Integrating with Okta

Because Jamf Connect authenticates Okta users directly to your domain using Okta's authentication API, you do not need to perform any additional tasks in the Okta admin console to enable authentication and password syncing. OpenID Connect app integrations are only required to do the following:

  • Configuring role assignment

    Jamf Connect uses the app integration a user is assigned to in order to decide whether to create a standard or a local administrator account, so you can create one app integration for standard users and one for administrators and assign users as needed.

  • Deploying Jamf Unlock

    The Jamf Unlock app only uses the OpenID Connect authentication protocol to authenticate users during the pairing process.

If you want to determine if users are created with standard or local accounts with Jamf Connect, you can create app integrations in Okta for standard users and administrators, and then assign users to the apps as needed. Jamf Connect will then use the app a user is assigned to create the correct local account type.

  1. Log in to the Okta Admin Console.
    Note:

    Make sure your Okta console is displayed in the Classic UI version.

  2. Click Applications.
  3. Click Add Application, and then click Create New App.
  4. Do the following in the Create a New Application Integration window:
    1. Select Native App from the Platform pop-up menu.
    2. Select OpenID Connect.
    3. Click Create.
  5. (Optional) Do the following on the Create OpenID Connect Integration page:
    1. Enter a name for your app, such as Jamf Connect, in the Application name field.
    2. Upload an application logo.
    3. Depending on whether you are configuring an app for role assignment or for Jamf Unlock, enter one of the following redirect URIs in the Login redirect URIs field:
      • Role Assignment (macOS): https://127.0.0.1/jamfconnect
      • Jamf Unlock Authentication (iOS): jamfunlock://callback/auth
    4. Click Save.
Your app integration can now be used for user role creation with Jamf Connect or for authentication in the Jamf Unlock app.

If you want to determine if users are created with local administrator or standard accounts with Jamf Connect, repeat this process, and then assign administrators and standard users to their respective app integrations.

Note: Administrators must be assigned to both app integrations.

Make sure you copy the following values to use in your Jamf Connect login window configuration profile:

  • The client IDs of each app integration. These values will be used to configure the corresponding Access Client ID, Admin Client ID, and Secondary Login Client ID settings.

  • The redirect URI. This value will be used to configure the Redirect URI setting.

Modifying Grant Types

You must modify the allowed grant types for each Jamf Connect app integration you create in Okta.

  1. Select your newly created Jamf Connect app.
  2. Do the following in the General pane:
    1. Select Implicit (Hybrid) in Allowed Grant Type.
    2. Select Allow ID Token with implicit grant type and Allow Access Token with implicit grant type.
    3. Click Save.

Repeat this process for each app integration you created for Jamf Connect.
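An offline check of the two settings configured above (the login redirect URI and the allowed grant types), as an added example that is not part of Jamf's documentation: the app objects are constructed samples shaped like the OIDC client settings (`settings.oauthClient`) that Okta's Apps API returns, which is an assumption here, and `audit()` can be pointed at exported JSON of the same shape.

```python
"""Audit Okta OpenID Connect app integrations against the Jamf Connect
settings described above (Native App, expected redirect URI, Implicit
(Hybrid) grant with ID token and access token). The object layout
(settings.oauthClient) is assumed to match Okta's Apps API."""
import json

# Redirect URIs the procedure specifies for each integration type.
EXPECTED_REDIRECTS = {
    "https://127.0.0.1/jamfconnect",   # role assignment (macOS)
    "jamfunlock://callback/auth",      # Jamf Unlock authentication (iOS)
}

def check_app(app):
    """Return a list of findings for one app object (empty list = OK)."""
    findings = []
    oc = app.get("settings", {}).get("oauthClient", {})
    if oc.get("application_type") != "native":
        findings.append("platform is not Native App")
    uris = set(oc.get("redirect_uris", []))
    if not uris:
        findings.append("no login redirect URI configured")
    for uri in sorted(uris - EXPECTED_REDIRECTS):
        findings.append(f"unexpected redirect URI: {uri}")
    if "implicit" not in oc.get("grant_types", []):
        findings.append("Implicit (Hybrid) grant type not allowed")
    missing = {"id_token", "token"} - set(oc.get("response_types", []))
    for rt in sorted(missing):
        findings.append(f"'{rt}' not allowed with implicit grant")
    return findings

def audit(apps_json):
    """Map app label -> findings for every app whose label mentions Jamf."""
    return {a["label"]: check_app(a) for a in json.loads(apps_json)
            if "jamf" in a.get("label", "").lower()}

# Constructed sample: one correctly configured app and one with defects.
SAMPLE = json.dumps([
    {"label": "Jamf Connect - Standard", "settings": {"oauthClient": {
        "application_type": "native",
        "redirect_uris": ["https://127.0.0.1/jamfconnect"],
        "grant_types": ["implicit", "authorization_code"],
        "response_types": ["token", "id_token", "code"]}}},
    {"label": "Jamf Connect - Admin", "settings": {"oauthClient": {
        "application_type": "web",
        "redirect_uris": ["https://127.0.0.1/jamfconnect",
                          "https://example.test/cb"],
        "grant_types": ["authorization_code"],
        "response_types": ["code"]}}},
])

if __name__ == "__main__":
    for label, findings in audit(SAMPLE).items():
        print(label, "OK" if not findings else findings)
```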

Enabling Multifactor Authentication

If you want to enable multifactor authentication (MFA) for users, you must enable MFA at the organization level rather than the app level. To enable MFA, navigate to Security > Authentication > Sign On in the Okta Admin Dashboard, and then create a new Sign On policy.

Disclaimer

Jamf Connect may allow users with the same username and password to log in to the incorrect local account. To ensure users can only log in to their account, a multifactor authentication (MFA) method is recommended. Jamf does not accept any responsibility or liability for any damages or security exploitations due to identically provisioned account credentials.

Note:

Enabling MFA at the app level is not recommended and may cause errors in Jamf Connect.