User Roles and Groups

You can assign Jamf Protect users specific permissions based on user roles and groups. User roles can be configured locally in the Jamf Protect web app or by mapping groups from your cloud identity provider (IdP).

Users can receive roles from one or more of the following methods:
  • User-based assignment: Roles can be directly assigned to a user by editing the user's settings.
  • Group-based assignment: Groups allow you to configure roles for a group that can include one or more users directly in Jamf Protect.
  • Identity Provider Mappings: Identity Provider Mappings allow you to use a group membership in Microsoft Azure AD to automatically assign roles to users in Jamf Protect.
    Note:

    Azure AD is currently the only supported IdP for role assignment via Identity Provider Mappings. If your organization uses a different IdP, use group and user-based assignment to manage roles.

The following shows how users can receive roles based on the available methods:

Role Permissions

By default, there are currently two pre-configured roles available in Jamf Protect. You can also create a custom role with manually assigned permissions.

Full Admin
Can read and write all data and settings in Jamf Protect.
Note:
  • API Clients in Jamf Protect are currently assigned the Full Admin role and permissions by default. If you need to create an API client with custom permissions, contact Jamf Support.

  • New users are added to the Default group in Jamf Protect during their first sign-in, which is assigned the Full Admin role by default. Before you change the role of this group and to prevent lockout and sign-in errors, make sure you are assigned the Full Admin role via another method, such as user-based assignment or group-based assignment from another group.

Read Only
Can read all data and settings in Jamf Protect but cannot create or edit settings.
Custom
Can read or write a custom combination of settings configured within the role. Creating a custom role allows you to manually assign privileges to users.

Creating a Custom Role

  1. In Jamf Protect, click Administrative > Account.
  2. Click the Roles tab.
  3. Click Create Role.
  4. Name your role.
  5. Configure permissions for your role.

    To help you configure roles, you can use the in-app help documentation to learn more about each permission.

  6. Click Save.

Creating a Group

You can assign roles to a group in Jamf Protect and then assign users to your group.

  1. In Jamf Protect, click Administrative > Account.
  2. Click the Groups tab.
  3. Click Create Group.
  4. Name your group.
  5. Choose the roles you want to assign to members of the group from the Roles pop-up menu.
  6. Click Save.
Your group is now available for use with Jamf Protect. To assign the group to users, go to the Users tab.

Adding an Identity Provider Mapping

Identity provider (IdP) mappings allow you to automatically assign roles to users based on group membership configured in Microsoft Azure AD. When a user signs in to Jamf Protect, Jamf Protect uses an ID token from Azure AD to look for any groups that are mapped to a role in Jamf Protect.

Important:

New users are added to the Default group in Jamf Protect during their first sign-in, which is assigned the Full Admin role by default. Before you configure roles, you may need to change the role of the Default group to Read Only or a custom role to ensure all users do not unexpectedly receive Full Admin permissions on sign-in.

Requirements
  • An integration between your Jamf Protect tenant and Azure AD. If you have already set up your Jamf Protect tenant to use single sign-on (SSO) for access with Microsoft Azure, no additional steps are required.

    For instructions, see Integrating with Microsoft Azure AD.

  • Group names in your IdP that match the regex [Jj]amf.?[Pp]rotect (e.g., Jamf Protect, jamf protect, jamfprotect)

  1. In Jamf Protect, click Administrative > Account.
  2. Click Identity Provider Mappings.
  3. Click Add Mapping.
  4. Enter a group name from your organization's identity provider in the Identity Provider Group Name field.
  5. Choose one or more roles to assign users from the Roles pop-up menu.
  6. Select the Use as Access Group checkbox to make membership in this group required for access to your Jamf Protect web app.
    Warning:

    When you create an access group, any users who are not a member of this group or another access group will no longer be able to access your Jamf Protect web app. Make sure you and all other Jamf Protect users are a member of an access group in Azure AD before saving this group.

  7. Click Save.

Users who are members of the group in Azure AD can now sign in to Jamf Protect and are assigned the roles associated with the IdP mapping in Jamf Protect.

If an IdP mapping does not assign the expected groups and roles to users, you may need to inspect the user's ID token from Azure AD to ensure it includes the correct group claims, which must match the group name configured in the mapping in your Jamf Protect tenant.

To learn more about ID tokens and to decode an ID token from Azure AD, go to the following JSON Web Token (JWT) debugger website from Auth0: https://jwt.io
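As an added example (not Jamf's code or the Jamf Protect implementation), the script below reproduces the troubleshooting steps above offline: it decodes the claims segment of an ID token locally, so a live token never has to be pasted into a third-party site, lists the groups whose names match the regex from the Requirements, and applies hypothetical IdP mappings, including the Use as Access Group lockout case from the Warning. It assumes Azure AD has been configured to emit group names (not object IDs) in the groups claim; the token, group names and mappings are all constructed for illustration.

```python
import base64
import json
import re
# Group-name pattern Jamf Protect looks for in the token (regex from this page).
JAMF_PROTECT_GROUP = re.compile(r"[Jj]amf.?[Pp]rotect")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned ID token for offline testing only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Decode the claims segment without checking the signature (what jwt.io does).
    Use only to inspect a token, never to make an authorization decision."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))

def candidate_groups(claims: dict) -> list:
    """Groups in the token whose names Jamf Protect would consider for a mapping.
    Assumes Azure AD was configured to emit group names rather than object IDs."""
    return [g for g in claims.get("groups", []) if JAMF_PROTECT_GROUP.search(g)]

def resolve_roles(claims: dict, mappings: dict) -> tuple:
    """Apply mappings of {idp group name: {"roles": [...], "access_group": bool}}.
    Returns (sorted roles, allowed); allowed is False when access groups exist and
    the user is in none of them, the lockout case the Warning above describes."""
    groups = set(claims.get("groups", []))
    roles = {r for g in groups & set(mappings) for r in mappings[g]["roles"]}
    access_groups = {g for g, m in mappings.items() if m["access_group"]}
    return sorted(roles), (not access_groups or bool(access_groups & groups))

# Constructed sample: a hypothetical tenant's mappings and one user's token.
MAPPINGS = {
    "Jamf Protect Admins": {"roles": ["Full Admin"], "access_group": True},
    "jamfprotect-readonly": {"roles": ["Read Only"], "access_group": False},
}
SAMPLE_TOKEN = make_unsigned_token(
    {"sub": "user1", "groups": ["Jamf Protect Admins", "jamfprotect-readonly", "Finance"]}
)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(candidate_groups(claims), resolve_roles(claims, MAPPINGS))
```

A group that is present in the token but absent from candidate_groups is the first thing to check when a mapping silently does nothing: its name does not satisfy the regex above.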