Set Recovery Key Filepath

Specifies a custom file path for the FileVault recovery key

<key>EnableFDERecoveryKeyPath</key>

<string>/usr/local/filevault</string>

LAPSUser

LAPS User

An existing local administrator account, of which Jamf Connect can change the password to the personal recovery key. This setting is only used by Jamf Connect to help enable FileVault on standard accounts on macOS 10.15 or later.

<key>LAPSUser</key>

<string>AdminUser</string>

EULA Settings

Note: The EULA mechanism must be enabled before configuring EULA preferences. To add the EULA mechanism to Jamf Connect Login, see End User License Agreement.

Key

Description

Example

EULAPath

Audit Filepath

Specifies the file path to a directory where user’s end acceptance of a EULA is stored as log files.

<key>EULAPath</key>

<string>/usr/local/shared/EULA.txt</string>

EULAText

EULA Text

Text used for the EULA

<key>EULAText</key>

<string>Insert EULA text here</string>

EULATitle

EULA Text

Title of the EULA text

<key>EULATitle</key>

<string>User Agreement</string>

EULASubTitle

EULA Subtitle

Subtitle of the EULA text

<key>EULASubTitle</key

<string>Terms and Conditions</string>

Script Settings

Note: The RunScript mechanism must be enabled before configuring script preferences. To add the RunScript mechanism to Jamf Connect Login, see Login Script.

Key

Description

Example

ScriptArgs

Script Arguments

The arguments used with a specified script run by the RunScript mechanism

Note: The ScriptPath key must bey specified.

<key>ScriptArgs</key>

<array>

<string>-v</string>

<string>-user</string>

</array>

ScriptPath

Script Path

Specifies the path to the script or other executable run by the RunScript mechanism. Only one script can be used with Jamf Connect Login at any time.

<key>ScriptPath</key>

<string>/usr/local/bin/login</string>

Hybrid Identity

These keys can be used to separate the authentication process completed via OpenID Connect from the password verification process completed by the Resource Owner Password Grant (ROPG), which is required to configure Jamf Connect with hybrid identity solutions.

For more information about configuring hybrid identities with Azure AD see the following Knowledge Base articles:

Key

Description

Example

ROPGProvider

Identity Provider (Hybrid ID)

Specifies where ROPG authentication will occur. Supported values are the following:

  • Custom

  • Azure_v2

Set this value to "Custom" if using Azure AD with AD FS.

Set this value to "Azure_v2" if you are using password hash synchronization or pass-through authentication, which allows Jamf Connect Login to use the Microsoft identity platform (v2.0) endpoints for authentication.

For more information about the Microsoft identity platform (v2.0), see the following documentation from Microsoft:
https://docs.microsoft.com/azure/active-directory/develop/azure-ad-endpoint-comparison

<key>ROPGProvider</key>

<string>Custom</string>

ROPGTenant

Tenant ID (Hybrid ID)

The tenant ID in your organization to use for ROPG authentication.

Note: This key is required if you set the ROPGProvider key to "Azure_v2".

<key>ROPGTenant</key>

<string>15e7196d-8bd5-4034-ae01-7bda4ad0c91e</string>

ROPGDiscoveryURL

Discovery URL (Hybrid ID)

Specifies your OpenID Connect discovery endpoint. If using AD FS, this value is your AD FS domain combined with the following: "/adfs/.well-known/openid-configuration"

Example: https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration

Note: This key is required if you set the ROPGProvider key to "Custom".

<key>ROPGDiscoveryURL</key>

<string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>

ROPGRedirectURI

Redirect URI (Hybrid ID)

The redirect URI used by the created application in AD FS or Azure AD.

"https://127.0.0.1/jamfconnect" is recommended by default, but any valid URI value may be used as long as the configured value in Azure AD or AD FS matches the the value in your Jamf Connect Login configuration profile.

<key>ROPGRedirectURI</key>

<string>https://127.0.0.1/jamfconnect</string>

ROPGClientSecret

Client Secret (Hybrid ID)

The client secret of your Jamf Connect application. Consider the following scenarios when configuring client secrets:

  • If you are not using a client secret for ROPG authentication, set this value to "NONE".

  • If you are using the same client secret for both ROPG and the authorization grant with Azure AD, do not set this key. Jamf Connect Login will use the secret set with the OIDCClientSecret key for both authentication and password verification.

  • If using a different client secret for each authentication process, set both OIDCClientSecret and ROPGClientSecret to their respective values.

<key>ROPGClientSecret</key>

<string>your-client-secret</string>

Related Information

For related information about Jamf Connect Login, see the following sections of this guide:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.