Integrating with Okta

Because Jamf Connect authenticates Okta users directly to your domain using Okta's authentication API, you do not need to perform any additional tasks in the Okta admin console to enable authentication and password syncing. OpenID Connect app integrations are only required to do the following:

  • Configuring local role assignment

    You can determine if users are created with standard or administrator local accounts with Jamf Connect by creating different app integrations in Okta for standard users and administrators. You can then assign users to each app in Okta, and Jamf Connect uses the user's app assignment to create the correct local account type.

  • Deploying Jamf UnlockThe Jamf Unlock app only uses the OpenID Connect authentication protocol to authenticate users during the pairing process.

If you want to determine if users are created with standard or local accounts with Jamf Connect, you can create app integrations in Okta for standard users and administrators, and then assign users to the apps as needed. Jamf Connect will then use the app a user is assigned to create the correct local account type.

  1. Log in to the Okta Admin Console.
  2. Click Applications.
  3. Click Create App Integration.
  4. Do the following in the Create a new app integration window:
    1. Select OIDC - OpenID Connect as the sign-in method.
    2. Select Native Application as the application type.
    3. Click Next.
  5. Configure the following app integration settings:
    1. Enter a name for your app, such as Jamf Connect, in the Application name field.
    2. (Optional) Upload an application logo.
    3. Select the Authorization Code and Implicit (hybrid) code grant types.
    4. Depending on whether you are configuring an app for role assignment or Jamf Unlock authentication, enter one of the following in the Sign-in redirect URIs field:
      • Role Assignment (macOS)https://127.0.0.1/jamfconnect
      • Jamf Unlock Authentication (iOS)jamfunlock://callback/auth
    5. Click Save.
Your app integration can now be used for user role creation with Jamf Connect or authentication in the Jamf Unlock app.
If you want to determine if users are created with local administrator or standard accounts with Jamf Connect, repeat this process, and then assign administrators and standard users to their respective Okta app integrations.
Note: Administrators must be assigned to both app integrations.
Make sure you copy the following values to use in your Jamf Connect login window configuration profile:

  • The client ID's of each app integration. These values will be used to configure the corresponding Access Client ID, Admin Client ID, and Secondary Login Client ID settings.

  • The redirect URI. This value will be used to configure the Redirect URI setting.

Modifying Grant Types

You must modify the allowed grant types for each Jamf Connect app integration you create in Okta.

  1. Select your newly created Jamf Connect app.
  2. Do the following in the General pane:
    1. Select Implicit (Hybrid) in Allowed Grant Type.
    2. Select Allow ID Token with implicit grant type and Allow Access Token with implicit grant type.
    3. Click Save.

Repeat this process for app integration for Jamf Connect.

Enabling Multifactor Authentication

If you want to enable multifactor authentication (MFA) for users, you must enable MFA at the organization level rather than the app level. To enable MFA, navigate to Security > Authentication > Sign On in the Okta Admin Dashboard, and then create a new Sign On policy.

Disclaimer:

Jamf Connect may allow users with the same username and password to log in to the incorrect local account. To ensure users can only log in to their account, a multifactor authentication (MFA) method is recommended. Jamf does not accept any responsibility or liability for any damages or security exploitations due to identically provisioned account credentials.

Note:

Enabling MFA at the app level is not recommended and may cause errors in Jamf Connect.