About Jamf Connect Login

Jamf Connect Login

Jamf Connect Login (formerly NoMAD Login+) is an application that allows you to manage authentication with the macOS loginwindow process. In addition, Jamf Connect Login can be used for the following:

  • Enabling authentication with identity provider (IdP) credentials

  • Allowing just-in-time user creation

  • Enabling FileVault

  • Customizing the login experience

You can configure Jamf Connect Login with configuration profiles sent via MDM or installed locally on a computer.

The following IdPs are supported in Jamf Connect Login:

  • Google Identity

  • IBM Cloud Identity

  • Microsoft Azure AD

  • Okta

  • OneLogin

  • PingFederate

Note: Jamf Connect Login features may vary based on the IdP used in your environment.

Structure

The loginwindow on macOS runs through a sequential list of mechanisms. These mechanisms do the following:

  • Display a UI

  • Run scripts and other functions as root

  • Determine if a user can authenticate on a computer

On a standard installation of macOS 10.14, the loginwindow runs 16 built-in mechanisms when a user signs in on the computer. Jamf Connect Login replaces the macOS login UI and can then add other mechanisms to support a variety of workflows.

For most workflows, Jamf Connect Login authenticates the user with an identity provider (IdP) and then creates local accounts based on those credentials.

Note: Modifying the login process can have a negative impact on user experience. A working knowledge of macOS loginwindow mechanisms is essential to crafting workflows with Jamf Connect Login. Testing new workflows before implementing them in your production environment is recommended.

Security

Jamf Connect Login enforces the following security practices:

  • Passwords are never stored outside of the user’s keychain or kept in memory longer than needed.

  • Jamf Connect Login is compliant with Apple’s App Transport Security and will not load any network data that is not secured via HTTPS with valid certificates.

  • When interacting with Okta, Jamf Connect Login uses the Okta Authorization API to pass the user’s name and password over HTTPS.

  • All UI mechanisms in Jamf Connect Login are run as the Security Agent user, not as root, and never write any sensitive data to a disk.

  • Jamf Connect Login uses the built-in system commands to enable FileVault. In addition, all cryptography used by Jamf Connect Login uses the built-in system APIs. This includes the SSL connections.
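As an added example (not Jamf's code and not from the original page), the following Python script inspects the ordered loginwindow mechanism list described under Structure and flags entries that are not Apple's built-ins, reporting whether each carries the `,privileged` suffix that makes a mechanism run as root rather than as the Security Agent user, the distinction drawn under Security. On a real Mac the plist would come from `security authorizationdb read system.login.console`; here a constructed sample is embedded, and `ExampleIdPLogin` is a placeholder bundle name rather than a real mechanism name.

```python
"""Inspect a macOS loginwindow mechanism list for non-Apple entries."""
import plistlib

# Bundle prefixes (the part before the colon) used by Apple's own mechanisms.
APPLE_BUNDLES = {"builtin", "loginwindow", "HomeDirMechanism",
                 "MCXMechanism", "PKINITMechanism", "CryptoTokenKit"}

# Constructed sample shaped like `security authorizationdb read system.login.console`
# output; "ExampleIdPLogin" is a placeholder bundle name, not Jamf's real one.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>ExampleIdPLogin:LoginUI</string>
    <string>ExampleIdPLogin:CreateUser,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>loginwindow:success</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>loginwindow:done</string>
  </array>
</dict></plist>"""


def parse_mechanisms(plist_bytes):
    """Return the ordered mechanism list from an authorizationdb right."""
    right = plistlib.loads(plist_bytes)
    if right.get("class") != "evaluate-mechanisms":
        raise ValueError("not a mechanism-based right: %r" % right.get("class"))
    return list(right.get("mechanisms", []))


def classify(mechanism):
    """Split 'Bundle:name[,privileged]' into (bundle, name, privileged, apple)."""
    privileged = mechanism.endswith(",privileged")   # runs as root if set
    core = mechanism[:-len(",privileged")] if privileged else mechanism
    bundle, _, name = core.partition(":")
    return bundle, name, privileged, bundle in APPLE_BUNDLES


def third_party_mechanisms(plist_bytes):
    """(position, mechanism, runs_as_root) for every non-Apple mechanism."""
    found = []
    for pos, mech in enumerate(parse_mechanisms(plist_bytes)):
        _bundle, _name, privileged, apple = classify(mech)
        if not apple:
            found.append((pos, mech, privileged))
    return found
```

Comparing this output against the mechanism list captured from a known-good build is a simple way to confirm that only the expected login bundle has been inserted and that its UI steps are not marked privileged.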

© copyright 2002-2019 Jamf. All rights reserved.