Initial Local Password Creation
When a local account is created with Jamf Connect, users must create the password for the account after they have successfully authenticated with the cloud identity provider (IdP). With Jamf Connect, you can allow users to set the initial local password using one of the following methods:
- Require users to enter their network account password from the cloud IdP, which will be reused to create a local account password. This ensures that both the local and network account passwords are synced immediately after local account creation. Jamf Connect uses a password grant authentication flow—referred to as either a Resource Owner Password Grant (ROPG) or Resource Owner Password Credentials (ROPC) grant—to verify that the password entered by the user matches the network account password.
  Note: To use this method, your IdP must support ROPG authentication grants. Google Cloud Identity cannot use this workflow during account creation.
- Allow users to enter any password to use for their local account. This option can be used if you do not plan to continue syncing passwords after account creation.
To determine which method Jamf Connect will display to users, you can configure the Create a Separate Local Password (OIDCNewPassword) setting to enable or disable the ability for users to create any local password. By default, this setting is enabled.
Initial Password Settings
Domain: com.jamf.connect.login
Description: Used to determine how Jamf Connect creates a local password during account creation and if a user's local and network passwords should be verified during each login to make sure they are in sync.
Key | Description | Example
--- | --- | ---
OIDCNewPassword | Create a Separate Local Password. If set to true, this key prompts users to create a new password for their new local account. If set to false, this key prompts users to re-enter their network password, which also becomes the local account password. This ensures a user's network and local password are synced during user creation. Note: This setting is enabled by default. | <key>OIDCNewPassword</key> <true/>
OIDCROPGID | Client ID (Password Verification). The Client ID of the registered app in your IdP used for authenticating the user's password via a resource owner password grant (ROPG) workflow. This value usually matches the OIDCClientID preference key. | <key>OIDCROPGID</key> <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>
CreateJamfConnectPassword | Create Jamf Connect Keychain. Automatically create a keychain item for Jamf Connect during the account creation process. This allows the Jamf Connect menu bar app to populate user credentials in the Sign In window when the app is first opened. Note: To use this setting, the Create a Separate Local Password (OIDCNewPassword) setting must be set to false. | <key>CreateJamfConnectPassword</key> <true/>
ROPGSuccessCodes | Password Verification Success Codes. An array of strings that contain error codes returned by your IdP during an ROPG password verification, which should be interpreted as successful by Jamf Connect. For possible error codes that may need to be configured in your environment, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes If using OneLogin and multifactor authentication is used in your environment, set this key to "MFA". | <key>ROPGSuccessCodes</key> <array> <string>AADSTS50012</string> <string>AADSTS50131</string> </array>
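Added example, not Jamf's own code: a Python check that reads a com.jamf.connect.login plist with plistlib and reports the combinations the table above rules out, such as CreateJamfConnectPassword enabled while OIDCNewPassword is still true. The plist payload below is constructed for the demonstration.

```python
import plistlib

# Constructed sample payload for the com.jamf.connect.login domain. It has the
# conflict the table warns about: CreateJamfConnectPassword is true while
# OIDCNewPassword is still at its default of true.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OIDCNewPassword</key>
    <true/>
    <key>CreateJamfConnectPassword</key>
    <true/>
    <key>ROPGSuccessCodes</key>
    <array>
        <string>AADSTS50012</string>
        <string>AADSTS50131</string>
    </array>
</dict>
</plist>
"""


def check_initial_password_settings(plist_bytes: bytes) -> list[str]:
    """Return findings about the initial-password keys; an empty list means consistent."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    # OIDCNewPassword is enabled by default, so a missing key means "true".
    new_password = prefs.get("OIDCNewPassword", True)
    if not isinstance(new_password, bool):
        findings.append("OIDCNewPassword must be a boolean")
        new_password = True
    if new_password:
        # Users pick any local password, so there is no verified network
        # password from which a Jamf Connect keychain item could be created.
        if prefs.get("CreateJamfConnectPassword") is True:
            findings.append("CreateJamfConnectPassword requires OIDCNewPassword to be false")
    elif not prefs.get("OIDCROPGID"):
        # ROPG verification uses the OIDCROPGID client ID (usually the same
        # value as OIDCClientID).
        findings.append("OIDCROPGID is not set; ROPG password verification needs a client ID")
    codes = prefs.get("ROPGSuccessCodes", [])
    if not (isinstance(codes, list) and all(isinstance(c, str) for c in codes)):
        findings.append("ROPGSuccessCodes must be an array of strings")
    return findings


if __name__ == "__main__":
    for line in check_initial_password_settings(SAMPLE_PLIST) or ["settings are consistent"]:
        print(line)
```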
Related Information
For related information, see the following sections in this guide:
- Authentication Protocols: Learn about how Jamf Connect completes authentication during account creation.
- Password Syncing: Learn more about password syncing with Jamf Connect.