Configuring Jamf Connect Login with OneLogin
You can configure Jamf Connect Login by setting preference keys.
Preference keys allow for full manipulation of Jamf Connect Login’s features. You can set preferences through multiple methods:
- Create a new configuration profile in your MDM solution
- Install a configuration profile locally
- Set manually with the defaults write command
Note: The defaults write command will not show preferences set by an MDM solution.
Jamf Connect Login preference keys must be written in the following location:
/Library/Preferences/com.jamf.connect.login.plist
Jamf Connect Login does not create this .plist file. You must create it manually.
If using Jamf Pro, you must sign the configuration profile before uploading. For more information, see the Deploying Custom Configuration Profiles with Jamf Pro Knowledge Base article.
The following is an example of a .plist file that can be used to configure Jamf Connect Login:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OIDCProvider</key>
<string>OneLogin</string>
<key>OIDCNewPassword</key>
<true/>
<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>
<key>OIDCClientID</key>
<string>9fcc52c7-ee36-4889-8517-c5fed2c78083</string>
</dict>
</plist>
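The script below is an added example, not code from Jamf or from this guide. It uses Python's standard-library plistlib to build the sample plist above and to check a plist before it is deployed: each required key from the tables that follow is present with the right plist type, OIDCProvider is OneLogin, and OIDCRedirectURI is exactly the Redirect URI registered on the Jamf Connect Login app in OneLogin (the registered_redirect_uri argument is the example's own assumption; an OIDC authorization server compares redirect URIs as plain strings, so a trailing slash or a scheme difference is a failed login). The type check catches the common slip of setting OIDCNewPassword with `defaults write` and no -bool flag, which stores the string "true" rather than a boolean.

```python
import plistlib

# Constructed example mirroring the sample plist above. The client ID and
# redirect URI are the page's placeholder values, not credentials for a real
# OneLogin tenant.
SAMPLE_CONFIG = {
    "OIDCProvider": "OneLogin",
    "OIDCNewPassword": True,
    "OIDCRedirectURI": "https://127.0.0.1/jamfconnect",
    "OIDCClientID": "9fcc52c7-ee36-4889-8517-c5fed2c78083",
}

# The keys the page lists as required, each with the plist type it must have.
REQUIRED_KEYS = {
    "OIDCProvider": str,
    "OIDCRedirectURI": str,
    "OIDCClientID": str,
    "OIDCNewPassword": bool,
}


def build_plist(config):
    """Serialize a config dict as an XML plist, the form Jamf Connect Login
    reads from /Library/Preferences/com.jamf.connect.login.plist."""
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=True)


def check_required(plist_bytes, registered_redirect_uri):
    """Parse plist bytes and return a list of problems (empty means it passes).

    registered_redirect_uri is the Redirect URI configured on the Jamf Connect
    Login app in OneLogin (an assumption of this example). It must match the
    plist value exactly, because the authorization server compares redirect
    URIs as plain strings.
    """
    cfg = plistlib.loads(plist_bytes)
    problems = []
    for key, expected in REQUIRED_KEYS.items():
        if key not in cfg:
            problems.append(f"missing required key {key}")
        elif not isinstance(cfg[key], expected):
            # <string>true</string> instead of <true/> is what
            # `defaults write ... OIDCNewPassword true` produces without -bool.
            problems.append(
                f"{key} must be a plist {expected.__name__}, "
                f"found {type(cfg[key]).__name__}"
            )
    if cfg.get("OIDCProvider") != "OneLogin":
        problems.append("OIDCProvider must be the string OneLogin for this integration")
    if cfg.get("OIDCRedirectURI") != registered_redirect_uri:
        problems.append(
            "OIDCRedirectURI does not exactly match the Redirect URI registered "
            "in the OneLogin app"
        )
    return problems


if __name__ == "__main__":
    data = build_plist(SAMPLE_CONFIG)
    print(data.decode())
    print(check_required(data, "https://127.0.0.1/jamfconnect"))
```

Write the bytes returned by build_plist to the path above (as root) or wrap them in a configuration profile; check_required can then be run against the file that actually landed on disk, which is what matters when a profile and a local plist disagree.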
Preference Keys
The following tables contain all the preference key-value pairs that can be set with Jamf Connect Login.
Note: Boolean key-values that are not configured default to false unless stated otherwise.
Required Key-Value Pairs
Key | Description | Example
OIDCProvider | Specifies OneLogin as your IdP. | <key>OIDCProvider</key> <string>OneLogin</string>
OIDCRedirectURI | The Redirect URI used by the integrated app (Jamf Connect Login) in OneLogin. | <key>OIDCRedirectURI</key> <string>https://127.0.0.1/jamfconnect</string>
OIDCClientID | The Client ID of the Jamf Connect Login app integrated with your IdP, used to authenticate the user. | <key>OIDCClientID</key> <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>
OIDCNewPassword | Prompts users to create a new password for their new local account. If users want their local account password to match their OneLogin account, they can re-enter their OneLogin password. Note: This key is set to true by default. | <key>OIDCNewPassword</key> <true/>
Optional Key-Value Pairs
Optional Key-Value Pairs can be set to further customize the Jamf Connect Login user experience and account creation process.
Account Creation Settings
Key | Description | Example
CreateAdminUser | If set to true, all users become local admins when created on the computer. To grant admin rights only to specific IdP groups, use OIDCAdmin instead. | <key>CreateAdminUser</key> <false/>
DemobilizeUsers | Determines whether existing Active Directory mobile accounts are "demobilized", that is, converted into local accounts. | <key>DemobilizeUsers</key> <false/>
DenyLocal | Determines whether users can bypass network authentication with the Local Auth button at the loginwindow. If set to true, the Local Auth button is not available and users must authenticate to their network. If set to false, the Local Auth button is available and users can choose to authenticate locally. | <key>DenyLocal</key> <false/>
DenyLocalExcluded | Specifies which users can still authenticate locally when DenyLocal is set to true. | <key>DenyLocalExcluded</key> <array> <string>user-one</string> <string>user-two</string> <string>user-three</string> <string>user-four</string> </array>
LicenseFile | The contents of a .jamfconnectlicense file, Base64 encoded. Note: Keeping your license key in a separate configuration profile provided by your account manager is recommended. | <key>LicenseFile</key> <data>encoded-license-content</data>
Migrate | Allows local accounts to be migrated to network accounts, that is, accounts associated with a network identity. This is typically used when the user account already exists on the computer but you want it to have the same username and password as the user's cloud identity. Jamf Connect Login does this by forcing the user to sign in with their IdP and then attempting to match the user with an existing local account. Consider the following user migration scenario: with the Migrate and DenyLocal preference keys set, all subsequent sign-ins are authenticated to your IdP, and the system then checks whether the user record has an IdPUser attribute. If this attribute cannot be verified, the user is asked to select a local account to associate with their network account. If the local account shortname does not match the network shortname, the network name is added as an alias to the account so the user can use either one. This also keeps the home folder path and other elements of the user record the same. Note: On every successful network authentication, the user's record is updated with the "NetworkSignIn" attribute. If the user only authenticated locally, this attribute is not updated. | <key>Migrate</key> <false/>
MigrateUsersHide | Specifies which local accounts are excluded from the migration pull-down menu. | <key>MigrateUsersHide</key> <array> <string>admin</string> <string>ladmin</string> </array>
RightsTmpCache | When using the AuthUI rule, determines whether the token cache is set to /tmp/cachedata. | <key>RightsTmpCache</key> <false/>
UIDTool | Specifies the path to a UID tool that sets a local user account's UID to a custom value during account creation, for example to match the user's LDAP UID attribute. Your UID tool must be an executable script. Because the tool runs during account creation, store it where only root can write; /Users/Shared, as in the example, is writable by every local user. | <key>UIDTool</key> <string>/Users/Shared/UIDTool</string>
OpenID Connect Settings
Key | Description | Example
OIDCAdmin | Specifies which user groups become local admins during account creation. You can specify one user group as a string or multiple user groups in an array of strings. Note: By default, Jamf Connect Login reads the "groups" attribute in a user's ID token to determine whether they become a local admin. To use a different attribute, see the OIDCAdminAttribute preference key. | <key>OIDCAdmin</key> <string>role</string> or <key>OIDCAdmin</key> <array> <string>role-one</string> <string>role-two</string> <string>role-three</string> <string>role-four</string> </array>
OIDCAdminAttribute | Specifies which attribute in the ID token is used to determine whether a user is created as a standard or admin local user. By default, Jamf Connect Login reads the "groups" attribute for any values specified with the OIDCAdmin preference key. | <key>OIDCAdminAttribute</key> <string>insert-attribute</string>
OIDCClientSecret | The client secret shared between Jamf Connect Login and your IdP. Note: The value is stored in clear text in the preference file, so restrict who can read the file and the profile that delivers it. | <key>OIDCClientSecret</key> <string>insert-client-secret-here</string>
OIDCTenant | Specifies the Tenant ID for your organization that is used for authentication. | <key>OIDCTenant</key> <string>c27d1b33-59b3-4ab2-a5c9-23jf0093</string>
OIDCDiscoveryURL | The Discovery URL from which OIDC configuration settings are read for custom IdPs. Note: This key is required if the OIDCProvider key is set to "Custom". | <key>OIDCDiscoveryURL</key> <string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>
OIDCIgnoreCookies | Ignores any cookies stored by the loginwindow. | <key>OIDCIgnoreCookies</key> <true/>
Pluggable Authentication Module (PAM)
Key | Description | Example
AuthUIOIDCProvider | Specifies your Identity Provider (IdP) for use with PAM. | <key>AuthUIOIDCProvider</key> <string>insert-identity-provider</string>
AuthUIOIDCClientID | The Client ID of the app created in your IdP, used to authenticate users. | <key>AuthUIOIDCClientID</key> <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>
AuthUIOIDCRedirectURI | The Redirect URI used by the app created in your IdP. | <key>AuthUIOIDCRedirectURI</key> <string>https://127.0.0.1/jamfconnect</string>
Messaging and Appearance Settings
Key | Description | Example
BackgroundImage | Path to an image to use for the background of the login screen. | <key>BackgroundImage</key> <string>/usr/local/shared/background.jpg</string>
LoginLogo | Path to a locally stored image file used for the logo during password validation or local password creation. Note: A 250 x 250 pixel image is recommended. | <key>LoginLogo</key> <string>/usr/local/images/logo.png</string>
Help Settings
Key | Description | Example
HelpURL | URL shown at the login window to allow for onboarding or enrollment. | <key>HelpURL</key> <string>yourcompany.help.com</string>
HelpURLLogo | Path to an image used as a clickable logo for the Help URL at the login window. Note: The HelpURL key must be specified. | <key>HelpURLLogo</key> <string>/usr/local/shared/helplogo.png</string>
LocalHelpFile | Path to a local file that users can access by clicking the "Help" button in the Jamf Connect Login window. This file is only displayed if the computer cannot connect to the internet and access the URL specified with the HelpURL key. Note: Supported file types include PDF and HTML. | <key>LocalHelpFile</key> <string>/usr/local/shared/JamfConnectHelp.pdf</string>
FileVault Settings
Key | Description | Example
EnableFDE | Determines whether FileVault is enabled for the first user that logs in. | <key>EnableFDE</key> <true/>
EnableFDERecoveryKey | If set to true, Jamf Connect stores the FileVault recovery key at /var/db/NoMADFDE unless EnableFDERecoveryKeyPath specifies another location. This file contains the key that unlocks the encrypted volume, so restrict access to it. | <key>EnableFDERecoveryKey</key> <true/>
EnableFDERecoveryKeyPath | Specifies a custom path for the recovery key. | <key>EnableFDERecoveryKeyPath</key> <string>/usr/local/filevault</string>
EULA Settings
Note: The EULA mechanism must be enabled before configuring EULA preferences. To add the EULA mechanism to Jamf Connect Login, see Adding the EULA Mechanism.
Key | Description | Example
EULAPath | Specifies the file where the end user license agreement (EULA) acceptance record is stored. | <key>EULAPath</key> <string>/usr/local/shared/EULA.txt</string>
EULAText | Text used for the EULA. | <key>EULAText</key> <string>Insert EULA text here</string>
EULATitle | Title of the EULA text. | <key>EULATitle</key> <string>User Agreement</string>
EULASubTitle | Subtitle of the EULA text. | <key>EULASubTitle</key> <string>Terms and Conditions</string>
Script Settings
Note: The RunScript mechanism must be enabled before configuring script preferences. To add the RunScript mechanism to Jamf Connect Login, see Adding the RunScript Mechanism.
Key | Description | Example
ScriptArgs | The arguments passed to the script run by the RunScript mechanism. Note: The ScriptPath key must be specified. | <key>ScriptArgs</key> <array> <string>-v</string> <string>-user</string> </array>
ScriptPath | Specifies the path to the script or other executable run by the RunScript mechanism. Only one script can be used with Jamf Connect Login at any time. | <key>ScriptPath</key> <string>/usr/local/bin/login</string>
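As an added example (not Jamf's code and not part of this guide), the lint below encodes the dependencies the tables above state: DenyLocalExcluded needs DenyLocal set to true, HelpURLLogo and LocalHelpFile need HelpURL, ScriptArgs needs ScriptPath, EnableFDERecoveryKeyPath needs EnableFDERecoveryKey set to true, OIDCDiscoveryURL is required when OIDCProvider is Custom, and the boolean keys must be real plist booleans rather than the string "true" that `defaults write` produces without -bool. It adds two least-privilege warnings of its own: CreateAdminUser true (every user becomes an admin) and an OIDCClientSecret stored in the preference file. The two sample configurations, the mac-admins group name and the file paths are constructed for the example.

```python
import plistlib

# Boolean keys from the tables above. A value like the string "true" (what
# `defaults write` stores without -bool) is not a plist boolean.
BOOLEAN_KEYS = (
    "OIDCNewPassword", "CreateAdminUser", "DemobilizeUsers", "DenyLocal",
    "Migrate", "RightsTmpCache", "OIDCIgnoreCookies", "EnableFDE",
    "EnableFDERecoveryKey",
)

# Dependencies stated in the tables: the first key only has an effect when the
# second is set (value None) or set to the given value.
DEPENDENCIES = (
    ("DenyLocalExcluded", "DenyLocal", True),
    ("OIDCAdminAttribute", "OIDCAdmin", None),
    ("HelpURLLogo", "HelpURL", None),
    ("LocalHelpFile", "HelpURL", None),
    ("ScriptArgs", "ScriptPath", None),
    ("EnableFDERecoveryKeyPath", "EnableFDERecoveryKey", True),
)


def lint_config(cfg):
    """Return (severity, message) findings for a parsed Jamf Connect Login
    config dict; an empty list means nothing was flagged."""
    findings = []

    for key in BOOLEAN_KEYS:
        if key in cfg and not isinstance(cfg[key], bool):
            findings.append(("error", f"{key} must be <true/> or <false/>, not {cfg[key]!r}"))

    for key, needs, value in DEPENDENCIES:
        if key not in cfg:
            continue
        satisfied = needs in cfg if value is None else cfg.get(needs) is value
        if not satisfied:
            want = needs if value is None else f"{needs} set to {str(value).lower()}"
            findings.append(("error", f"{key} has no effect without {want}"))

    if cfg.get("OIDCProvider") == "Custom" and "OIDCDiscoveryURL" not in cfg:
        findings.append(("error", "OIDCProvider is Custom, so OIDCDiscoveryURL is required"))

    admin = cfg.get("OIDCAdmin")
    if admin is not None and not (
        isinstance(admin, str)
        or (isinstance(admin, list) and all(isinstance(g, str) for g in admin))
    ):
        findings.append(("error", "OIDCAdmin must be a string or an array of strings"))

    # Least-privilege checks added by this example on top of the page's rules.
    if cfg.get("CreateAdminUser") is True:
        findings.append(("warning",
            "CreateAdminUser makes every created user a local admin; grant admin "
            "rights by IdP group with OIDCAdmin instead"))
    if "OIDCClientSecret" in cfg:
        findings.append(("warning",
            "OIDCClientSecret is stored in clear text in the preference file; "
            "anyone who can read the plist can use it"))
    return findings


def lint_plist_file(path):
    """Convenience wrapper: lint a plist already on disk."""
    with open(path, "rb") as fh:
        return lint_config(plistlib.load(fh))


# Constructed examples. WEAK_CONFIG combines the mistakes the lint catches;
# HARDENED_CONFIG is the same deployment with each one corrected. The
# mac-admins group and the paths are invented for the example.
COMMON = {
    "OIDCProvider": "OneLogin",
    "OIDCRedirectURI": "https://127.0.0.1/jamfconnect",
    "OIDCClientID": "9fcc52c7-ee36-4889-8517-c5fed2c78083",
    "OIDCNewPassword": True,
}
WEAK_CONFIG = dict(
    COMMON,
    CreateAdminUser=True,                               # every user becomes admin
    OIDCClientSecret="insert-client-secret-here",       # secret in the plist
    DenyLocal="true",                                   # string, not a boolean
    DenyLocalExcluded=["ladmin"],                       # ignored: DenyLocal is not true
    ScriptArgs=["-v"],                                  # ignored: no ScriptPath
    EnableFDERecoveryKeyPath="/usr/local/filevault",    # ignored: no EnableFDERecoveryKey
)
HARDENED_CONFIG = dict(
    COMMON,
    OIDCAdmin=["mac-admins"],
    DenyLocal=True,
    DenyLocalExcluded=["ladmin"],
    ScriptPath="/usr/local/bin/login",
    ScriptArgs=["-v"],
    EnableFDE=True,
    EnableFDERecoveryKey=True,
    EnableFDERecoveryKeyPath="/usr/local/filevault",
)

if __name__ == "__main__":
    for severity, message in lint_config(WEAK_CONFIG):
        print(f"{severity}: {message}")
    print("hardened:", lint_config(HARDENED_CONFIG))
```

Run lint_plist_file against /Library/Preferences/com.jamf.connect.login.plist on a test Mac before pushing the profile fleet-wide; keys delivered by MDM land in the managed preferences domain instead, so lint the profile's payload dictionary as well.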
Related Information
For related information about Jamf Connect Login, see the following sections of this guide:
- Learn how to integrate Jamf Connect Login with OneLogin.
- loginwindow Application: Learn about the macOS loginwindow application and how it works with Jamf Connect.
- Jamf Connect Login User Experience: Learn about the general user experience when using Jamf Connect Login.