User Roles for Local Accounts

Depending on which cloud identity provider (IdP) you use, you can configure Jamf Connect to create either administrator or standard local accounts for users. Local accounts are created in the following ways:

  • Use a user ID token to create local administrators

    You can specify which user roles (or groups) from an ID token should used to create as local administrators. You can use the Admin Attribute (OIDCAdminAttribute) and Admin Roles (OIDCAdmin) settings to configure Jamf Connect to find a specific attribute sent by your (IdP) and then create a local account based on the specified role names.

  • Create all users as local administrators

    You can use the Create Admin Users (CreateAdminUser) setting to create all new local accounts as administrators. This setting should be used when you either do not want to create any standard accounts on computers or when you need a user to temporarily perform administrator tasks after account creation. If any roles are configured in the IdP, they will be temporarily ignored (until the next login) to create the administrator account.

    Important:

    This setting only creates users as local administrators and does not enforce local account status after account creation. If user role attributes are configured in your IdP and included in a user's ID token, these attributes will be used during the subsequent login and may change the local account status. Use the Ignore Roles (OIDCIgnoreAdmin) to configure Jamf Connect to permanently ignore any role information in a user's ID token.

  • (Okta Only) Create multiple role-based app integrations in Okta

    If using Okta, you can create role-based OpenID Connect app integrations for Jamf Connect and then assign users each app integration. Jamf Connect can recognize specific app integrations for administrators, users who can log in with their Okta credentials, and users who can create additional local accounts.