Integrating with Microsoft Azure AD

Jamf Connect provides support for Microsoft Azure AD. Integrating Microsoft Azure AD with Jamf Connect involves the following steps:

  1. Register Jamf Connect Login with Microsoft Azure

  2. Assign users and designate user roles

  3. Configure and deploy Jamf Connect Login

Step 1: Registering Jamf Connect Login with Azure

You must integrate Jamf Connect with Azure by registering Jamf Connect as a web app. Complete the following steps to create a new app registration:

Creating a New App Registration

  1. Log in to the Microsoft Azure Portal.

  2. Click Azure Active Directory in the left sidebar.

  3. Click App registrations, and then click New registration.

  4. Do the following on the Create pane:

    1. Enter "Jamf Connect" in the Name field.

    2. Select "Accounts in this organizational directory only" under "Supported account types".

    3. Choose "Public (mobile & desktop)" from the Redirect URI pop-up menu, and then enter "https://127.0.0.1/jamfconnect" in the Redirect URI field.

  5. Click Register.

Granting Admin Consent for API Calls

  1. Click on your Jamf Connect app registration.

  2. Under "Manage" in the sidebar, click API permissions.

  3. Under "Grant Consent", click Grant admin consent for your company.

Modifying Authentication Settings

  1. Click your Jamf Connect app registration.

  2. Under "Manage" in the sidebar, click Authentication.

  3. Under "Implicit grant", select ID tokens.

  4. Under "Default client type", switch the Treat application as a public client setting to Yes.

Step 2: Assigning Users and Designating Roles

Once Jamf Connect Login is registered as a native app with Azure, you can configure settings to assign users and designate roles.

Assigning Users

You can assign users to the application if you want to limit access. By default, any user in any domain can authenticate to the application. You can also do the following:

  • Hide Jamf Connect Login from users. This limits a user's interaction with the application to the loginwindow of a computer.

  • Grant admin consent for your organization. This can be done in the "Permissions" section of the application settings.

For step-by-step instructions on how to create users and assign roles, see the following resources from Microsoft:

Designating Roles

You can create users as local admins on the macOS system by using roles defined in Azure. To create roles, you will need to edit the application manifest.

  1. Click Azure Active Directory in the left sidebar.

  2. Click App registrations, and then select Jamf Connect Login.

  3. Click Manifest.

  4. In the manifest, find "appRoles": [], and then add the desired entries. The example below creates "Admin" and "Standard" roles.

    Note: You must generate a universally unique identifier (UUID) for each role. Execute the following command using Terminal to generate a UUID:
    uuidgen | tr "[:upper:]" "[:lower:]"

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "displayName": "Admin",
            "id": "fdff90b7-df09-4c19-8ab0-158cc9dc62e4",
            "isEnabled": true,
            "description": "Members of the Admin group.",
            "value": "Admin"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "displayName": "Standard",
            "id": "36610848-21ee-4cc0-afee-eaad59d442ea",
            "isEnabled": true,
            "description": "Members of the Standard group.",
            "value": "Standard"
        }
    ],

  5. Click Save.

Once saved, you can explicitly add users to the application and define roles. By default, users with the Admin role will be local admins on a system unless the CreateAdmin preference key is enabled, which makes all users admins. The list of roles that make a user an admin can also be set with a preference key. To add roles to a user's Azure token, you must require User Assignment in the application properties.
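As an added example (not Jamf's code or part of this guide), the following Python builds appRoles entries in the shape of the manifest example above and checks an appRoles array before you click Save: every role needs a unique UUID id (lowercased, as the uuidgen command produces), a unique value, the "User" member type, and isEnabled set to true. The sample roles are constructed; the Admin id is the one from the example above, copied onto the Standard role to show what the check catches.

```python
import uuid

REQUIRED_KEYS = {"allowedMemberTypes", "displayName", "id",
                 "isEnabled", "description", "value"}

def build_role(display_name, description, value, role_id=None):
    """One appRoles entry in the shape the manifest example uses. Without
    role_id a lowercase UUID is generated, as uuidgen | tr does in Terminal."""
    return {
        "allowedMemberTypes": ["User"],
        "displayName": display_name,
        "id": (role_id or str(uuid.uuid4())).lower(),
        "isEnabled": True,
        "description": description,
        "value": value,
    }

def validate_app_roles(app_roles):
    """Return the problems found in an appRoles list; empty means OK to save."""
    problems, seen_ids, seen_values = [], set(), set()
    for i, role in enumerate(app_roles):
        missing = REQUIRED_KEYS - role.keys()
        if missing:
            problems.append(f"role {i}: missing keys {sorted(missing)}")
        rid = str(role.get("id", ""))
        try:
            uuid.UUID(rid)
        except ValueError:
            problems.append(f"role {i}: id {rid!r} is not a UUID")
        if rid in seen_ids:
            problems.append(f"role {i}: id {rid} is reused by another role")
        seen_ids.add(rid)
        val = role.get("value")
        if val in seen_values:
            problems.append(f"role {i}: value {val!r} is reused by another role")
        seen_values.add(val)
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append(f"role {i}: allowedMemberTypes must include User")
        if role.get("isEnabled") is not True:
            problems.append(f"role {i}: isEnabled must be true to save the role")
    return problems

# Constructed sample: the Admin role from the guide plus a Standard role whose
# id was copied from Admin by mistake, a slip the check above catches.
SAMPLE_BAD = [
    build_role("Admin", "Members of the Admin group.", "Admin",
               "fdff90b7-df09-4c19-8ab0-158cc9dc62e4"),
    build_role("Standard", "Members of the Standard group.", "Standard",
               "fdff90b7-df09-4c19-8ab0-158cc9dc62e4"),
]
```

Running validate_app_roles on SAMPLE_BAD reports the duplicated id on role 1; replacing that id with a fresh one from build_role makes the list clean.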

Note: If you are using Jamf Connect Login with automated MDM enrollment (formerly DEP), remove this application from any conditional access controls. The user will be signing in to the system before conditional access policies can take effect.

Step 3: Configuring and Deploying Jamf Connect

Jamf Connect is deployed with a package installer, similar to other apps installed on macOS.

For more information on configuring and deploying Jamf Connect, see the following sections of this guide:

© copyright 2002-2019 Jamf. All rights reserved.