User Roles for Local Accounts

Depending on which cloud identity provider (IdP) you use, you can configure Jamf Connect to create either administrator or standard local accounts for users. The role of a local account can be assigned in the following ways:

  • Use a user ID token to create local administrators—You can specify which user roles (or groups) from an ID token should be used to create local administrators. Use the Admin Attribute (OIDCAdminAttribute) and Admin Roles (OIDCAdmin) settings to configure Jamf Connect to read a specific attribute sent by your IdP and to create a local administrator account when that attribute contains one of the specified role names; users whose token carries none of those roles are created as standard accounts.

  • Create all users as local administrators—You can use the Create Admin Users (CreateAdminUser) setting to create all new local accounts as administrators. Use this setting when you do not want to create any standard accounts on computers, or when a user needs to temporarily perform administrator tasks immediately after account creation. If any roles are configured in the IdP, they are ignored for the login that creates the account and are read again at the next login.

    Important: This setting only creates users as local administrators and does not enforce local account status after account creation. If user role attributes are configured in your IdP and included in a user's ID token, those attributes are evaluated at the next login and may change the local account status (for example, an account is demoted to standard if its token carries none of the configured admin roles). Use the Ignore Roles (OIDCIgnoreAdmin) setting to configure Jamf Connect to permanently ignore any role information in a user's ID token. Note that combining Create Admin Users with Ignore Roles makes every account created this way a permanent local administrator, because nothing will later change its status.

  • (Okta Only) Create multiple role-based app integrations in Okta—If using Okta, you can create role-based OpenID Connect app integrations for Jamf Connect and then assign users to each app integration. Jamf Connect can recognize separate app integrations for administrators (OIDCAdminClientID), for users who are allowed to log in with their Okta credentials (OIDCAccessClientID), and for users who can create additional local accounts (OIDCSecondaryLoginClientID).

OpenID Connect User Role Settings

Domain: com.jamf.connect.login

Description: Used to configure user roles from ID token attributes received from an OpenID Connect authentication.

Key: OIDCAdminAttribute
Name: Admin Attribute
Description: Specifies which attribute (claim) in the ID token is used to determine whether a standard or administrator local account is created for a user and, unless Ignore Roles (OIDCIgnoreAdmin) is set, whether that status changes on later logins. By default, Jamf Connect reads the "groups" attribute and looks for any of the values specified in the Admin Roles (OIDCAdmin) setting.

Notes:

  • If using Azure AD, set this value to "roles".

  • If using Google Identity, user roles cannot be defined using an ID token.

Setting:

    <key>OIDCAdminAttribute</key>
    <string>groups</string>

Key: OIDCAdmin
Name: Admin Roles
Description: Specifies which user roles (or groups) configured in your IdP become local administrators during account creation. You can specify one role as a string or multiple roles as an array of strings. Jamf Connect looks for these values in the "groups" attribute of the ID token unless the Admin Attribute (OIDCAdminAttribute) setting is configured; a user whose token contains any one of the listed values becomes a local administrator.

Note: If using Google Identity, user roles cannot be defined using an ID token.

Setting (single role):

    <key>OIDCAdmin</key>
    <string>role</string>

Setting (multiple roles):

    <key>OIDCAdmin</key>
    <array>
        <string>role-one</string>
        <string>role-two</string>
        <string>role-three</string>
        <string>role-four</string>
    </array>

Key: OIDCIgnoreAdmin
Name: Ignore Roles
Description: When set to true, Jamf Connect Login ignores any roles that exist in your IdP. This key ensures local user accounts keep their current status as either an administrator or a standard account, whatever the ID token carries.

When set to false or unspecified, Jamf Connect Login reads the Admin Roles (OIDCAdmin) key for configured roles and changes a local user account's status at each login based on the roles in the ID token.

Setting:

    <key>OIDCIgnoreAdmin</key>
    <false/>

Universal User Role Settings

Domain: com.jamf.connect.login

Description: User role setting that can be used by any cloud IdP.

Key: CreateAdminUser
Name: Create Admin Users
Description: Create all users as local administrators.

Note: This key only creates new users as local administrators and does not enforce local account status after account creation. If user roles are configured in your IdP and specified with the Admin Roles (OIDCAdmin) setting, the account's status may change at the next login unless Ignore Roles (OIDCIgnoreAdmin) is set.

Setting:

    <key>CreateAdminUser</key>
    <false/>
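The OpenID Connect role settings above and the Create Admin Users setting interact in a way that is easy to misjudge, so the following is an added example (not Jamf Connect's own code) that models the documented decision: it parses a constructed com.jamf.connect.login payload with Python's plistlib, reads the role claim from a constructed, unsigned ID token, and returns whether the account ends the login as a local administrator. The function names (load_login_settings, resolve_local_admin and the others), the payload values, the role names and the token claims are this example's own assumptions. One further assumption is labelled in the code: a brand-new account is created as standard when Ignore Roles is true and Create Admin Users is false, because the page only says that roles are ignored.

```python
"""Model of the documented Jamf Connect Login role decision.

Added example, not Jamf code. Assumptions (labelled below): the plist payload,
the ID tokens, the helper names, and the new-account case with roles ignored.
"""
import base64
import json
import plistlib

# Constructed com.jamf.connect.login payload for an IdP that sends roles in the
# "roles" claim (the Azure AD case from the notes above). Role names are assumed.
LOGIN_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OIDCAdminAttribute</key>
    <string>roles</string>
    <key>OIDCAdmin</key>
    <array>
        <string>MacAdmins</string>
        <string>Helpdesk</string>
    </array>
    <key>OIDCIgnoreAdmin</key>
    <false/>
    <key>CreateAdminUser</key>
    <false/>
</dict>
</plist>
"""


def load_login_settings(plist_bytes):
    """Parse the payload into a dict (hypothetical helper, not a Jamf API)."""
    return plistlib.loads(plist_bytes)


def admin_roles(settings):
    """OIDCAdmin may be one string or an array of strings; normalise to a set."""
    value = settings.get("OIDCAdmin", [])
    if isinstance(value, str):
        value = [value]
    return set(value)


def make_unsigned_token(claims):
    """Build a constructed alg=none JWT so the example runs offline."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


def id_token_claims(token):
    """Return the payload claims without a signature check: Jamf Connect has
    already validated the token with the IdP when roles are read, so this model
    only interprets claims and must never be used as a trust decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_grants_admin(settings, claims):
    """True if the configured claim holds any of the configured admin roles."""
    attr = settings.get("OIDCAdminAttribute", "groups")  # documented default
    present = claims.get(attr, [])
    if isinstance(present, str):
        present = [present]
    return bool(admin_roles(settings) & set(present))


def resolve_local_admin(settings, claims, account_exists, currently_admin=False):
    """Is the user a local admin after this login? Documented precedence:
    CreateAdminUser applies only to the login that creates the account,
    OIDCIgnoreAdmin freezes the current status, otherwise roles decide."""
    ignore_roles = bool(settings.get("OIDCIgnoreAdmin", False))
    create_admin = bool(settings.get("CreateAdminUser", False))
    if not account_exists:
        if create_admin:
            return True           # roles are ignored for the creating login
        if ignore_roles:
            return False          # assumption: no roles consulted, so standard
        return token_grants_admin(settings, claims)
    if ignore_roles:
        return currently_admin    # the token never changes an existing status
    return token_grants_admin(settings, claims)


def scenarios():
    """The cases the page warns about, as {description: is_admin}."""
    base = load_login_settings(LOGIN_PROFILE_PLIST)
    helpdesk = id_token_claims(make_unsigned_token({"sub": "jdoe", "roles": ["Helpdesk"]}))
    wrong_claim = id_token_claims(make_unsigned_token({"sub": "jdoe", "groups": ["Helpdesk"]}))
    no_roles = id_token_claims(make_unsigned_token({"sub": "jdoe", "roles": []}))
    create_all = dict(base, CreateAdminUser=True)
    frozen = dict(create_all, OIDCIgnoreAdmin=True)
    return {
        "role in configured claim, new account": resolve_local_admin(base, helpdesk, False),
        "role in groups but profile reads roles": resolve_local_admin(base, wrong_claim, False),
        "CreateAdminUser, new account, no roles": resolve_local_admin(create_all, no_roles, False),
        "CreateAdminUser, next login, no roles": resolve_local_admin(create_all, no_roles, True, True),
        "CreateAdminUser + IgnoreRoles, next login": resolve_local_admin(frozen, no_roles, True, True),
    }


if __name__ == "__main__":
    for name, is_admin in scenarios().items():
        print(f"{name:44s} -> {'admin' if is_admin else 'standard'}")
```

Running the script prints the five scenarios. The "role in groups but profile reads roles" case is the Azure AD note in practice: the admin role is present in the token but is never found because the profile reads a different claim, so the user is created as a standard account. The last two cases show the Important note above: with Create Admin Users alone, the account is demoted at the next login once the token carries no admin role, while adding Ignore Roles keeps it an administrator for good.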

Okta User Role Settings

Domain: com.jamf.connect.login

Description: (Okta Only) Used to configure user roles for new local accounts.

Key: OIDCAccessClientID
Name: Access Client ID
Description: OIDC application to use for users that are allowed to create an account on or log in to computers.

Note: All users, including administrators, must be added to this app in your Okta admin console to ensure access to Jamf Connect.

Example:

    <key>OIDCAccessClientID</key>
    <string>0oad0gmia54gn3y8923h1</string>

Key: OIDCAdminClientID
Name: Admin Client ID
Description: OIDC application to use for users who are created as local administrators during account creation.

Note: Only administrators should be added to this app in your Okta admin console.

Example:

    <key>OIDCAdminClientID</key>
    <string>0oa0gwese54gn3y9O0h4</string>

Key: OIDCSecondaryLoginClientID
Name: Secondary Login Client ID
Description: OIDC application to use for users that are allowed to create additional users on computers after the first account is created.

Example:

    <key>OIDCSecondaryLoginClientID</key>
    <string>0oa0grdsrhdsre54gn3y9O0h4</string>

Related Information

For related information about configuring roles in your IdP, see Integrating with an Identity Provider.

© copyright 2002-2020 Jamf. All rights reserved.