Integrating with Microsoft Azure AD

Integrating Jamf Connect with Microsoft Azure AD involves the following steps:

  1. Create a registered app for Jamf Connect in Azure AD.

  2. (Optional) Assign users and designate user roles.


Creating a New App Registration

  1. Log in to the Microsoft Azure Portal.

  2. Click Azure Active Directory in the left sidebar.

  3. Click App registrations, and then click New registration.

  4. Enter "Jamf Connect" or something similar in the Name field.

  5. Select Accounts in this organizational directory only under "Supported account types".

  6. Choose "Public client (mobile & desktop)" from the Redirect URI pop-up menu, and then enter a valid URI, such as "https://127.0.0.1/jamfconnect", in the Redirect URI field.

  7. Click Register.

Granting Admin Consent for API Calls

  1. Navigate to your Jamf Connect app registration.

  2. Under "Manage" in the sidebar, click API permissions.

  3. Under "Grant Consent", click Grant admin consent for your company and then click Yes when prompted.

Modifying Authentication Settings

  1. Navigate to your Jamf Connect app registration.

  2. Under "Manage" in the sidebar, click Authentication.

  3. Under "Default client type", switch the Treat application as a public client setting to Yes.

    Important: When this setting is set to Yes, the User & groups tab is hidden when you navigate to Azure AD > Enterprise applications and select your app. If you need to assign specific users and groups to your Jamf Connect app, disable this setting and re-enable it after the users and groups are assigned.

Assigning Users and Designating Roles

Once Jamf Connect is registered as a native app with Azure AD, you can configure settings to assign users and designate app roles.

Assigning Users

You can assign users to the application if you want to limit access. By default, any user in any domain can authenticate to the application. You can also do the following:

  • Hide Jamf Connect from users. This limits a user's interaction with the application to the loginwindow of a computer.

  • Grant admin consent for your organization. This can be done in the "Permissions" section of the application settings.

Important: To ensure the User & groups tab is not unexpectedly hidden, make sure the Treat application as a public client setting in Authentication settings is temporarily switched to No. After you assign users to the Jamf Connect app, you can re-enable this setting.

Designating App Roles

You can create users as local admins on computers by using app roles defined in Azure. To create roles, you will need to edit the application manifest.

  1. Click Azure Active Directory in the left sidebar.

  2. Click App registrations, and then select your Jamf Connect app registration.

  3. Click Manifest.

  4. In the manifest, find "appRoles": [], and then add the desired entries to the manifest. The examples below will create "admin" and "standard" roles.

    Note: You must generate a universally unique identifier (UUID) for each role. Execute the following command using Terminal to generate a UUID:
    uuidgen | tr "[:upper:]" "[:lower:]"

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "displayName": "Admin",
            "id": "fdff90b7-df09-4c19-8ab0-158cc9dc62e4",
            "isEnabled": true,
            "description": "Members of the Admin group.",
            "value": "Admin"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "displayName": "Standard",
            "id": "36610848-21ee-4cc0-afee-eaad59d442ea",
            "isEnabled": true,
            "description": "Members of the Standard group.",
            "value": "Standard"
        }
    ],

  5. Click Save.

You can now explicitly add users to the application and define roles. By default, users with the admin role are created as local admins on a computer, unless the CreateAdminUser preference key is enabled, which makes all users admins. The list of roles that make a user an admin can also be configured with the OIDCAdmin preference key. To add roles to a user's Azure token, you must require User Assignment in the application properties.
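The appRoles entries above and the role-to-local-admin decision just described, modelled in Python as an added example (not Jamf Connect's own code): make_app_role builds entries with lowercase UUIDs as the uuidgen command does, validate_app_roles checks a fragment before it is pasted into the manifest, and is_local_admin mirrors the stated behaviour of the CreateAdminUser and OIDCAdmin preference keys. The token is a constructed, unsigned sample, and the default admin role set ("Admin") is an assumption taken from the example manifest's value field.

```python
import base64
import json
import uuid

def make_app_role(display_name: str, description: str, value: str) -> dict:
    """One appRoles entry; the id is a fresh lowercase UUID, as uuidgen | tr produces."""
    return {"allowedMemberTypes": ["User"], "displayName": display_name,
            "id": str(uuid.uuid4()), "isEnabled": True,
            "description": description, "value": value}

def validate_app_roles(app_roles: list) -> list:
    """Return the problems found in an appRoles fragment; an empty list means it is consistent."""
    problems, seen_ids, seen_values = [], set(), set()
    for role in app_roles:
        rid, value = role.get("id", ""), role.get("value")
        try:
            if str(uuid.UUID(rid)) != rid:  # canonical form is lowercase with hyphens
                problems.append(f"id {rid!r} is not a canonical lowercase UUID")
        except ValueError:
            problems.append(f"id {rid!r} is not a UUID")
        if rid in seen_ids:
            problems.append(f"duplicate id {rid!r}")
        if value in seen_values:
            problems.append(f"duplicate value {value!r}")
        seen_ids.add(rid)
        seen_values.add(value)
    return problems

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token (alg none), used only to exercise the model below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_jwt_payload(token: str) -> dict:
    """Read the claims segment of a compact JWT. No signature check here; a real client must verify."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def is_local_admin(id_token: str, create_admin_user: bool = False, oidc_admin=("Admin",)) -> bool:
    """CreateAdminUser makes every user admin; otherwise a role listed in OIDCAdmin does (assumed default: Admin)."""
    if create_admin_user:
        return True
    roles = decode_jwt_payload(id_token).get("roles", [])
    return any(role in oidc_admin for role in roles)
```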

Note: If you are using Jamf Connect with Automated Device Enrollment (formerly DEP), remove this application from any conditional access controls. The user will be signing in to the computer before conditional access can be instantiated.

For instructions on configuring app roles, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

© copyright 2002-2020 Jamf. All rights reserved.