Integrating with Microsoft Azure AD

To integrate with Azure AD, you must create an app registration for Jamf Connect.
  1. Log in to the Microsoft Azure Portal.
  2. Click Azure Active Directory in the left sidebar.
  3. Click App registrations, and then click New registration.
  4. Enter Jamf Connect (or a similar name) in the Name field.
  5. Select Accounts in this organizational directory only in Supported account types.
  6. Choose Public client/native (mobile & desktop) from the Redirect URI pop-up menu, and then enter a valid URI, such as https://127.0.0.1/jamfconnect, in the Redirect URI field. The URI registered here must exactly match the value of the OIDCRedirectURI key in the Jamf Connect login window configuration profile; Azure AD rejects an authorization request whose redirect URI does not match one registered on the app.
    Note:

    If you also plan to use the Jamf Unlock app in your organization, enter jamfunlock://callback/auth as an additional redirect URI to use for authentication.

  7. Click Register.
Your Jamf Connect app registration is added to Azure AD.

You can now edit the app registration to grant admin consent for API calls and modify authentication settings.

Granting Admin Consent for API Calls in Azure AD

  1. Navigate to your app registration.
  2. From the Manage section in the sidebar, click API permissions.
  3. Under Grant consent, click Grant admin consent for <your organization>, and then click Yes when prompted.

Modifying App Authentication Settings in Azure AD

  1. Navigate to your app registration.
  2. From the Manage section in the sidebar, click Authentication.
  3. In Advanced settings, set the Allow public client flows setting to Yes.
    Important:

    When this setting is set to Yes, the Users and groups tab is hidden when you navigate to Azure AD Enterprise applications and select your app. If you need to assign specific users and groups to your Jamf Connect app, set this setting to No, assign the users and groups, and then set it back to Yes.

Assigning Users

You can assign users to the application if you want to limit access. By default, any user in the directory can authenticate to the application; setting Assignment required to Yes in the Enterprise application's Properties restricts sign-in to the users and groups you assign. You can also do the following:

  • Hide Jamf Connect from users. This limits a user's interaction with the application to the login window of a computer.

  • Grant admin consent for your organization. This can be done in the "Permissions" section of the application settings.

Important:

To ensure the Users and groups tab is not unexpectedly hidden, temporarily set the Allow public client flows setting in Authentication settings to No. After you assign users to the Jamf Connect app, set it back to Yes.

Designating App Roles

You can make users local admins on computers by using app roles defined in Azure AD. To create roles, edit the application manifest.

Note:

You can also edit app roles by using Microsoft Azure's registered app roles UI that is in preview. To use the preview UI instead, navigate to your app registration and from the Manage section in the sidebar, click App roles | Preview.

Requirements
An app registration for Jamf Connect in Azure AD.
  1. Click the Azure Active Directory in the left sidebar.
  2. Click App registrations, and then select your Jamf Connect app registration.
  3. Click Manifest.
  4. In the manifest, find "appRoles": [], and then add your role entries. The example below creates "Admin" and "Standard" roles.
    Note:

    You must generate a universally unique identifier (UUID) for each role, and no two roles may share one. Run the following command in Terminal to generate a lowercase UUID:
    uuidgen | tr "[:upper:]" "[:lower:]"

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "displayName": "Admin",
            "id": "fdff90b7-df09-4c19-8ab0-158cc9dc62e4",
            "isEnabled": true,
            "description": "Members of the Admin group.",
            "value": "Admin"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "displayName": "Standard",
            "id": "36610848-21ee-4cc0-afee-eaad59d442ea",
            "isEnabled": true,
            "description": "Members of the Standard group.",
            "value": "Standard"
        }
    ],
  5. Click Save.
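The following script is an added example, not code from Jamf or Microsoft. It does what steps 4 and 5 describe by hand: it generates a fresh lowercase UUID per role (the same uuidgen command as above), emits the "appRoles" fragment for pasting into the manifest, and checks that every id is a well-formed, unique lowercase UUID before you save. The push_app_roles function is an assumption about your environment, not something the page describes: it needs the Azure CLI installed and logged in, and APP_ID set to the registration's Application (client) ID.

```shell
#!/bin/sh
# Added example (not Jamf's or Microsoft's code): build the "appRoles"
# manifest fragment with fresh lowercase UUIDs and validate the ids.
# Assumes a POSIX shell with uuidgen (macOS, most Linux) or /proc on Linux.
# The az CLI step is an assumption: it needs the Azure CLI logged in and
# APP_ID set to the registration's Application (client) ID.

# One lowercase UUID, as in the page's own Terminal command.
new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen | tr '[:upper:]' '[:lower:]'
    else
        cat /proc/sys/kernel/random/uuid   # Linux fallback, already lowercase
    fi
}

# One appRoles entry. $1 is the role value (the string that appears in the
# user's token "roles" claim and that OIDCAdmin matches), $2 is its id.
app_role() {
    printf '  {\n'
    printf '    "allowedMemberTypes": [ "User" ],\n'
    printf '    "displayName": "%s",\n' "$1"
    printf '    "id": "%s",\n' "$2"
    printf '    "isEnabled": true,\n'
    printf '    "description": "Members of the %s group.",\n' "$1"
    printf '    "value": "%s"\n' "$1"
    printf '  }'
}

# The complete fragment for the role values given as arguments,
# e.g. build_app_roles Admin Standard
build_app_roles() {
    printf '"appRoles": [\n'
    first=1
    for role in "$@"; do
        [ "$first" -eq 1 ] || printf ',\n'
        first=0
        app_role "$role" "$(new_uuid)"
    done
    printf '\n]\n'
}

# Succeed only if every "id" in the fragment on stdin is a lowercase UUID
# and no two roles share one (each role id must be a unique GUID).
check_role_ids() {
    ids=$(grep -o '"id": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/')
    total=$(printf '%s\n' "$ids" | grep -c . || true)
    valid=$(printf '%s\n' "$ids" \
        | grep -cE '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' || true)
    unique=$(printf '%s\n' "$ids" | sort -u | grep -c . || true)
    [ "$total" -gt 0 ] && [ "$valid" -eq "$total" ] && [ "$unique" -eq "$total" ]
}

# Assumed alternative to the portal's Manifest editor: write just the JSON
# array to a file and hand it to the Azure CLI (az ad app update takes a
# JSON file via @path for --app-roles).
push_app_roles() {
    build_app_roles "$@" | sed '1s/^"appRoles": //' > approles.json
    az ad app update --id "$APP_ID" --app-roles @approles.json
}

# Run directly: validate and print the fragment, or push it when APP_ID is set.
if [ -n "${APP_ID:-}" ]; then
    push_app_roles Admin Standard
else
    fragment=$(build_app_roles Admin Standard)
    printf '%s\n' "$fragment" | check_role_ids || { echo "generated ids failed validation" >&2; exit 1; }
    printf '%s\n' "$fragment"
fi
```

The validation matters because a role id is what the assignment in Azure AD points at: if you copy a role entry and forget to replace its id, the two roles collide and the manifest cannot be saved.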

You can now explicitly add users to the application and assign them roles. Users whose token carries a role listed in the OIDCAdmin preference key are created as local admins on the computer; if the CreateAdminUser preference key is enabled, every user is created as a local admin regardless of role. For roles to be included in a user's Azure token, you must require user assignment (Assignment required set to Yes) in the Enterprise application's properties and then assign each user or group a role.
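The script below is an added example, not Jamf's code, showing what the paragraph above means in practice: an assigned app role shows up in the user's ID token as the role's value inside a "roles" claim, and a user with no assignment gets no "roles" claim at all. It decodes a token's payload and applies the OIDCAdmin / CreateAdminUser decision as described. The tokens are constructed inside the script (unsigned, with placeholder tenant and app ids) and the claim parsing is for inspection only; it does not verify the signature, so never base a real authorization decision on it. Jamf Connect, like any OIDC client, validates the token before trusting its claims.

```shell
#!/bin/sh
# Added example (not Jamf's code): read the "roles" claim of an Azure AD ID
# token and decide local admin status the way OIDCAdmin / CreateAdminUser do.
# Assumes only a POSIX shell with base64, tr, cut and grep. Tokens are
# constructed here for illustration: unsigned, fake tenant and app ids.
# No signature check is done; this is for inspecting claims, nothing more.

# base64url encode stdin (JWT alphabet, no padding, no line wrapping).
b64url_encode() {
    base64 | tr -d '\n=' | tr '+/' '-_'
}

# base64url decode stdin: restore the standard alphabet and the '=' padding
# that JWTs strip, then decode.
b64url_decode() {
    data=$(tr '_-' '/+')
    case $(( ${#data} % 4 )) in
        2) data="${data}==" ;;
        3) data="${data}=" ;;
    esac
    printf '%s' "$data" | base64 --decode
}

# Build a constructed ID token. $1 is the contents of the roles array,
# e.g. '"Admin"' or '"Standard","Admin"'; pass '' for a user with no
# app role assigned, which yields a token without a "roles" claim.
make_token() {
    header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
    if [ -n "$1" ]; then
        roles=",\"roles\":[$1]"
    else
        roles=""
    fi
    payload=$(printf '{"aud":"00000000-0000-0000-0000-000000000000","iss":"https://login.microsoftonline.com/example-tenant/v2.0","preferred_username":"user@example.com"%s}' "$roles" | b64url_encode)
    printf '%s.%s.%s' "$header" "$payload" "signature-not-checked-here"
}

# Print the role values in the token's "roles" claim, one per line
# (nothing if the claim is absent).
token_roles() {
    payload=$(printf '%s' "$1" | cut -d. -f2 | b64url_decode)
    printf '%s' "$payload" | grep -o '"roles":\[[^]]*]' \
        | grep -o '"[^"]*"' | tail -n +2 | tr -d '"'
}

# Admin decision. $1 = token, $2 = OIDCAdmin value (comma-separated role
# values, e.g. "Admin"), $3 = CreateAdminUser ("true" or "false").
# Returns 0 for local admin, 1 for standard user.
is_local_admin() {
    [ "$3" = "true" ] && return 0   # CreateAdminUser: everyone is an admin
    for r in $(token_roles "$1"); do
        for a in $(printf '%s' "$2" | tr ',' ' '); do
            [ "$r" = "$a" ] && return 0
        done
    done
    return 1
}

# Demo on a constructed token when run directly.
TOKEN=$(make_token '"Admin"')
printf 'roles in token: %s\n' "$(token_roles "$TOKEN" | tr '\n' ' ')"
if is_local_admin "$TOKEN" "Admin" false; then
    echo "would be created as a local admin"
else
    echo "would be created as a standard user"
fi
```

Two failure modes worth checking against your own tokens: a user you forgot to assign a role gets no "roles" claim and is created as a standard user even if OIDCAdmin is set, and with CreateAdminUser enabled the role check is bypassed for everyone.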

Note:

If you use Jamf Connect with Automated Device Enrollment (formerly DEP), exclude this application from any Conditional Access policy. The user signs in to the computer before a Conditional Access policy can be evaluated.

Enforcing Conditional Access Policies

If your organization uses Microsoft Conditional Access policies and wants to enforce those policies in Jamf Connect, you must add a web platform redirect URI to your Jamf Connect app registration. This allows Azure AD to recognize Jamf Connect as a cloud application that can be included in a Conditional Access policy.

Requirements

An app registration for Jamf Connect in Azure AD

  1. Navigate to your app registration.
  2. From the Manage section in the sidebar, click Authentication.
  3. Click + Add a platform in Platform integrations.
  4. In the Configure platforms pane, click Web.
  5. Enter a placeholder URI that will never be used, such as https://0.0.0.0/jamfconnect.

    This allows Jamf Connect to be recognized as a cloud application.

  6. Click Configure.
Your Jamf Connect registered application can now be included or excluded from Conditional Access policies.
To add Jamf Connect to Conditional Access policies or to create a new policy for Jamf Connect, navigate to Azure Active Directory > Security > Conditional Access.
Important: To ensure users are not locked out of their computers, carefully review policies before applying them to Jamf Connect. The following grant controls may prevent users from authenticating with Jamf Connect:
  • Require device to be marked as compliant

  • Require Hybrid Azure AD joined device

  • Require approved client app

  • Require app protection policy

For more information about Conditional Access policies, see the Building a Conditional Access policy documentation from Microsoft.