Deploying Jamf Connect Login

Installation

You can install Jamf Connect Login with the signed package installer provided by Jamf. This package is signed by a valid Apple Developer identity and will install Jamf Connect Login in the following location:

/Library/Security/SecurityAgentPlugins

The package also installs the authchanger and Pluggable Authentication Module (PAM) binary tools in the following locations:

/Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/Contents/MacOS/authchanger

/usr/local/lib/pam/pam_saml.so.2

The authchanger tool runs at the end of the installation; it updates the authorization database and enables Jamf Connect Login.

For more information about the authchanger and PAM, see Authentication Tools.

You can use the package installer with multiple macOS management tools that allow package deployment. After installation, users can view the loginwindow interface. Restarting the computer is not required.

Note: If you would like to use a non-standard authorization rule set, you can rebuild the package without the authchanger binary and supply your own method for updating the authorization database.

Deployment

You can deploy Jamf Connect Login to target computers in your environment using your preferred MDM solution.

Complete one of the following workflows depending on the IdP you use:

Note: These workflows assume you have met the general requirements for Jamf Connect. For more information, see General Requirements and IdP Compatibility.

Okta

  1. Open the Jamf Connect DMG.

  2. Open an example PLIST file with a text editor. Examples can be found in the product documentation.

  3. Specify your Okta authentication server using the AuthServer preference key.

  4. (Optional) Add and edit additional preference keys to further customize the experience for your users. For more information, see the Configuring Jamf Connect Login with Okta page in this guide.

  5. Upload your Jamf Connect Login PLIST file to your MDM solution. If using Jamf Pro, use the "Custom Settings" payload. For more information about custom configuration profiles, see the Deploying Custom Configuration Profiles using Jamf Pro Knowledge Base article.

  6. Upload the provided license key configuration profile to your MDM solution.

  7. Scope the uploaded profile from step 6 to the same computers targeted in step 5.

  8. Enable Okta authentication by renaming the Jamf Connect Login installer package to include "Okta" in its name.

  9. Upload the PKG files for Jamf Connect to your preferred MDM solution.

  10. Create a policy to deploy packages from step 9 and scope the policy to targeted computers.

Google ID, IBM Cloud Identity, Microsoft Azure AD, OneLogin, and PingFederate

  1. Open the Jamf Connect DMG.

  2. Open an example PLIST file with a text editor. Examples can be found in the product documentation.

  3. Specify your OpenID Connect (OIDC) endpoint by specifying the following preference keys:

    • OIDCProvider

    • OIDCRedirectURI

    • OIDCClientID

    • OIDCROPGID

      Note: If using Google ID, you must also set the OIDCNewPassword preference key to true.

  4. (Optional) Add and edit additional preference keys to further customize the experience for your users. For more information, see the Configuring Jamf Connect Login section in this guide.

  5. Upload your Jamf Connect Login PLIST file to your MDM solution. If using Jamf Pro, use the "Custom Settings" payload. For more information about custom configuration profiles, see the Deploying Custom Configuration Profiles using Jamf Pro Knowledge Base article.

  6. Upload the provided license key configuration profile to your MDM solution.

  7. Scope the uploaded profile from step 6 to the same computers targeted in step 5.

  8. Upload the PKG files for Jamf Connect to your preferred MDM solution.

  9. Create a policy to deploy packages from step 8 and scope the policy to targeted computers.
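Before uploading the PLIST in step 5 of either workflow, it is worth checking that the keys the steps call for are actually present. The following is an added example, not Jamf's code: it reads a Jamf Connect Login PLIST with the standard library and reports missing AuthServer (Okta) or OIDC keys, and the OIDCNewPassword requirement for Google ID. The sample PLISTs and their values are constructed placeholders.

```python
import plistlib

# Preference keys the deployment steps above require for each IdP type.
OKTA_KEYS = ("AuthServer",)
OIDC_KEYS = ("OIDCProvider", "OIDCRedirectURI", "OIDCClientID", "OIDCROPGID")


def check_login_plist(plist_bytes, idp):
    """Return the problems found in a Jamf Connect Login PLIST before upload.
    idp is "okta", or the OIDC provider name such as "google" or "azure".
    An empty list means every key the steps call for is present."""
    prefs = plistlib.loads(plist_bytes)
    problems = []
    required = OKTA_KEYS if idp.lower() == "okta" else OIDC_KEYS
    for key in required:
        value = prefs.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty required key: {key}")
    # Google ID additionally needs OIDCNewPassword set to true (step 3 note).
    if idp.lower() == "google" and prefs.get("OIDCNewPassword") is not True:
        problems.append("OIDCNewPassword must be true for Google ID")
    return problems


# Constructed samples with placeholder values, not a real tenant's settings.
SAMPLE_OKTA = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>AuthServer</key><string>PLACEHOLDER.okta.example</string>
</dict></plist>"""

# An OIDC profile for Google ID that forgot the OIDCNewPassword key.
SAMPLE_GOOGLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>OIDCProvider</key><string>Google</string>
<key>OIDCRedirectURI</key><string>https://PLACEHOLDER.example/redirect</string>
<key>OIDCClientID</key><string>PLACEHOLDER-CLIENT-ID</string>
<key>OIDCROPGID</key><string>PLACEHOLDER-ROPG-ID</string>
</dict></plist>"""
```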

Default Jamf Connect Login Mechanism

The XML below is the default loginwindow mechanism that the authchanger tool installs. All mechanisms installed with Jamf Connect Login are prefixed with "JamfConnectLogin".

Note: You can list the mechanisms in any order to accommodate your workflow.

<key>mechanisms</key>
<array>
<string>builtin:policy-banner</string>
<string>JamfConnectLogin:CheckAzure</string>
<string>JamfConnectLogin:CheckOIDC</string>
<string>JamfConnectLogin:PowerControl,privileged</string>
<string>JamfConnectLogin:CreateUser,privileged</string>
<string>JamfConnectLogin:DeMobilize,privileged</string>
<string>builtin:login-begin</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>loginwindow:FDESupport,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>CryptoTokenKit:login</string>
<string>loginwindow:done</string>
<string>JamfConnectLogin:EnableFDE,privileged</string>
<string>JamfConnectLogin:SierraFixes,privileged</string>
</array>

The only built-in macOS mechanism removed is loginwindow:login, which displays the standard macOS login window.
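Because the authorization database decides which login mechanisms run, a deployment check should confirm that the Jamf Connect Login mechanisms are still installed with their privileged flags and that loginwindow:login has not returned. The following is an added example, not Jamf's code: it takes the plist that `security authorizationdb read system.login.console` prints on a managed Mac (here a constructed sample embedded inline) and compares it with the mechanism list above.

```python
import plistlib

# Jamf Connect Login mechanisms from the default list on this page, with the "privileged" flag each carries there.
JAMF_MECHANISMS = {
    "JamfConnectLogin:CheckAzure": False,
    "JamfConnectLogin:CheckOIDC": False,
    "JamfConnectLogin:PowerControl": True,
    "JamfConnectLogin:CreateUser": True,
    "JamfConnectLogin:DeMobilize": True,
    "JamfConnectLogin:EnableFDE": True,
    "JamfConnectLogin:SierraFixes": True,
}


def audit_login_console(rule_plist):
    """Check a system.login.console rule plist against the expected Jamf
    Connect Login mechanisms. An empty list means no findings."""
    rule = plistlib.loads(rule_plist)
    installed = {}  # mechanism name -> whether it carries ",privileged"
    for entry in rule.get("mechanisms", []):
        name, _, flag = entry.partition(",")
        installed[name] = flag == "privileged"
    findings = []
    for name, privileged in JAMF_MECHANISMS.items():
        if name not in installed:
            findings.append(f"missing mechanism: {name}")
        elif installed[name] != privileged:
            findings.append(f"wrong privilege flag on {name}")
    if "loginwindow:login" in installed:
        findings.append("loginwindow:login present: standard login window shown")
    for name in installed:
        if name.startswith("JamfConnectLogin:") and name not in JAMF_MECHANISMS:
            findings.append(f"unknown JamfConnectLogin mechanism: {name}")
    return findings


# Constructed sample, not real output: DeMobilize lost its privileged flag and
# loginwindow:login is back, as an OS upgrade or a manual reset might leave it.
SAMPLE_RULE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>mechanisms</key><array>
<string>JamfConnectLogin:CheckAzure</string>
<string>JamfConnectLogin:CheckOIDC</string>
<string>JamfConnectLogin:PowerControl,privileged</string>
<string>JamfConnectLogin:CreateUser,privileged</string>
<string>JamfConnectLogin:DeMobilize</string>
<string>loginwindow:login</string>
<string>JamfConnectLogin:EnableFDE,privileged</string>
<string>JamfConnectLogin:SierraFixes,privileged</string>
</array></dict></plist>"""
```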

Logging

You can view logs from Jamf Connect Login with the Console application or using the log command in Terminal. When capturing logs, you can filter on all logs from the Security Agent process, which runs all of the Jamf Connect Login mechanisms. Alternatively, you can filter on the com.jamf.connect.login subsystem. The log for the most recent login on the computer is stored in the following location: /private/tmp/jamf_login.log

To debug the logging process, use secure shell (SSH) to access the computer and execute the following command:

log stream --predicate 'subsystem == "com.jamf.connect.login"' --debug

Note: Remote Login must be enabled on the computer to use SSH.

To stop logging, press Control-C.

You can also execute the log show command to view logs after the user login process completes:

log show --predicate 'subsystem == "com.jamf.connect"' --debug

For more information see the Collecting Logs in Jamf Connect Login Knowledge Base article.

Related Information

For related information about authchanger, see authchanger.

For related information about customizing the Jamf Connect Login package, see the Customizing the Jamf Connect Login Package with Composer Knowledge Base article.

© copyright 2002-2019 Jamf. All rights reserved.