Configuring Identity-Based Provisioning

Rather than requiring a user to enroll their device with an activation token, you can use identity-based provisioning to allow them to download the Jamf Trust app and then log in using their corporate credentials via an identity provider, such as Microsoft Azure or Okta.

Once the user logs in, the app is activated on their device, and the device is enrolled in Jamf.

Note:

This process is for unmanaged and managed devices. However, Jamf recommends that you use other methods to enroll managed devices.

Requirements
  1. When creating an Activation Profile, select Authenticated by Identity Provider, then choose your Identity Provider.
  2. Select the identity provider Connection that users of this Activation Profile will need to authenticate with.

After identity-based provisioning is configured, when a user downloads the Jamf Trust app and logs in with their corporate credentials, the correct Activation Profile is identified and used to enroll the device.

Default Device Provisioning via Identity Provider

When a user signs in to the Jamf Trust app, the most suitable Activation Profile is identified, based on:

  • A user's Azure tenant, group membership, and supported platforms in the case of Azure.

  • A user's Okta Organization URL, group membership, and supported platforms in the case of Okta.

When there is an existing Activation Profile using an identity provider, this function will be turned on automatically. However, if there is another existing Activation Profile being used as the default for the same Azure tenant, it will not be changed automatically.
Important:

Jamf Security uniquely identifies the appropriate Activation Profile in which to enroll devices. No two Activation Profiles can be identified as the default ones for the same Azure tenant and two different customers. You can have two different Activation Profiles, using the same Identity Provider group membership, which you can use for different device platforms.

Configuring Identity-Based Provisioning Priority

Activation Profiles with linked identity providers are listed in Devices > Deployment > Activation Profiles > Identity-Based Provisioning in RADAR.

The Identity-Based Provisioning tab provides an overview of all identity provider connections in your portals and all their associated Activation Profiles, specifically:

  • It displays all linked Azure tenants or Okta Orgs as configured in Identity Providers configuration and Activation Profiles that use them to authenticate users.

  • The third column contains Azure group IDs to fine-tune user enrollment when more than one Activation Profile uses the same Azure tenant.

  • The Use switch in the first column specifies whether an Activation Profile should be used for the "Sign in with ..." enrollment method.
    Note:

    You can still use Activation Profiles not enabled for this function for enrollment when you set up a managed app configuration in your UEM solution. For more information on deploying for specific platforms, see Deployment.

Enabling Identity-Based Provisioning

If you have selected "Microsoft Azure" or "Okta" as your identity provider, toggle the Use switch on to activate single sign-on for an Activation Profile.

Fine-Tuning the Configuration via Identity Provider Groups

Selecting one Activation Profile as a default for "Sign in with ..." is sufficient for smaller configurations.

There are more complex scenarios, such as:

  • Several Activation Profiles sharing the same Azure tenant or Okta Org

  • Multiple RADAR portals sharing the same Azure tenant or Okta Org

In such cases, the choice of the most suitable Activation Profile can be fine-tuned based on the identity provider groups that the signing-in user is a member of, or on the device's supported platforms. This information is made available by the identity provider when the user signs in.

You can also specify identity provider user groups for each Activation Profile, which are taken into account during the sign-in process. If an Activation Profile has an assigned group that the signing-in user is a member of, and the user's device runs a platform that the Activation Profile supports, then that profile is selected.
Note:

For Azure you must specify Azure group IDs in RADAR. For Okta, group names are supported.

Example:

Assume three Activation Profiles, all configured to allow activation when a user logs in with their Azure credentials, are displayed in the following order in the list of profiles:

  • An Activation Profile not supported for the user's device platform: This profile does not support the platform of the user's device.

  • Proxy with Private Access: This profile is bound to users with a specific Azure group ID. This is a 36-character string beginning with a28d.

  • Private Access production: This profile is not locked to any specific Azure group.

The following happens here:

  • The supported platforms take precedence, so the first Activation Profile is not taken into account.

  • Group membership takes precedence over a profile that is not locked to any group.

  • The order of Activation Profiles is taken into account; that is, the first profile with the signing-in user's group will be used for enrollment.
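To make the selection rules in the two sections above concrete, here is an added Python model of them. It is not Jamf's code and RADAR's actual matching implementation is not shown on this page; the data classes, the placeholder tenant and group IDs, the interpretation that a group-bound match beats a group-less default regardless of list order, and the conflict rule (two enabled, group-less profiles for the same tenant with overlapping platforms) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Added model of the Activation Profile selection described on this page.
# Assumption: RADAR's real matching logic may differ in detail.


@dataclass(frozen=True)
class ActivationProfile:
    name: str
    idp: str                    # "azure" or "okta"
    tenant: str                 # Azure tenant ID or Okta Organization URL
    platforms: FrozenSet[str]   # device platforms the profile supports
    groups: FrozenSet[str] = frozenset()  # Azure group IDs / Okta group names; empty = any user
    use: bool = True            # the "Use" switch on the Identity-Based Provisioning tab


@dataclass(frozen=True)
class SignIn:
    idp: str
    tenant: str
    groups: FrozenSet[str]      # memberships reported by the identity provider at sign-in
    platform: str               # platform of the device the user signs in from


def select_profile(profiles: Iterable[ActivationProfile],
                   sign_in: SignIn) -> Optional[ActivationProfile]:
    """Return the Activation Profile that would enroll this device, or None.

    `profiles` must be in the order shown in the RADAR list, since order
    breaks ties between group-bound profiles.
    """
    # 1. Tenant/org, the Use switch and supported platforms are hard filters.
    candidates = [
        p for p in profiles
        if p.use and p.idp == sign_in.idp and p.tenant == sign_in.tenant
        and sign_in.platform in p.platforms
    ]
    # 2. Group membership takes precedence: the first group-bound profile
    #    (in list order) naming a group the user belongs to wins.
    for p in candidates:
        if p.groups and p.groups & sign_in.groups:
            return p
    # 3. Otherwise the first profile not locked to any group is the default.
    for p in candidates:
        if not p.groups:
            return p
    return None


def find_default_conflicts(profiles: Iterable[ActivationProfile]) -> List[Tuple[str, str]]:
    """Pairs of enabled, group-less profiles that would both claim the default
    role for the same tenant on an overlapping platform (assumed conflict rule)."""
    defaults = [p for p in profiles if p.use and not p.groups]
    conflicts = []
    for i, a in enumerate(defaults):
        for b in defaults[i + 1:]:
            if a.idp == b.idp and a.tenant == b.tenant and a.platforms & b.platforms:
                conflicts.append((a.name, b.name))
    return conflicts


# Constructed sample data mirroring the three-profile example above.
TENANT = "00000000-0000-0000-0000-000000000000"        # placeholder Azure tenant ID
PROXY_GROUP = "a28d0000-0000-0000-0000-000000000000"   # placeholder 36-character group ID

PROFILES = [
    # First in the list: does not support the platform the example user signs in from
    ActivationProfile("Android-only profile", "azure", TENANT, frozenset({"android"})),
    ActivationProfile("Proxy with Private Access", "azure", TENANT,
                      frozenset({"ios", "macos"}), frozenset({PROXY_GROUP})),
    ActivationProfile("Private Access production", "azure", TENANT,
                      frozenset({"ios", "macos"})),
]


def enroll(platform: str, groups: Iterable[str] = ()) -> Optional[str]:
    """Name of the profile an Azure user on `platform` with `groups` would get."""
    chosen = select_profile(PROFILES, SignIn("azure", TENANT, frozenset(groups), platform))
    return chosen.name if chosen else None


if __name__ == "__main__":
    print(enroll("ios", [PROXY_GROUP]))   # group member -> Proxy with Private Access
    print(enroll("ios"))                  # no group -> Private Access production
    print(enroll("windows"))              # no profile supports the platform -> None
    print(find_default_conflicts(PROFILES))
```

The `find_default_conflicts` helper models the warning described under "When configuring a profile, you will be notified of any potential conflicts"; in this sample the two group-less profiles target disjoint platforms, so no conflict is reported.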

You can click Edit to add or remove Azure groups to or from an Activation Profile.

When configuring a profile, you will be notified of any potential conflicts with other profiles.

Activation Process Using Identity-Based Provisioning

As unmanaged devices do not support remote app installation by definition, end users must complete the following steps to activate Jamf Trust.

  1. The user downloads and installs Jamf Trust from their respective platform's App Store.

  2. The user opens the app and selects Sign in with Microsoft or Sign in with Okta as appropriate.

  3. When prompted, the user logs in with their IdP credentials.

  4. The user follows the in-app activation steps based on the settings in the Activation Profile.

After users have begun enrolling their devices, you can then view reports and deploy services.