Deploying Jamf Connect Login

Installation

You can install Jamf Connect Login with the signed package installer provided by Jamf. The package is signed with a valid Apple Developer ID identity (verify it with pkgutil --check-signature before uploading it to your management tool) and installs Jamf Connect Login in the following location:

/Library/Security/SecurityAgentPlugins

The package also installs the following authentication tools:

  • authchanger

    /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/Contents/MacOS/authchanger

    The authchanger runs at the end of the installation. It rewrites the system.login.console rule in the authorization database to add the OpenID Connect mechanisms, which enables Jamf Connect Login at the login window.

  • Pluggable Authentication Module (PAM)

    /usr/local/lib/pam/pam_saml.so.2

For more information about the authchanger and PAM, see Authentication Tools.

You can deploy the package installer with any macOS management tool that supports package deployment. Once both the package and a configuration profile are installed, the Jamf Connect login window appears at the next login attempt; no restart is required.

Note: If you would like to use a non-standard authorization rule set, you can rebuild the package without the authchanger binary and supply your own method for updating the authorization database.

Deployment

You can deploy Jamf Connect Login to target computers in your environment using your preferred MDM solution.

Note: This workflow assumes you have met the general requirements for Jamf Connect. For more information, see General Requirements and IdP Compatibility.

  1. Open the Jamf Connect DMG and copy the following packages to your computer:

    • Jamf Connect Login

    • Jamf Connect Configuration

  2. Create a Jamf Connect Login configuration profile:

    1. Open Jamf Connect Configuration.

    2. Click New.

    3. Select your IdP from the Identity Provider pop-up menu and complete the required fields.

    4. (Optional) Click Advanced Setup to configure additional settings and test your configuration. For more information, see Jamf Connect Configuration.

    5. Click Save to generate a configuration profile for Jamf Connect Login.

  3. Upload your Jamf Connect configuration profile to your MDM solution. If using Jamf Pro, use the "Custom Settings" payload. For more information about custom configuration profiles, see the Deploying Custom Configuration Profiles using Jamf Pro Knowledge Base article.

  4. Upload the provided license key configuration profile to your MDM solution.

    Note: You can use the same license key for all Jamf Connect apps.

  5. Scope the uploaded profile from step 4 to the same computers targeted in step 3.

    Important: If using Okta, you must also enable Okta authentication by renaming the Jamf Connect Login installer package so that its file name includes "Okta". The check is not case-sensitive.

  6. Upload the PKG files for Jamf Connect Login to your MDM solution.

  7. Create a policy to deploy packages from step 6 and scope the policy to targeted computers.

Default Jamf Connect Login Mechanism

The XML below is the default set of mechanisms for the system.login.console rule that the authchanger tool installs. All mechanisms installed with Jamf Connect Login are prefixed with "JamfConnectLogin".

Note: The authorization database runs mechanisms in the order they are listed, so you can reorder them to accommodate your workflow, but keep the dependencies intact: the IdP checks (CheckAzure, CheckOIDC) must run before CreateUser, which consumes their result, and mechanisms that modify the system must keep the ",privileged" suffix so they run with root privileges.

<key>mechanisms</key>
<array>
<string>builtin:policy-banner</string>
<string>JamfConnectLogin:CheckAzure</string>
<string>JamfConnectLogin:CheckOIDC</string>
<string>JamfConnectLogin:PowerControl,privileged</string>
<string>JamfConnectLogin:CreateUser,privileged</string>
<string>JamfConnectLogin:DeMobilize,privileged</string>
<string>builtin:login-begin</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>loginwindow:FDESupport,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>CryptoTokenKit:login</string>
<string>loginwindow:done</string>
<string>JamfConnectLogin:EnableFDE,privileged</string>
<string>JamfConnectLogin:SierraFixes,privileged</string>
</array>

The only built-in macOS mechanism removed is loginwindow:login, which displays the standard macOS login window.
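As an added example (not code from Jamf or from the Jamf Connect documentation), the POSIX shell script below checks an exported system.login.console rule for the state described above: the JamfConnectLogin:CheckOIDC mechanism present and listed before JamfConnectLogin:CreateUser, the stock loginwindow:login absent, and the system-modifying Jamf mechanisms still marked privileged. On a Mac you would export the live rule with `security authorizationdb read system.login.console`; since that command only exists on macOS, two constructed plists (one modelled on the default list above, one modelled on a stock rule) stand in for the export so the script runs offline. The ordering and privilege requirements it enforces are assumptions derived from the default list, not a rule set published by Jamf.

```shell
#!/bin/sh
# Added example, not Jamf's code. Checks a system.login.console export for the
# Jamf Connect Login mechanisms. On a Mac:
#   security authorizationdb read system.login.console > /tmp/console.plist
#   check_login_console /tmp/console.plist

# Print the mechanism names from the plist, one per line, in array order.
list_mechanisms() {
    awk '/<key>mechanisms<\/key>/ { inarr = 1; next }
         inarr && /<\/array>/    { exit }
         inarr && /<string>/     { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print }' "$1"
}

# 1-based position of an exact mechanism name in a newline-separated list; empty if absent.
position_of() {
    printf '%s\n' "$1" | grep -nx -- "$2" | cut -d: -f1
}

# Returns 0 when the rule is Jamf Connect-enabled and consistent, 1 otherwise.
check_login_console() {
    mechs=$(list_mechanisms "$1")
    oidc=$(position_of "$mechs" 'JamfConnectLogin:CheckOIDC')
    create=$(position_of "$mechs" 'JamfConnectLogin:CreateUser,privileged')
    stock=$(position_of "$mechs" 'loginwindow:login')

    # The IdP check must exist and must run before the account is created from its result.
    [ -n "$oidc" ]   || { echo "FAIL: JamfConnectLogin:CheckOIDC missing"; return 1; }
    [ -n "$create" ] || { echo "FAIL: JamfConnectLogin:CreateUser,privileged missing"; return 1; }
    [ "$oidc" -lt "$create" ] || { echo "FAIL: CreateUser listed before CheckOIDC"; return 1; }
    # authchanger removes the stock login window; if it is back, something reset the rule.
    [ -z "$stock" ] || { echo "FAIL: loginwindow:login present (stock login window restored)"; return 1; }
    # Mechanisms that write to the system must keep their ,privileged flag (assumed required).
    for m in PowerControl DeMobilize EnableFDE; do
        [ -n "$(position_of "$mechs" "JamfConnectLogin:$m,privileged")" ] \
            || { echo "FAIL: JamfConnectLogin:$m is not marked privileged"; return 1; }
    done
    echo "OK: $(printf '%s\n' "$mechs" | wc -l | tr -d ' ') mechanisms, Jamf Connect Login enabled"
    return 0
}

# Constructed stand-in for the export after authchanger ran (subset of the default list).
JAMF_PLIST=$(mktemp)
cat > "$JAMF_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>JamfConnectLogin:CheckAzure</string>
    <string>JamfConnectLogin:CheckOIDC</string>
    <string>JamfConnectLogin:PowerControl,privileged</string>
    <string>JamfConnectLogin:CreateUser,privileged</string>
    <string>JamfConnectLogin:DeMobilize,privileged</string>
    <string>builtin:login-begin</string>
    <string>builtin:authenticate,privileged</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
    <string>JamfConnectLogin:EnableFDE,privileged</string>
  </array>
  <key>shared</key>
  <true/>
</dict>
</plist>
EOF

# Constructed stand-in for a stock macOS rule (no Jamf mechanisms, stock login window).
STOCK_PLIST=$(mktemp)
cat > "$STOCK_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>builtin:authenticate,privileged</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>
</plist>
EOF

# Stand-alone run: the Jamf rule passes, the stock rule is reported as not enabled.
check_login_console "$JAMF_PLIST"
check_login_console "$STOCK_PLIST" || true
```

Run it after deployment (or from a management-tool extension attribute that feeds it the live export) to catch a Mac where a macOS update or another tool has rewritten system.login.console and silently restored the stock login window.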

Logging

You can view logs from Jamf Connect Login with the Console application or with the log command in Terminal. When capturing logs, you can filter on the SecurityAgent process (predicate process == "SecurityAgent"), which runs all of the Jamf Connect Login mechanisms, or filter on the com.jamf.connect.login subsystem. The log of the most recent login on the computer is also written to the following location: /private/tmp/jamf_login.log

To watch the login process live while a user signs in, connect to the computer with secure shell (SSH) from another computer (the login window occupies the console) and execute the following command:

log stream --predicate 'subsystem == "com.jamf.connect.login"' --debug

Note: Remote Login must be enabled on the computer to use SSH.

To stop logging, press control-C.

You can also execute the log show command to view logs after the user login process completes. The subsystem predicate is an exact match, so use the same com.jamf.connect.login subsystem as above, and limit the window with --last so the query returns only the relevant period:

log show --predicate 'subsystem == "com.jamf.connect.login"' --debug --last 1h

For more information see the Collecting Logs in Jamf Connect Login Knowledge Base article.

Related Information

For related information about customizing the Jamf Connect Login package, see the Customizing the Jamf Connect Login Package with Composer Knowledge Base article.

© copyright 2002-2019 Jamf. All rights reserved.