Integrating with Google Identity

Integrating Jamf Connect with Google Cloud Identity involves two separate integration steps to use both the login window and menu bar app:

Creating an OpenID Connect Integration for the login window

Jamf Connect uses the OpenID Connect authentication protocol to create local accounts and log in users via network authentication.

Creating and deploying an LDAP certificate for menu bar app password syncing

Jamf Connect leverages LDAP authentication with Google's Secure LDAP service to verify a user's network password matches their local password on the Mac.

Creating an OpenID Connect Application Integration for the Login Window

You must integrate Jamf Connect with Google ID by creating OAuth 2.0 credentials for the app.

  1. Log in to Google Cloud.
  2. Click the Navigation menu icon in the upper-left corner.
  3. Click APIs & Services > Credentials.
    Note:

    You may be prompted to create a project and assign it to your organization.

  4. Choose OAuth client ID from the Create credentials pop-up menu.
  5. Do the following on the Create OAuth client ID page:
    1. Under Application type, select Web application.
    2. Enter Jamf Connect or something similar in the Name field.
    3. Enter a valid URI, such as https://127.0.0.1/jamfconnect, in the Authorized redirect URIs field.
  6. Click Create.

Your client credential for Jamf Connect has been successfully created, and a dialog containing your client ID and client secret will display.

Make sure to copy the client ID and client secret to your clipboard. These values must be included in your Jamf Connect configuration profile.

Important:

You must also configure Google's user consent screen, which describes what information Jamf Connect will access from the user's Google account. To configure this screen, navigate to API & Services > Credentials > OAuth consent screen.

Generating a PKCS12 (.p12) Keystore File from a Google Cloud LDAP Client

Google's Secure LDAP service generates a certificate that serves as the primary authentication mechanism for the LDAP clients to authenticate with Secure LDAP.

This certificate is used to allow Jamf Connect to sync a user's Google and local password on a Mac computer.

Requirements

  • A Google Identity subscription that includes Google's LDAP service so you can download a certificate.

    For a list of supported Google Identity subscriptions, see Supported Cloud Identity Providers.

    For more information about Google's Secure LDAP service, see About the Secure LDAP service on the Google Workspace Admin Help website and Add and connect new LDAP clients on Google's Cloud Identity Help website.

  • OpenSSL must be installed in your local environment to convert the certificate and key to .p12 keystore format.

  1. Log in to your Google Admin console.
  2. Click Apps and then LDAP.
  3. Choose the LDAP client you want to integrate with Jamf Pro.

    The service switch status needs to be On for the chosen LDAP client.

  4. Click Authentication.
  5. Download the certificate file that you will use when integrating with Jamf Pro.
  6. Extract the downloaded archive. The output should contain the certificate (.crt) file and the private key (.key) file.
  7. To generate the .p12 keystore file, execute the following command:
    openssl pkcs12 -export -out /path/to/generated/keystore.p12 -inkey /path/to/saved/privatekey.key -in /path/to/saved/certificate.crt
  8. Create a password when prompted.

    This is the password you'll use when accessing the keystore file. Store this password in a secure location.

You can now upload the generated .p12 keystore file to Jamf Pro or locally add it to a computer's system keychain.

Deploying a .p12 Keystore File using Jamf Pro

A .p12 keystore file generated from an LDAP client in your Google Admin console must be installed on computers to allow Jamf Connect to sync user passwords.

You can use Jamf Pro to deploy this file by uploading it to the Certificates payload in a configuration profile.

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Configuration Profiles in the sidebar.
  3. Click New .
  4. Use the General payload to configure basic settings for the configuration profile.
  5. In the Certificates, payload, click Configure.
  6. Name your certificate.
  7. Upload the generated .p12 file and enter the LDAP keystore password.
  8. Select Allow all apps access.
  9. Click Save .

The configuration profile is deployed to target computers.

Manually Installing a .p12 Keystore File

A .p12 keystore file generated from an LDAP client in your Google Admin console must be installed on computers to allow Jamf Connect to sync user passwords.

You can manually install this file by adding it to the system keychain via Keychain Access.

  1. Open Keychain Access, and drag and drop to the .p12 file into the System Keychain pane.
  2. When prompted, enter the LDAP client keystore password that you created when you generated the keystore file.
  3. From the System Keychain pane, click the My Certificates tab.
  4. Edit the LDAP certificate's trust settings to make the certifiacte always trusted:
    1. Right-hand click the LDAP certificate and click Evalute "Your-Certificate-Name"..., and then click Continue.
    2. Click Show Certificate...
    3. Expand the Trust expander, and then select Always Trust from the pop-up menu.
  5. Allow all applications to access the certificate:
    1. Click the expand triangle next to the LDAP certificate.
      The LDAP private key displays.
    2. Double-click the private key.
      A Private Key window displays.
    3. Make sure Allow all applications to access this item is selected.
      Note:

      If you to restrict access to just ldapsearch, you can add /usr/bin/ldapsearch to the list of applications with access.

Testing a .p12 Keystore File and Connection

After Deploying a Keystore File via Jamf Pro or Manually Installing a Keystore File Locally, test the configuration with the ldapsearch command line tool.

  1. Test the configuration with the ldapsearch command line tool using the following: 
    LDAPTLS_IDENTITY="LDAP Client" ldapsearch -uLLL -w USERPASSWORDGOESHERE -D 'USERNAME@GOOGLEDOMAIN.EXT' -H ldaps://ldap.google.com -b 'dc=USERNAME@GOOGLEDOMAIN.EXT'
    Substitute the following fields in the command after the command flags: :
    -wUser's password. You may need to escape special characters by placing the password in single quotes and braces (e.g., '{userP@$$w*rd}' ).
    -DUser's username in User Principle Name (UPN) or email address format (e.g., user.connect@example.com).
    -bUser's username in DC format (e.g., dc=user.connect@example.com).
  2. Confirm that your authentication result is successful.
    Note: These are sample results.
    Successful (Your result may include information about group membership in addition to user information.)
    admin@macos-11 ~ % LDAPTLS_IDENTITY="LDAP Client" ldapsearch -uLLL -w theRightPasswordGoesHere -D 'first.last@example.com' -H ldaps://ldap.google.com -b 'dc=first.last@example.com'
dn: dc=user,dc=connect@example,dc=com
ufn: user.connect@example.com
objectClass: top
objectClass: domain
objectClass: dcObject
dc: user
 
dn: ou=Groups,dc=first,dc=last@example,dc=com
ufn: Groups, first.last@example.com
objectClass: top
objectClass: organizationalUnit
ou: Groups
 
dn: ou=Users,dc=first,dc=last@example,dc=com
ufn: Users, first.last@example.com
objectClass: top
objectClass: organizationalUnit
ou: Users
description: OrganizationName
    Unsuccessful: The user is unknown and an incorrect password was entered.
    admin@macos-11 ~ % LDAPTLS_IDENTITY="LDAP Client" ldapsearch -uLLL -w wrongpassw0rd -D 'first.last@example.com' -H ldaps://ldap.google.com -b 'dc=first.last@example.com'
ldap_bind: Invalid credentials (49)
    additional info: Incorrect password
    Unsuccessful: The user is part of the Google Workspace domain but not part of the group of users allowed to authenticate with this LDAP server.
    admin@macos-11 ~ % LDAPTLS_IDENTITY="LDAP Client" ldapsearch -uLLL -w SuperSecretPassword -D 'first.last@example.com' -H ldaps://ldap.google.com -b 'dc=first.last@example.com'
ldap_bind: Insufficient access (50)
    additional info: Not authorized to authenticate password
    Unsuccessful: The LDAP certificate is missing or incorrectly permissioned (i.e., not scoped to allow all apps access or scoped to a user level instead of a system level certificate) or the LDAP service is turned off in admin.google.com.
    admin@macos-11 ~ % LDAPTLS_IDENTITY="LDAP Client" ldapsearch -uLLL -w macOSJNUC.8 -D 'first.last@example.com' -H ldaps://ldap.google.com -b 'dc=first.last@example.com'
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)