Initial Local Password Creation

When a local account is created with Jamf Connect, users must create the password for the account after they have successfully authenticated with the cloud identity provider (IdP). With Jamf Connect, you can allow users to set the initial local password using one of the following methods:

  • Require users to enter their network account password from the cloud IdP, which will be reused to create a local account password. This ensures that both the local and network account passwords are synced immediately after local account creation. Jamf Connect uses a password grant authentication flow—referred to as either a Resource Owner Password Grant (ROPG) or Resource Owner Password Credentials (ROPC) grant—to verify that the password entered by the user matches the network account password.

    Note: To use this method, your IdP must support ROPG authentication grants. Google Cloud Identity cannot use this workflow during account creations.

  • Allow users to enter any password to use for their local account. This option can be used if you do not plan to continue syncing passwords after account creation.

To determine which method Jamf Connect will display to users, you can configure the Create a Separate Local Password (OIDCNewPassword) setting to enable or disable the ability for users to create any local password. By default, this setting is enabled.

Initial Password Settings

Domain: com.jamf.connect.login

Description: Used to determine how Jamf Connect creates a local password during account creation and if a user's local and network passwords should be verified during each login to make sure they are in sync.

Key

Description

Example

OIDCNewPassword

 

Create a Separate Local Password

If set to true, this key prompts users to create a new password for their new local account.

If set to false, this key prompts users to re-enter their network password, which also becomes the local account password. This ensures a user's network and local password are synced during user creation.

Note: This setting is enabled by default.

<key>OIDCNewPassword</key>

<true/>

OIDCROPGID

Client ID (Password Verification)

The Client ID of the registered app in your IdP used for authenticating the user's password via a resource owner password grant (ROPG) workflow. This value usually matches the OIDCClientID preference key.

<key>OIDCROPGID</key>

<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

CreateJamfConnectPassword

Create Jamf Connect Keychain

Automatically create a keychain item for Jamf Connect during the account creation process. This allows the Jamf Connect menu bar app to populate user credentials in the Sign In window when the app is first opened.

Note: To use this setting, the Create a Separate Local Password (OIDCNewPassword) setting must be set to false.

<key>CreateJamfConnectPassword</key>

<true/>

ROPGSuccessCodes

Password Verification Success Codes

An array of strings that contain error codes from your IdP during an ROPG password verification, which should be interpreted as successful by Jamf Connect.

For possible error codes that may need to be configured in your environment, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes

If using OneLogin, set this key to "MFA", if multifactor authentication is used in your environment.

<key>ROPGSuccessCodes</key>

<array>

<string>AADSTS50012</string>

<string>AADSTS50131</string>

</array>

Related Information

For related information, see the following sections in this guide:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2021 Jamf. All rights reserved.