Password and certificate management are central to Jamf Connect's functionality. Jamf Connect uses standards-based technologies to connect to Active Directory (AD) or single sign-on (SSO). These interactions are completed with Kerberos, LDAP, and secure URL session connections with your cloud identity provider (IdP). Jamf Connect uses the versions of these tools included with macOS.
To provide a better understanding of these interactions and ensure your information is secure, review the following security measures in Jamf Connect.
When a user logs in with Jamf Connect, their password is entered in a secure text field and never written to a disk outside the macOS keychain.
When Kerberos is used, the password is used with the gss_aapl_initial_cred() API call, which authenticates the user and obtains a ticket granting ticket (TGT). When changing passwords, the same process is followed using the gss_aapl_change_password() API call. Both API calls leverage Apple's implementation of Heimdal Kerberos.
Note: All Kerberos actions are performed with Apple's APIs. The password is never cached with a "kinit" or other Kerberos command line interface (CLI) tools.
When integrated with Okta as an IdP, Jamf Connect uses the Okta Authentication API.
When integrated with other IdP providers, such as Microsoft Azure AD, Jamf Connect uses the OpenID Connect (OIDC) protocol to communicate with the IdP.
Note: All network connections are made using the macOS URL-loading API, URLSession. All communications are secured with TLS to protect them from interception and tampering.
When Jamf Connect is finished with your password, the value is overwritten and deallocated.
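As an added illustration of the overwrite-and-deallocate handling described above (example code written here, not Jamf's implementation): a password copy is pinned in RAM with mlock() so it is not paged to disk, wiped through a volatile pointer so the compiler cannot discard the stores as dead, and only then freed. The secret_t type and the function names are assumptions, and a POSIX system is assumed for mlock().

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Portable secure wipe. Writing through a volatile pointer keeps the compiler
 * from dropping the stores as dead (a plain memset() right before free() can be
 * optimised away). explicit_bzero()/memset_s() serve the same purpose where
 * available. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

typedef struct {          /* hypothetical type for this example */
    char *data;           /* NUL-terminated password bytes */
    size_t cap;           /* bytes allocated, including the NUL */
    int locked;           /* 1 if mlock() succeeded (pages cannot be swapped) */
} secret_t;

/* Copy a password into heap memory and pin it in RAM where permitted. */
secret_t *secret_new(const char *password) {
    secret_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->cap = strlen(password) + 1;
    s->data = malloc(s->cap);
    if (!s->data) { free(s); return NULL; }
    /* mlock() may fail under RLIMIT_MEMLOCK; the copy still works, just unpinned. */
    s->locked = (mlock(s->data, s->cap) == 0);
    memcpy(s->data, password, s->cap);
    return s;
}

/* Returns 1 if every byte of the buffer is zero (branch-free accumulate). */
static int all_zero(const char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= (unsigned char)buf[i];
    return acc == 0;
}

/* Overwrite, unpin and free. Returns 1 if the bytes were zero at free time. */
int secret_free(secret_t *s) {
    if (!s) return 0;
    secure_wipe(s->data, s->cap);
    int wiped = all_zero(s->data, s->cap);
    if (s->locked) munlock(s->data, s->cap);
    free(s->data);
    free(s);
    return wiped;
}

/* One authentication attempt's lifecycle: copy, use, wipe, deallocate. */
int password_lifecycle(const char *password) {
    secret_t *s = secret_new(password);
    if (!s) return -1;
    /* ... hand s->data to the Kerberos or OIDC authentication call here ... */
    return secret_free(s);
}
```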
For more information about OpenID Connect, see the following FAQ documentation from the OpenID Foundation: https://openid.net/connect/faq/
For more information about the Okta Authentication API, see the following developer documentation from Okta: https://developer.okta.com/docs/reference/api/authn/#application-types
If instructed, Jamf Connect stores the user’s password in their local keychain by using SecKeychainAddGenericPassword() and other SecKeychain API calls. The password is stored in the user's default keychain.
If a password is stored in the user's keychain and Kerberos is enabled, Jamf Connect will use that password on launch. If the password cannot authenticate the user, Jamf Connect deletes the password from the keychain to prevent lockouts. The user is then prompted to re-enter a valid password.
Active Directory Security
Jamf Connect does not require any security settings to be changed in Active Directory. Jamf Connect only uses SASL-authenticated binds when interacting with AD. By default, Jamf Connect uses the user’s Kerberos ticket to encrypt any LDAP traffic with AD. In addition, Jamf Connect can be configured to use SSL for its LDAP connections to AD.
Consider the following:
Jamf Connect runs in user space and not as root. Therefore, it has no more privileges than the currently logged-in user.
Jamf Connect’s functionality is the same for admin and standard macOS users.
Preference keys allow for full manipulation of Jamf Connect’s features. Managed preferences cannot be changed by users. You can set preferences through multiple methods:
Create a new configuration profile in your MDM solution
Install a configuration profile locally
Set manually with the defaults command
Jamf Connect does not send user secrets to any service. The private key that generates your certificate signing request (CSR) never leaves the keychain. The process is only completed within Jamf Connect using Apple-provided SecKeychain and SecCertificate API calls.
Note: Private keys are marked as non-exportable by default; however, you can use a preference key to change this setting.
When sending the CSR to a Windows certificate authority (CA), Kerberos authentication is used, and the CSR is sent via SSL. The resulting signed public key is retrieved using Kerberos and SSL and then matched with the private key in the keychain.
Jamf Connect does not listen for incoming connections. All communications from Jamf Connect are outbound and use the highest available level of transport security.