Jamf Connect Sync
Jamf Connect Sync (formerly NoMAD Pro) is a menu bar application that helps manage your Okta password. With Jamf Connect Sync, you can sign in to your Okta account and synchronize your Okta password with your local account. Jamf Connect can also do the following:
Retrieve Kerberos tickets, if a Kerberos realm is specified
Note: Computers must be connected to an on-premise Active Directory domain controller during Kerberos authentication.
Synchronize keychain items with Okta
Run scripts automatically or on a specified schedule
Add a file share menu
Jamf Connect Sync ensures all activities with user passwords are performed securely. Apple’s APIs are used when possible, which allows Jamf Connect Sync to use macOS built-in features. Administrators can customize Jamf Connect Sync's menu items and set the application preferences with a configuration profile, the Preference menu user interface (UI), or using the defaults command from the Terminal.
Note: Only the most common preferences are displayed in the Preferences menu UI. Additional preferences must be configured with configuration profiles or with the macOS defaults command.
Local Password Sync
Jamf Connect Sync checks the supplied Okta password after a successful authentication with the current local user password, if configured. If these passwords do not match, Jamf Connect Sync alerts the user and then prompts them to enter their current local password. Jamf Connect Sync then synchronizes the current Okta password with the local user's account, keychain, and FileVault password.
Local password sync can be enabled by the user in the Preferences menu, or it can be specified by an administrator with a configuration profile.
Note: Apple's Open Directory APIs are used to check for the local account password, and Apple's "SecKeychain" APIs are used to update the local keychain password.
Jamf Connect Sync can synchronize keychain items when the user changes their Okta password. Keychain items to be synced are specified in the KeychainItems preference key, and then updated via Apple’s "SecKeychain" APIs.
Jamf Connect Sync enforces the following security practices:
Passwords are never stored outside the user’s keychain or stored in memory longer than needed.
Jamf Connect Sync is compliant with Apple’s App Transport Security and will not load any network data that is not secured via HTTPS with valid certificates.
Jamf Connect Sync uses the following:
The Okta Authorization API to pass the user’s name and password over HTTPS
Multi-factor authentication (MFA), if enabled
For more information, see the Multi-Factor Authentication section.
The state token generated by the authentication process to create a redirect URL, which generates a session cookie in the user's preferred browser
If configured, Jamf Connect Sync stores the user's password in the default keychain after a successful authentication. This process uses Apple's standard "SecKeychain" APIs. User's can be blocked from using the keychain with a configuration profile.