Login Window Preferences

This reference contains all available preferences for the Jamf Connect login window.

Login Window Authentication Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to allow Jamf Connect to complete authentication between your IdP and local accounts at the login window. Required settings vary by IdP.

Key

Description

OIDCProvider

Identity Provider

Specifies your cloud identity provider. The following values are supported:

  • Azure
  • IBMCI
  • GoogleID
  • OneLogin
  • Okta
  • PingFederate
  • Custom

<key>OIDCProvider</key>
<string>Azure</string>

AuthServer

Auth Server

(Okta Only) Your organization's Okta domain URL.

<key>AuthServer</key>
<string>yourcompany.okta.com</string>

OIDCClientID

Client ID

The client ID of the Jamf Connect app in your IdP used to authenticate the user.

<key>OIDCClientID</key>
<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

OIDCRedirectURI

Redirect URI

The redirect URI used by your Jamf Connect app in your IdP.

https://127.0.0.1/jamfconnect is recommended by default, but any URI value may be used as long as the configured value in your IdP matches the value in your Jamf Connect login configuration profile.

<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>

OIDCClientSecret

Client Secret

The client secret used by Jamf Connect Login and your IdP.

<key>OIDCClientSecret</key>
<string>insert-client-secret-here</string>

OIDCTenant

Tenant ID

Specifies the Tenant ID for your organization that's used for authentication.

<key>OIDCTenant</key>
<string>c27d1b33-59b3-4ab2-a5c9-23jf0093</string>

OIDCDiscoveryURL

Discovery URL

Your IdP's OpenID metadata document that stores OpenID configuration information. This value appears in the following format: "https://domain.url.com/.well-known/openid-configuration"

Note:

This key is required if your Identity Provider (OIDCProvider) is set to Custom or PingFederate

<key>OIDCDiscoveryURL</key>
<string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>

LicenseFile

License File

The contents of a Jamf Connect license file encoded in Base64 data format.

<key>LicenseFile</key>
<string>encoded-license-content</string>

Initial Password Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to determine how Jamf Connect creates a local password during account creation and if a user's local and network passwords should be verified during each login to make sure they are in sync.

Key

Description

OIDCNewPassword


Create a Separate Local Password

If set to true, this key prompts users to create a new password for their new local account.

If set to false, this key prompts users to re-enter their network password, which also becomes the local account password. This ensures a user's network and local password are synced during user creation.

Note:

This setting is enabled by default.

<key>OIDCNewPassword</key>
<true/>

OIDCROPGID

Client ID (Password Verification)

The Client ID of the registered app in your IdP used for authenticating the user's password via a resource owner password grant (ROPG) workflow. This value usually matches the OIDCClientID preference key.

<key>OIDCROPGID</key>
<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

CreateJamfConnectPassword

Create Jamf Connect Keychain

Automatically create a keychain item for Jamf Connect during the account creation process. This allows the Jamf Connect menu bar app to populate user credentials in the Sign In window when the app is first opened.

Note:

To use this setting, the Create a Separate Local Password (OIDCNewPassword) setting must be set to false.

<key>CreateJamfConnectPassword</key>
<true/>

ROPGSuccessCodes

Password Verification Success Codes

An array of strings containing error codes that your IdP may return during ROPG password verification and that Jamf Connect should interpret as a successful verification.

Only list codes that the IdP returns after it has accepted the user's password (for example, a conditional access or MFA requirement that the ROPG flow cannot satisfy). A code that the IdP also returns for an incorrect password would let password verification succeed without the password actually being checked.

For possible error codes that may need to be configured in your environment, see the Azure AD Authentication and authorization error codes documentation from Microsoft.

If using OneLogin and multifactor authentication is used in your environment, include the string "MFA" in this array.

<key>ROPGSuccessCodes</key>
<array>
<string>AADSTS50012</string>
<string>AADSTS50131</string>
</array>

Local and Network Authentication Management Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to determine local and network authentication restrictions.

Key

Description

DenyLocal

Require Network Authentication

Determines if users can bypass network authentication and use local account credentials.

When set to true, the Local Login button is not available, and the user must use network authentication to log in.

If set to false, the Local Login button is available, and users can choose to authenticate locally.

<key>DenyLocal</key>
<false/>

DenyLocalExcluded

Users with local authentication privileges

Specifies which users can still authenticate locally if DenyLocal is set to true.

<key>DenyLocalExcluded</key>
<array>
<string>user-one</string>
<string>user-two</string>
<string>user-three</string>
<string>user-four</string>
</array>

LocalFallback

Allow Local Fallback

This key is used with DenyLocal to force authentication to the IdP first, but then fall back to local authentication if a network connection is unavailable.

<key>LocalFallback</key>
<false/>

OIDCDefaultLocal

Use Local Authentication by Default

When set to true, Jamf Connect will use local authentication by default rather than network authentication, which ensures users can always log in without a network connection.

<key>OIDCDefaultLocal</key>
<false/>

Account Migration Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to configure account connections between existing local accounts and network accounts.

Key

Description

Migrate

Connect existing local accounts to a network account

Allow existing local accounts to be connected to a network account.

This setting is typically used when you want a user's existing local account to have the same username and password as the user's network account.

When enabled, users must log in with their IdP, and then Jamf Connect will look for a matching local account.

Note:
  • To use this setting, the Require Network Authentication (DenyLocal) setting must be enabled. For more information, see Network and Local Authentication Restrictions.
  • For every successful network authentication, the user's record will be updated with the "NetworkSignIn" attribute. If a user only uses local authentication, this attribute will not be updated.

<key>Migrate</key>
<false/>

MigrateUsersHide

Local accounts prohibited from network account connection

A list of usernames of local accounts that are excluded from the migration process. These accounts are not offered to the user during the "Connect" step of the login process.

<key>MigrateUsersHide</key>
<array>
<string>admin</string>
<string>ladmin</string>
</array>

DemobilizeUsers

Demobilize Accounts

Determines if any existing Active Directory mobile accounts are demobilized, which is the process of converting a mobile account into a local account. Demobilization also removes the network authentication authority from the account.

Once demobilized, you can unbind computers from Active Directory.

Important:

If you unbind from Active Directory before demobilization, demobilization may fail if a user's Active Directory password and IdP password do not match and Jamf Connect is configured to sync the passwords during account creation. Make sure you demobilize accounts before unbinding from Active Directory and that the Active Directory domain is reachable during account creation with Jamf Connect. For instructions, see the Demobilizing and Unbinding Mobile Accounts with Jamf Connect and Jamf Pro Knowledge Base article.

<key>DemobilizeUsers</key>
<false/>

Login Window Custom Branding Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to customize the Jamf Connect login window for your organization.

Key

Description

BackgroundImage

Background Image

Path to a locally stored image to use as a background for the login window. This image file must be stored in a location that can be read from the login window.

<key>BackgroundImage</key>
<string>/usr/local/shared/background.jpg</string>

LoginLogo

Login Logo

Path to a locally stored image to use as a logo during password validation or local password creation.

Note:
  • A 250 x 250 pixel image is recommended.
  • Do not include a backslash "\" in your file path.
  • The image file and its file path must be assigned a permissions set that can be read from the login window, such as 444.

<key>LoginLogo</key>
<string>/usr/local/images/logo.png</string>

LoginWindowMessage

Login Window Message

A custom message to display in the lower-center of the login window.

<key>LoginWindowMessage</key>
<string>Log in with your company username and password.</string>

Login Window User Help Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to allow users to access resources with a help button, join a Wi-Fi network in the login window, and use the power control buttons.

Key

Description

AllowNetworkSelection

Allow Network Selection

When set to true, this preference key allows users to configure and confirm their network connection preferences from the login window. To access this feature, users can click the Wi-Fi icon in the top-right of the login window.

Note:

To ensure the security of computers, users cannot select an open Wi-Fi network at the login window.

<key>AllowNetworkSelection</key>
<false/>

HelpURL

Help URL

Specify a URL to display at the login window that directs a user to a resource for onboarding or enrollment help.

<key>HelpURL</key>
<string>yourcompany.help.com</string>

HelpURLLogo

Help Icon

A custom image to use as a help icon.

Note:

To enable this feature, the HelpURL key must be used.

<key>HelpURLLogo</key>
<string>/usr/local/shared/helplogo.png</string>

LocalHelpFile

Backup Help File

A path to a local file, such as a network troubleshooting or onboarding guide, that users can access by clicking the help icon in the Jamf Connect login window.

This file is only displayed if the computer cannot connect to the internet or access the URL specified with the HelpURL key.

Note:

Supported file types include PDF and HTML.

<key>LocalHelpFile</key>
<string>/usr/local/shared/JamfConnectHelp.pdf</string>

OIDCHideShutdown

Hide Shut Down Button

Hide the Shut Down button from users at the login window

<key>OIDCHideShutdown</key>
<false/>

OIDCHideRestart

Hide Restart Button

Hide the Restart button from users at the login window

<key>OIDCHideRestart</key>
<false/>

Azure AD Hybrid ID Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to configure authentication and password syncing for Azure AD hybrid identity environments.

Key

Description

ROPGProvider

Identity Provider (Hybrid ID)

Specifies where Jamf Connect should attempt to sync passwords. The following values are supported:

  • Custom
  • Azure_v2
 
<key>ROPGProvider</key>
<string>Azure_v2</string>

ROPGTenant

Tenant ID (Hybrid ID)

The tenant ID in your organization to use for password verification.

<key>ROPGTenant</key>
<string>15e7196d-8bd5-4034-ae01-7bda4ad0c91e</string>

ROPGDiscoveryURL

Discovery URL (Hybrid ID)

Specifies your OpenID Connect discovery endpoint. If using AD FS, this value is your AD FS domain combined with the following: "/adfs/.well-known/openid-configuration"

Note:

This key is required if you set the ROPGProvider key to "Custom".

<key>ROPGDiscoveryURL</key>
<string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>


ROPGRedirectURI

Redirect URI (Hybrid ID)

The redirect URI used by the created application in AD FS or Azure AD.

https://127.0.0.1/jamfconnect is recommended by default, but any valid URI value may be used as long as the configured value in Azure AD or AD FS matches the value in your Jamf Connect Login configuration profile.

<key>ROPGRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>

ROPGClientSecret

Client Secret (Hybrid ID)

The client secret of your Jamf Connect application. Consider the following scenarios when configuring client secrets:

  • If you are using the same client secret for both ROPG and the authorization grant with Azure AD, do not set this key. Jamf Connect Login will use the secret set with the OIDCClientSecret key for both authentication and password verification.
  • If you are not using a client secret for ROPG authentication, set this value to "NONE".
  • If using a different client secret for each authentication process, set both OIDCClientSecret and ROPGClientSecret to their respective values.

<key>ROPGClientSecret</key>
<string>your-client-secret</string>

Universal User Role Settings

  • Domain

    com.jamf.connect.login

  • Description

    User role setting that can be used by any cloud IdP.

Key

Description

CreateAdminUser

Create Admin Users

Create all users as local administrators.

Note:

This key only creates new users as local administrators and does not enforce local account status after account creation. If user roles are configured in your IdP and specified with the Admin Roles (OIDCAdmin) setting, local user accounts may change during the next log in.

<key>CreateAdminUser</key>
<false/>

OpenID Connect User Role Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to configure user roles from ID token attributes received from an OpenID Connect authentication.

Key

Description

OIDCAdminAttribute

Admin Attribute

Specifies which attribute stored in an ID token is used to determine if a standard or administrator local account should be created for a user. By default, Jamf Connect will use the "groups" attribute to find any values specified in the Admin Roles (OIDCAdmin) setting.

Note:
  • If using Azure AD, set this value to roles.
  • If using Google Identity, user roles cannot be defined using an ID token.

<key>OIDCAdminAttribute</key>
<string>groups</string>

OIDCAdmin

Admin Roles

Specifies which user roles (or groups) configured in your IdP become local administrators during account creation. You can specify one role or more roles as an array of strings. Jamf Connect looks for these values in the "groups" attribute of the ID token by default unless the Admin Attribute (OIDCAdminAttribute) setting is configured.

Note:

If using Google Identity, user roles cannot be defined using an ID token.

<key>OIDCAdmin</key>
<array>
<string>role-one</string>
<string>role-two</string>
<string>role-three</string>
<string>role-four</string>
</array> 

OIDCIgnoreAdmin

Ignore Roles

When set to true, Jamf Connect Login will ignore any roles that exist in your IdP. This key ensures local user accounts maintain their current status as either an administrator or standard account.

When set to false or unspecified, Jamf Connect Login will read the OIDCAdmin key for configured roles and will change a local user account status based on any roles in your IdP.

<key>OIDCIgnoreAdmin</key>
<false/>

Okta User Role Settings

  • Domain

    com.jamf.connect.login

  • Description

    (Okta Only) Used to configure user roles for new local accounts.

Key

Description

OIDCAccessClientID

Access Client ID

OIDC application to use for users that are allowed to create an account or log in to computers.

Note:

All users, including administrators, must be added to this app in your Okta admin console to ensure access to Jamf Connect.

<key>OIDCAccessClientID</key>
<string>0oad0gmia54gn3y8923h1</string>


OIDCAdminClientID

Admin Client ID

OIDC application to use for users who are created as local administrators during account creation.

Note:

Only administrators should be added to this app in your Okta admin console.

<key>OIDCAdminClientID</key>
<string>0oa0gwese54gn3y9O0h4</string>


OIDCSecondaryLoginClientID

Secondary Login Client ID

OIDC application to use for users that are allowed to create additional users on computers after the first account is created.

<key>OIDCSecondaryLoginClientID</key>
<string>0oa0grdsrhdsre54gn3y9O0h4</string>

OIDCRedirectURI

Redirect URI

The redirect URI used by your Jamf Connect app in Okta.

https://127.0.0.1/jamfconnect is recommended by default, but any URI value may be used as long as the configured value in Okta matches the value in your Jamf Connect login configuration profile.

<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>

Okta Multifactor Authentication Settings

  • Domain

    com.jamf.connect.login

  • Description

    (Okta Only) Used to customize MFA options and text.

Key

Description

MessageOTPEntry

One-time Password Message

(Okta only) Text displayed when a user must enter a one time password (OTP) as a multi-factor authentication (MFA) method.

<key>MessageOTPEntry</key>
<string>Enter your verification code.</string>

MFARename

MFA Option Names

(Okta only) Custom names for each MFA option used with Okta authentication in your organization. For more information about the types of MFA options you can configure with Jamf Connect and Okta, see Multifactor Authentication.

<key>MFARename</key>
<dict>
<key>push</key>
<string>Okta Verify app: Push Notification</string>
<key>question</key>
<string>Okta Security Questions</string>
<key>web</key>
<string>Duo Mobile app</string>
<key>sms</key>
<string>Okta SMS: Verification Code</string>
<key>google:token:software:totp</key>
<string>Google Authenticator app: Verification Code</string>
<key>okta:token:software:totp</key>
<string>Okta Verify app: Verification Code</string>
<key>token:hardware</key>
<string>USB Security Key</string>
</dict>

MFAExcluded

Hidden MFA Options

(Okta only) A list of MFA options that you do not want to display to users.

<key>MFAExcluded</key>
<array>
<string>push</string>
<string>question</string>
<string>okta:token:software:totp</string>
<string>google:token:software:totp</string>
<string>token:hardware</string>
<string>webauthn</string>
<string>web</string>
</array>

Advanced Login Authentication Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to configure advanced authentication settings and use custom claims in an ID token.

Key

Description

OIDCAuthServer

Custom Okta Authorization Server

(Okta Only) Specifies a custom authorization server in your Okta tenant, which can be used to send custom scopes and claims in a user's ID token (stored via the OIDCIDTokenPath key) during local account creation.

To set this value, use the custom authorization server ID, which is the string at the end of your custom authorization server's issuer URI. In the example issuer URI below, abc8o8wzjhckw9TLa0t8q is the authorization server ID.

Example: https://your-custom-auth-server.okta.com/oauth2/abc8o8wzjhckw9TLa0t8q

To use this setting, you must create an Okta app integration to define user roles for the Access Client ID (OIDCAccessClientID) setting.

Note:

This setting should only be used if your Okta tenant has a separate authorization server that manages OpenID Connect apps and ID token attributes. If this setting is configured with the same value as your primary tenant used with the Auth Server (AuthServer) setting, authentication with Okta may cause unexpected errors.

<key>OIDCAuthServer</key>
<string>abc8o8wzjhckw9TLa0t8q</string>

For more information about creating a custom authorization server, see the Okta Authorization Server documentation from the Okta Developer website.

OIDCIgnoreCookies

Ignore Cookies

Ignores any cookies stored by the loginwindow application

<key>OIDCIgnoreCookies</key>
<false/>

OIDCScopes

OpenID Connect Scopes

Specifies custom scopes, which return additional claims in a user's ID token during authorization. Standard scopes include openid, profile, and offline_access. If you include multiple scopes, add a "+" to separate them.

<key>OIDCScopes</key>
<string>openid+profile</string>

OIDCShortName

Short Name

Specifies which claim from a user's ID token to use as the account short name. The short name is added as an alias to the user's local account.

Note:

If the claim you want to use is not in the standard ID token, you can receive additional claims in an ID token by specifying additional claims with the OIDCScopes preference key.

<key>OIDCShortName</key>
<string>given_name</string>

OIDCROPGShortName

ROPG Short Name

Specifies which claim from an ID token to use as the username during the ROPG authentication (password verification) flow.

Note:

If the claim you want to use is not in the standard ID token, you can receive additional claims in an ID token by specifying additional claims with the OIDCScopes preference key.

This setting is only used in complex IdP environments where the IdP does not respect the claims used by Jamf Connect to define the username (e.g., unique_name, preferred_username, email, and sub) during the ROPG workflow.

<key>OIDCROPGShortName</key>
<string>given_name</string> 

OIDCIDTokenPath

Formatted ID Token Path

Specifies the file path that can be used to store a user's formatted ID token.

Note:

This key requires the RunScript mechanism to be enabled. For more information, see Adding a Login Script.

<key>OIDCIDTokenPath</key>
<string>/tmp/token</string>

OIDCIDTokenPathRaw

Raw ID Token Path

Specifies the file path that can be used to store a user's raw ID token.

Note:

This key requires the RunScript mechanism to be enabled. For more information, see Adding a Login Script.

<key>OIDCIDTokenPathRaw</key>
<string>/tmp/token-raw</string>

UseUserInfo

(PingFederate only) When set to true, allows Jamf Connect to request additional claims from a PingFederate user token. This setting should only be used if you are issuing an internally managed reference token from PingFederate.

For more information about managing PingFederate, see the OAuth Configuration section of the PingFederate Administrator's Manual.

<key>UseUserInfo</key>
<false/>

FileVault Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to configure how FileVault is enabled with Jamf Connect.

Key

Description

EnableFDE

Enable FileVault

If set to true, FileVault will be enabled for the first user that logs in to a computer.

<key>EnableFDE</key>
<false/>

EnableFDERecoveryKey

Save FileVault Recovery Key

If set to true, Jamf Connect will store the personal recovery key (PRK) in /var/db/NoMADFDE unless otherwise specified.

<key>EnableFDERecoveryKey</key>
<false/>

EnableFDERecoveryKeyPath

Set Recovery Key Filepath

Specifies a custom file path for the PRK rather than using /var/db/NoMADFDE by default.

<key>EnableFDERecoveryKeyPath</key>
<string>/usr/local/filevault</string>

LAPSUser

LAPS User

An existing local administrator account whose password Jamf Connect can change to the personal recovery key.

This setting is only used by Jamf Connect to help enable FileVault for standard accounts on macOS 10.15.x. This setting should not be used on computers with macOS 11.0.1 or later.

<key>LAPSUser</key>
<string>AdminUser</string>

Acceptable Use Policy Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to configure an acceptable use policy to users at the Jamf Connect login window

Key

Description

EULAFilePath

Acceptable Use Policy Document

Specifies the path to a file that contains an acceptable use policy document that users must agree to before logging in. The following file formats are supported:

  • PDF
  • TXT
  • RTF
  • RTFD

<key>EULAFilePath</key>
<string>/usr/local/shared/AcceptableUseExample.pdf</string>

EULAPath

Audit File Path

Specifies the file path to a directory where the user's acceptance record of the acceptable use policy is stored.

This file path must have permissions that allow the _SecurityAgent write access. /Users/Shared/ is recommended.

<key>EULAPath</key>
<string>/Users/Shared/</string>

EULAText

Acceptable Use Policy Text

Body text of the acceptable use policy.

Note:

To format the body text, you can enter *** in this string value to start a new line.

<key>EULAText</key>
<string>Example body text.***New line of example body text.</string>

EULATitle

Acceptable Use Policy Title

Title of the acceptable use policy

<key>EULATitle</key>
<string>Terms & Conditions</string>

EULASubTitle

Acceptable Use Policy Subtitle

Subtitle of the acceptable use policy

<key>EULASubTitle</key>
<string>Accept these terms and conditions to start using your Mac.</string>

Login Script Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to execute scripts during the login process.

    Note:

    The RunScript mechanism must be enabled before configuring script preferences.

Key

Description

ScriptArgs

Script Arguments

The arguments used with a specified script run by the RunScript mechanism

Note:

The ScriptPath key must be specified.

<key>ScriptArgs</key>
<array>
<string>-v</string>
<string>-user</string>
</array>

ScriptPath

Script Path

Specifies the path to a script or other executable run by the RunScript mechanism. Only one script can be used with Jamf Connect Login at any time.

<key>ScriptPath</key>
<string>/usr/local/bin/loginScript</string>
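As an added example (not code from this page or from Jamf), the following is a script of the kind ScriptPath points at: it reads the raw ID token that OIDCIDTokenPathRaw writes and extracts individual claims from it. It assumes the raw token is a standard three-part JWT and that the file sits at the page's example path /tmp/token-raw (overridable via TOKEN_FILE); the sample token it falls back to is constructed inside the script, unsigned, so the script runs stand-alone. Because the file carries identity claims and /tmp is writable by every local user, a practitioner would point OIDCIDTokenPathRaw at a directory only root can read and write, and remove the file once the script has finished with it.

```sh
#!/bin/sh
# Added example of a RunScript (ScriptPath) script that consumes the raw ID
# token written to OIDCIDTokenPathRaw. Example code, not Jamf Connect's own.
# Assumptions (not stated on the page): the token is a header.payload.signature
# JWT, and the path comes from TOKEN_FILE, defaulting to the page's example.

TOKEN_FILE="${TOKEN_FILE:-/tmp/token-raw}"

# base64url -> standard base64 (restore padding), then decode.
# openssl is present on both macOS and Linux, so no base64(1) flag differences.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | openssl base64 -d -A
}

# Inverse of the above; only used to build the constructed sample token below.
b64url_encode() {
    printf '%s' "$1" | openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Print the decoded JSON payload (the second dot-separated segment) of a JWT.
jwt_payload() {
    payload=$(printf '%s' "$1" | cut -d. -f2)
    b64url_decode "$payload"
}

# Extract one flat string-valued claim from the payload. This sed extractor is
# deliberately minimal; a production script would use a real JSON parser
# (plutil or python3 on macOS) rather than regular expressions.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample token (not a real IdP token): unsigned header, a few
# claims of the kind an IdP puts in an ID token, and a dummy signature segment.
SAMPLE_HEADER='{"alg":"none","typ":"JWT"}'
SAMPLE_PAYLOAD='{"sub":"1234567890","preferred_username":"jdoe","email":"jdoe@example.com"}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").sig"

# When Jamf Connect runs the script the token file exists; when it does not
# (running the script by hand), fall back to the sample so the flow is visible.
if [ -r "$TOKEN_FILE" ]; then
    token=$(cat "$TOKEN_FILE")
else
    token="$SAMPLE_TOKEN"
fi
echo "ID token claims: sub=$(jwt_claim "$token" sub) email=$(jwt_claim "$token" email)"
```

The claim names used (sub, preferred_username, email) are the ones this page lists as the claims Jamf Connect itself reads to derive the username, so they are the ones most likely to be present; anything beyond the standard set has to be requested with OIDCScopes first.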

NotifyLogStyle

Display Jamf Pro policy logs as status updates on the Notify screen

When the Jamf Connect notify screen is configured, display Jamf Pro's policy logs during Automated Device Enrollment (formerly DEP) as status updates to users.

To enable this setting, set this value to jamf.

<key>NotifyLogStyle</key>
<string>jamf</string>

UIDTool

Use a Custom UID Tool

Specifies a path to a UID tool that allows you to set a local user account's UID to a custom value during account creation. This can be used to match a local user account's UID with a user's LDAP UID attribute. Your UID tool must be an executable script.

Your UID tool must accept account short names and respond with the UID you want for the user account.

<key>UIDTool</key>
<string>/Users/Shared/UIDTool</string>
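As an added example (not code from this page or from Jamf), the following is a UID tool of the shape described above. The page only states that the tool must accept an account short name and respond with the UID; the example assumes the short name arrives as the first argument and that the UID is read from standard output. The short-name-to-UID table is constructed for the example and stands in for the LDAP lookup a real deployment would perform.

```sh
#!/bin/sh
# Added example of a UIDTool script for Jamf Connect. Example code, not Jamf's.
# Assumptions (not stated on the page): the short name is passed as $1 and the
# UID is returned on stdout. The table below is constructed and stands in for an
# LDAP query against the user's uidNumber attribute.

# Constructed "shortname:uid" table. The svc entry is deliberately below MIN_UID
# to show the tool refusing it.
UID_TABLE="jdoe:1201
asmith:1202
bwong:1203
svc:450"

# Never hand back a system-range UID: macOS reserves UIDs below 500 for
# system accounts, and a UID of 0 would make the new account root.
MIN_UID=501

# Print the UID for a short name. Print nothing and exit non-zero when the name
# is unknown, the value is not a plain integer, or it is below MIN_UID, so that a
# bad lookup never turns into a bogus UID on the created account.
uid_for_user() {
    name=$1
    uid=$(printf '%s\n' "$UID_TABLE" | awk -F: -v n="$name" '$1 == n { print $2; exit }')
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$uid" -ge "$MIN_UID" ] || return 1
    # A real tool would also confirm the UID is not already used by another
    # local account (dscl . -search /Users UniqueID "$uid") before returning it.
    printf '%s\n' "$uid"
}

# Entry point used when Jamf Connect executes the tool with the short name.
if [ -n "${1:-}" ]; then
    uid_for_user "$1" || exit 1
fi
```

The script refuses to answer rather than guessing when the name is unknown; whether Jamf Connect then falls back to its default UID assignment is not stated on this page and should be checked in the product documentation before relying on it.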

Pluggable Authentication Module (PAM) Settings

  • Domain

    com.jamf.connect.login

  • Description

    Used to enable PAM authentication on computers.

Key

Description

AuthUIOIDCProvider

Identity Provider (PAM)

Specifies the identity provider to use for authentication via the Pluggable Authentication Module (PAM)

<key>AuthUIOIDCProvider</key>
<string>insert-identity-provider</string>

AuthUIOIDCClientID

Client ID (PAM)

The client ID of the created Jamf Connect app in your identity provider used for authentication via PAM

<key>AuthUIOIDCClientID</key>
<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

AuthUIOIDCRedirectURI

Redirect URI (PAM)

The redirect URI used by the created Jamf Connect app in your identity provider

<key>AuthUIOIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>

AuthUIOIDCTenant

Tenant ID (PAM)

The tenant in your identity provider used for authentication via PAM

Note:

If Okta is your IdP, this key is required.

<key>AuthUIOIDCTenant</key>
<string>dev-123456</string>

AuthUIOIDCClientSecret

Client Secret (PAM)

The client secret of your Jamf Connect app in your IdP. This value is only known by Jamf Connect and your IdP.

<key>AuthUIOIDCClientSecret</key>
<string>insert-client-secret-here</string>