Authentication Settings
You must configure and deploy authentication settings via a computer configuration profile. These settings allow Jamf Connect to authenticate at the login window and the menu bar app, as well as establish a connection between local user accounts on the Mac and a cloud identity provider (IdP).
Keep the following in mind when configuring authentication settings with Jamf Connect:
- Authentication settings for the Jamf Connect menu bar app are contained in the IdPSettings dictionary class.
- If using both the menu bar and login window in your environment, configuring Jamf Connect to create an initial password using a user's network account is recommended. This ensures users are not prompted to change their password immediately after account creation. For more information, see Initial Local Password Creation.
- Minimum authentication settings vary by cloud IdP and environment.
Minimum Authentication Settings by Identity Provider

| Identity Provider | Login Window | Menu Bar |
|---|---|---|
| Azure AD | | |
| Google Cloud ID | | Not Supported |
| IBM Security Verify | | |
| Okta | | |
| OneLogin | | |
| PingFederate | | |
| Custom | | |
Login Window Authentication Settings
Domain: com.jamf.connect.login
Description: Used to allow Jamf Connect to complete authentication between your IdP and local accounts at the login window. Required settings vary by IdP.
| Key | Description | Example |
|---|---|---|
| OIDCProvider | Identity Provider: Specifies your cloud identity provider. The following values are supported: | `<key>OIDCProvider</key> <string>Azure</string>` |
| AuthServer | Auth Server (Okta Only): Your organization's Okta domain URL. | `<key>AuthServer</key> <string>yourcompany.okta.com</string>` |
| OIDCClientID | Client ID: The client ID of the Jamf Connect app in your IdP that is used to authenticate the user. | `<key>OIDCClientID</key> <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>` |
| OIDCRedirectURI | Redirect URI: The redirect URI used by your Jamf Connect app in your IdP. "https://127.0.0.1/jamfconnect" is recommended by default, but any URI value may be used as long as the value configured in your IdP matches the value in your Jamf Connect Login configuration profile. | `<key>OIDCRedirectURI</key> <string>https://127.0.0.1/jamfconnect</string>` |
| OIDCClientSecret | Client Secret: The client secret used by Jamf Connect Login and your IdP. | `<key>OIDCClientSecret</key> <string>insert-client-secret-here</string>` |
| OIDCTenant | Tenant ID: Specifies the Tenant ID for your organization that is used for authentication. | `<key>OIDCTenant</key> <string>c27d1b33-59b3-4ab2-a5c9-23jf0093</string>` |
| OIDCDiscoveryURL | Discovery URL: Your IdP's OpenID metadata document, which stores OpenID configuration information. This value appears in the following format: "https://domain.url.com/.well-known/openid-configuration". Note: This key is required if your Identity Provider (OIDCProvider) is set to "Custom" or "PingFederate". | `<key>OIDCDiscoveryURL</key> <string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>` |
Menu Bar Authentication Settings
Domain: com.jamf.connect
Dictionary: IdPSettings
Description: Used to allow Jamf Connect to complete authentication between your IdP and local accounts. Required settings vary by IdP.
| Key | Description | Example |
|---|---|---|
| Provider | Identity Provider (Required): The name of your cloud identity provider. The following values are supported: | `<key>Provider</key> <string>Azure</string>` |
| OktaAuthServer | Okta Auth Server (Required: Okta Only): Your organization's Okta domain. A preceding "https://" is optional. | `<key>OktaAuthServer</key> <string>your-company.okta.com</string>` |
| ROPGID | Client ID (Required: OpenID Connect Only): The client ID of your Jamf Connect app in your IdP. This value allows Jamf Connect to complete a resource owner password grant (ROPG), which is the process that performs password verification. | `<key>ROPGID</key> <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>` |
| DiscoveryURL | Discovery URL: Your IdP's OpenID Connect discovery endpoint. This value appears in the following format: "https://domain.url.com/.well-known/openid-configuration". If using AD FS, this value is your AD FS domain combined with the following: "/adfs/.well-known/openid-configuration". Note: This key is required if your Identity Provider (the Provider key) is set to "Custom" or "PingFederate". | `<key>DiscoveryURL</key> <string>https://domain.url.com/.well-known/openid-configuration</string>` |
| TenantID | Tenant ID: The Tenant ID for your organization that is used for authentication. Note: If IBM Security Verify is your IdP, this value is required. | `<key>TenantID</key> <string>jamfconnect</string>` |
| ChangePasswordURL | Change Password URL: A URL to a password change web page in your IdP. | `<key>ChangePasswordURL</key> <string>https://idp.example.com/.well-known/change-password</string>` |
| ResetPasswordURL | Reset Password URL: A URL to a password reset web page in your IdP. | `<key>ResetPasswordURL</key> <string>https://idp.example.com/.well-known/reset-password</string>` |
| ClientSecret | Client Secret: The client secret of your Jamf Connect app in your IdP. | `<key>ClientSecret</key> <string>yourClientSecret</string>` |
| SuccessCodes | Password Verification Success Codes: An array of strings containing error codes returned by your IdP during ROPG password verification that Jamf Connect should interpret as successful. For error codes that may need to be configured in your environment, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes. If using OneLogin and multifactor authentication is used in your environment, set this key to "MFA". | `<key>SuccessCodes</key> <array> <string>AADSTS50012</string> <string>AADSTS50131</string> </array>` |
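As an added example (not Jamf's own code or configuration), the following Python linter checks a com.jamf.connect.login plist and the IdPSettings dictionary of a com.jamf.connect plist against the required-key notes in the login window and menu bar tables above, and verifies that SuccessCodes is an array of strings. The sample plists are constructed; treating the provider key itself as always required and the spelling of the IBM Security Verify provider value are assumptions.

```python
import plistlib

# Required-key rules taken from this page's two tables: "*" applies to every
# IdP; the per-IdP lists come from the "Required ... Only" notes. Treating the
# provider key as always required, and the IBM value's spelling, are assumptions.
LOGIN_RULES = {
    "*": ["OIDCProvider"],
    "Okta": ["AuthServer"],
    "Custom": ["OIDCDiscoveryURL"],
    "PingFederate": ["OIDCDiscoveryURL"],
}
MENUBAR_RULES = {
    "*": ["Provider"],
    "Okta": ["OktaAuthServer"],
    "Custom": ["DiscoveryURL"],
    "PingFederate": ["DiscoveryURL"],
    "IBMSecurityVerify": ["TenantID"],
}

def missing_keys(settings, rules, provider_key):
    """Return the required keys that are absent for the configured IdP."""
    provider = settings.get(provider_key, "")
    required = rules["*"] + rules.get(provider, [])
    return [k for k in required if k not in settings]

def lint_login_window(plist_bytes):
    """Lint a com.jamf.connect.login plist; its keys sit at the top level."""
    return missing_keys(plistlib.loads(plist_bytes), LOGIN_RULES, "OIDCProvider")

def lint_menu_bar(plist_bytes):
    """Lint a com.jamf.connect plist; its keys sit inside IdPSettings."""
    settings = plistlib.loads(plist_bytes).get("IdPSettings", {})
    findings = missing_keys(settings, MENUBAR_RULES, "Provider")
    codes = settings.get("SuccessCodes", [])
    if not (isinstance(codes, list) and all(isinstance(c, str) for c in codes)):
        findings.append("SuccessCodes must be an array of strings")
    return findings

# Constructed sample plists: the login window one omits the discovery URL that
# PingFederate requires; the menu bar one is complete for Okta.
LOGIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>OIDCProvider</key><string>PingFederate</string>
  <key>OIDCClientID</key><string>example-client-id</string>
  <key>OIDCRedirectURI</key><string>https://127.0.0.1/jamfconnect</string>
</dict></plist>"""
MENUBAR_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>IdPSettings</key><dict>
    <key>Provider</key><string>Okta</string>
    <key>OktaAuthServer</key><string>your-company.okta.com</string>
  </dict></dict></plist>"""
```

Run `lint_login_window(LOGIN_PLIST)` and `lint_menu_bar(MENUBAR_PLIST)` against exported profile plists before deployment; a non-empty list names the keys the page marks as required for that IdP.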