Password Syncing with Jamf Connect

Jamf Connect can sync a user's local and network passwords. When Jamf Connect is configured with your cloud identity provider (IdP)'s minimum authentication settings, Jamf Connect will do the following by default:

  • Continuous Password Verification

    The user's network and local passwords are checked every 15 minutes to verify that they are in sync.

  • Sync Passwords

    Prompt a user to change their local password if it does not match the network password.

  • Manage Network Password Changes

    Facilitate a network password change when a password expires. Jamf Connect completes this change by opening a web view to your cloud IdP's password change URL. If Kerberos is used, the password change is completed directly in the Jamf Connect UI.

  • Password Expiration WarningsJamf Connect can display the number of days before a password expires in the menu bar. It can also notify the end user with a notification when a password is out of sync if notifications are allowed.

Keep the following in mind when using Jamf Connect to sync passwords:

  • Jamf Connect cannot display notifications unless the user allows them in System Preferences > Notifications. Mac administrators can also enable notifications for Jamf Connect with a notifications profile. If you use Jamf Pro, you can enable notifications remotely by navigating to Jamf Pro > Settings > Computer Management > Security and configuring the Automatically install a Jamf Notifications profile settings. 

  • If a network account password is changed without Jamf Connect (e.g., your organization's IdP web page for password changes), the previously used network password will remain the local password until Jamf Connect checks in (by default every 15 minutes) and prompts the user to update their password.

  • Users must know their old passwords in order to sync passwords. If a user updates their password without Jamf Connect and cannot remember their old password (previously used network password), log in as an administrator and see Change or reset the password of a macOS user account from Apple's Support website.

  • Jamf Connect will automatically use a password policy detected from your cloud IdP or Active Directory, if detected. If you configure the Password Policy (PolicyRequirements) setting in Jamf Connect or passcode restrictions with your MDM solution, you should make sure that the configured policy matches your organization's IdP password policy or is less restrictive to avoid password change errors.

    To ensure users are not locked out of their computer due to conflicting password policies, do not enforce the Change at Next Authentication (macOS 10.13 or later) (changeAtNextAuth) setting available in the Passcode payload via an MDM solution. Instead, allow your IdP's password policy to expire user passwords and use Jamf Connect to manage password changes.

To perform password syncing at the login window and during account creation, you must configure additional Jamf Connect settings. For more information about password syncing at the login window, see Initial Local Password Creation.

Password Syncing with Google

To sync passwords between a user's Mac and Google account, Jamf Connect uses Google's Secure LDAP service.

After a user authenticates in the Jamf Connect menu bar app, Jamf Connect uses the entered network username and password to attempt authentication to the LDAP server. If authentication fails, users are prompted to sync passwords.

To establish a secure connection between the computer and your organization's LDAP server domain, an LDAP certificate must be installed in a computer's system keychain. This certificate must be downloaded from an LDAP client in your Google admin console and then converted to .p12 format.

Note: Google authentication via the Jamf Connect menu bar app doesn't require OpenID Connect app integration.

Configuring the Menu Bar App for Google Cloud ID

You can configure the Jamf Connect menu bar app with the Application & Custom Settings payload in Jamf Pro or the Jamf Connect Configuration app.

In the IdPSettings dictionary, set the Identity Provider (Provider) setting to GoogleID, like the following: