Jamf Connect Verify
Jamf Connect Verify is a menu bar application that allows for continuous password validation between network and local accounts. Validation can occur in the background, avoiding user engagement, or with user interaction.
You can also do the following with Jamf Connect Verify:
Retrieve Kerberos tickets, if a Kerberos realm is specified
Note: Computers must be connected to an on-premises Active Directory domain controller during Kerberos authentication.
Add custom action menu items
Add a file share menu
Configure Silent Operation
The following cloud identity providers (IdPs) are supported in Jamf Connect Verify:
Microsoft Azure AD
Jamf Connect Verify ensures all activities with user passwords are performed securely. Apple’s APIs are used when possible, which allows Jamf Connect Verify to use macOS built-in features. Administrators can customize Jamf Connect Verify's menu items and set the application preferences with a configuration profile, the Preferences menu user interface (UI), or the defaults command in Terminal.
Note: Only the most common preferences are displayed in the Preferences menu UI. Additional preferences must be configured with configuration profiles or with the macOS defaults command.
Local Password Sync
Jamf Connect Verify can be used to validate passwords with an organization's cloud identity provider (IdP).
Jamf Connect Verify uses a Resource Owner Password Grant (ROPG) SAML flow to validate the password against the cloud identity provider. This method allows for password validation without MFA prompts.
Note: ROPG does not retrieve a token, code, or any other form of SAML authentication. Only password verification occurs.
If a user enters an incorrect network password, Jamf Connect Verify prompts the user to sign in to their identity provider to resolve the issue. Once it is resolved, the user is prompted to sign in to Jamf Connect Verify again to continue the process.
After network authentication, the network password is verified locally using Apple's APIs. If the network password does not match the local password, the user will be prompted to enter their local password, which will update the following passwords to match the network password:
The local account
The user's Keychain password
The user's FileVault password, if FileVault is enabled
Jamf Connect Verify can synchronize keychain items when the user changes their network password. Keychain items to be synced are specified in the KeychainItems preference key, and then updated via Apple’s "SecKeychain" APIs.