Multifactor Authentication

Jamf Connect can enforce multifactor authentication (MFA) using your cloud identity provider (IdP). Depending on your IdP and the type of authentication used, Jamf Connect will handle MFA in one of the following ways:

  • OpenID Connect

    Jamf Connect will indirectly display any MFA challenges within a web view. The entire MFA experience is configured within your IdP's settings.

  • Okta Authentication API

    Jamf Connect presents Okta MFA challenges within the Jamf Connect UI. Some additional messaging can be customized via Jamf Connect settings to help users complete an MFA challenge.

Keep the following in mind when enabling MFA with Jamf Connect:

  • Whether MFA should be enabled at the organization, app, or user level varies by IdP and environment.

  • If configuring MFA with a third-party mobile device app, make sure the app is distributed to users before or alongside Jamf Connect.

  • To ensure MFA is enforced at the login window, enable the Require Network Authentication (DenyLocal) setting in your login window configuration profile. It is also recommended to enable the Allow Local Fallback (LocalFallback) setting and configure Users with local authentication privileges (DenyLocalExcluded) so that users can still log in without a network connection.
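
One way to check a login window settings payload against the guidance above before deployment. This is an added example, not code from Jamf; the function name, severity labels, the account name "localadmin" and both sample payloads are constructed for illustration. Only the three key names come from this page.

```python
import plistlib

# Constructed sample payloads (not from Jamf documentation): the settings
# dictionary of a login window configuration profile, as plist XML.
HEADER = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
WEAK = HEADER + b"""
  <key>DenyLocal</key><false/>
</dict></plist>"""
HARDENED = HEADER + b"""
  <key>DenyLocal</key><true/>
  <key>LocalFallback</key><true/>
  <key>DenyLocalExcluded</key>
  <array><string>localadmin</string></array>
</dict></plist>"""


def audit_login_settings(plist_bytes):
    """Return (severity, message) findings for the MFA-related keys."""
    settings = plistlib.loads(plist_bytes)
    findings = []
    # "is not True" also catches a value typed as the string "true",
    # which is not a plist Boolean.
    if settings.get("DenyLocal") is not True:
        findings.append(("FAIL", "DenyLocal is not Boolean true: network "
                         "authentication is not required at the login window"))
    if settings.get("LocalFallback") is not True:
        findings.append(("WARN", "LocalFallback is not Boolean true: no "
                         "local fallback when the network is unavailable"))
    excluded = settings.get("DenyLocalExcluded")
    if not (isinstance(excluded, list) and excluded):
        findings.append(("WARN", "DenyLocalExcluded is missing or empty: no "
                         "users have local authentication privileges"))
    return findings


if __name__ == "__main__":
    for name, payload in (("weak", WEAK), ("hardened", HARDENED)):
        results = audit_login_settings(payload)
        print(name, "->", results if results else "no findings")
```

A FAIL means the setting this page requires for MFA enforcement is absent; a WARN marks one of the recommended offline-login settings as unset.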

Multifactor Authentication by Identity Provider

The following table includes links to MFA documentation and general guidance for each IdP supported by Jamf Connect.

Identity Provider

MFA Documentation

Azure AD

You may need to configure the Password Verification Success Codes setting for both the Jamf Connect login window and menu bar to ensure password verification and syncing is successful.

For more information, see Authentication Settings.

For more information about MFA with Azure AD, see the How it works: Azure AD Multi-Factor Authentication documentation from Microsoft.

IBM Security Verify

See the Enabling MFA for your account documentation from IBM.

Google Cloud

See the Protect your business with 2-Step Verification documentation from Google's support website.

Okta

Supported MFA options include the following:
  • Okta Verify one-time password (OTP)
  • Okta Verify push notification
  • Okta Verify security question
  • Duo Mobile
  • Google Authenticator
  • YubiKey Hardware Token (U2F and WebAuthn are not supported.)
  • RSA security keys
  • SMS
Important:

When a user is required to complete the Okta Verify number challenge, the Okta Authentication API does not send an error response or message when the incorrect number is selected. Make sure to instruct users to manually click Cancel and retry Okta authentication when an incorrect number is selected.

For more information about MFA with Okta, see the following Okta documentation:

OneLogin

You may need to configure the Password Verification Success Codes setting for both the Jamf login window and menu bar to ensure password verification and syncing is successful.

For more information, see Authentication Settings.

For more information about MFA with OneLogin, see the Add Multi-Factor Authentication Knowledge Base article from OneLogin.

PingFederate

See the Defining authentication policies documentation from Ping.