Multifactor Authentication

Jamf Connect can enforce multifactor authentication (MFA) using your cloud identity provider (IdP). Depending on your IdP and the type of authentication used, Jamf Connect will handle MFA in one of the following ways:

  • OpenID Connect—Jamf Connect will indirectly display any MFA challenges within a web view. The entire MFA experience is configured within your IdP's settings.

  • Okta Authentication API—Jamf Connect presents Okta MFA challenges within the Jamf Connect UI. Some additional messaging can be customized via Jamf Connect settings to help users complete an MFA challenge.

Keep the following in mind when enabling MFA with Jamf Connect:

  • Whether MFA should be enabled at the organization, app, or user level varies by IdP and environment.

  • If configuring MFA with a third-party mobile device app, make sure the app is distributed to users before or alongside Jamf Connect.

  • To ensure MFA is enforced at the login window, make sure you enable the Require Network Authentication (DenyLocal) setting in your login window configuration profile. It is also recommended that you enable the Allow Local Fallback (LocalFallback) setting and configure Users with local authentication privileges (DenyLocalExcluded) so that users can log in without a network connection.
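
The following check is an added example, not part of the Jamf documentation: it audits the settings of a login window payload against the guidance above. The sample payload is constructed, and the value types are assumptions (DenyLocal and LocalFallback as booleans, DenyLocalExcluded as an array of account short names); audit_login_settings is a hypothetical helper name.

```python
import plistlib

# Constructed sample payload (not from the Jamf documentation). Value types are
# assumptions: DenyLocal/LocalFallback as booleans, DenyLocalExcluded as an
# array of local account short names.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DenyLocal</key>
    <true/>
    <key>LocalFallback</key>
    <true/>
    <key>DenyLocalExcluded</key>
    <array>
        <string>localadmin</string>
    </array>
</dict>
</plist>
"""


def audit_login_settings(plist_bytes):
    """Return a list of findings for the three keys named in the guidance."""
    settings = plistlib.loads(plist_bytes)
    findings = []
    # Require Network Authentication: needed for MFA at the login window.
    if settings.get("DenyLocal") is not True:
        findings.append("DenyLocal is not enabled: MFA is not enforced at the login window")
    # Allow Local Fallback: recommended so users can log in without a network.
    if settings.get("LocalFallback") is not True:
        findings.append("LocalFallback is not enabled: no login without a network connection")
    # Users with local authentication privileges: must be a non-empty list of names.
    excluded = settings.get("DenyLocalExcluded")
    if not isinstance(excluded, list) or not excluded:
        findings.append("DenyLocalExcluded is empty: no users have local authentication privileges")
    elif not all(isinstance(u, str) and u.strip() for u in excluded):
        findings.append("DenyLocalExcluded contains a blank or non-string entry")
    return findings


if __name__ == "__main__":
    for line in audit_login_settings(SAMPLE_PROFILE) or ["OK: settings match the guidance"]:
        print(line)
```

An empty result means all three settings match the guidance; each string returned names the setting that needs attention.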

Multifactor Authentication by Identity Provider

The following table includes links to MFA documentation and general guidance for each IdP supported by Jamf Connect.

| Identity Provider | MFA Documentation | Notes |
| --- | --- | --- |
| Azure AD | https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks | You may need to configure the Password Verification Success Codes setting for both the Jamf login window and menu bar to ensure password verification and syncing is successful. For more information, see Authentication Settings. |
| IBM Security Verify | https://cloud.ibm.com/docs/account?topic=account-enablemfa | N/A |
| Google Cloud | https://support.google.com/cloudidentity/answer/175197?hl=en&ref_topic=2759193&visit_id=637309596846751917-1337595352&rd=1 | N/A |
| Okta | | Enabling MFA at the organization level is required. Supported MFA options include the following: Okta Verify one-time password (OTP); Okta Verify push notification; Okta Verify security question; Duo Mobile; Google Authenticator; Yubikeys; RSA security keys |
| OneLogin | https://www.onelogin.com/getting-started/free-trial-plan/add-mfa | You may need to configure the Password Verification Success Codes setting for both the Jamf login window and menu bar to ensure password verification and syncing is successful. For more information, see Authentication Settings. |
| PingFederate | https://support.pingidentity.com/s/marketplace-integration/a7i1W000000CfnAQAS/pingid-for-pingfederate | N/A |

Related Information

For related information about managing network and local authentication with Jamf Connect, see Network and Local Authentication Restrictions.

© copyright 2002-2020 Jamf. All rights reserved.