Configuring Local Account Role Assignment between Jamf Connect and Azure AD

This article explains how to configure role-based local account creation on Mac computers using Azure AD and Jamf Connect.

You can use the Jamf Connect login window to create local accounts on Mac computers in your organization. When integrated with Microsoft Azure AD, administrators can also configure which users are created as a local administrator or standard account by completing the following steps:

  1. Configure administrator and standard app roles in your Jamf Connect app registration.

  2. Assign Azure AD users to the roles.

  3. Configure Jamf Connect to use roles from Azure AD for account creation.

Configuring App Roles

You can create users as local administrators on computers by using app roles defined in Azure AD.

You can use app roles in Azure AD to assign users specific roles for Jamf Setup.

Keep the following in mind when configuring roles in Azure AD for Jamf Setup:

  • Any role assignments in Azure AD will override any roles set via managed app configuration.

  • If a user is assigned only one role, Jamf Setup will automatically set up the device using that role and will not display the role selection screen.

  • If a user is not assigned any roles, Jamf Setup will display the role selection screen with a list of all roles available via managed app configuration.

  • To ensure the correct role is configured via Jamf Pro, the app role values must correspond to a Jamf Pro smart group.

Requirements

An app registration for Jamf Connect in Azure AD. For more information, see Integrating with Microsoft Azure AD in the Jamf Connect Documentation.

  1. Click Azure Active Directory in the left sidebar.
  2. Click App registrations, and then select your Jamf Connect app registration.
  3. Click App Roles from the sidebar.
  4. Click + Create app role.
  5. In the Create app role pane, do the following:
    1. Enter a role name, such as Administrator, in the Display Name field.

      This value is only used in the Azure AD UI.

    2. Select Users/Groups for Allowed member types.
    3. Enter a role value, such as Administrator, in the Value field.

      This value is included in the user's ID token during Jamf Connect authentication.

    4. Add an app role description.
    5. Make sure the Do you want to enable this app role? checkbox is selected.
    6. Click Apply.
  6. Repeat this process to create additional app roles.

Your Jamf Connect app registration now has two or more app roles for role-based local account creation.

You can now assign the roles to any users who are also assigned the app. Assigned users will only be able to select those roles from Jamf Setup, and any other roles will be hidden.

Assigning Users to Jamf Connect App Roles

You can assign users to app roles by navigating to your app registration's corresponding enterprise application settings in Azure AD.

Requirements

Make sure the Allow public client flows switch in the app registration's Authentication settings is temporarily set to No. This ensures the Users & groups tab is not hidden from the enterprise application settings UI.

  1. In Microsoft Azure, click Enterprise applications and then select your Jamf Connect app.
  2. From the Manage section in the sidebar, click Users & groups.
  3. Click + Add user/group.
  4. In the Add Assignment window, select users or groups to add to the Jamf Connect application, and then select a role for each new user or group.
  5. Click Assign.

Each user or group is assigned an app role, which can now be used to configure account creation in your Jamf Connect login window configuration profile.

Important:

Make sure to go back to the app registration's Authentication settings and set the Allow public client flows switch to Yes again.

Configuring Role-based Account Creation in Jamf Connect

You can map Jamf Connect's user role settings to the app roles in Azure AD for account creation. Keep the following in mind:

  • The OIDCAdminAttribute setting must be set to roles.

  • The OIDCAdmin setting specifies which user roles (or groups) configured in Azure AD become local administrators during account creation. This must match your app role's Value field.

In a Jamf Connect login window configuration profile, add the following two settings to specify which app roles in Azure AD should be used to create local administrator accounts:

  <key>OIDCAdminAttribute</key>
  <string>roles</string>
  <key>OIDCAdmin</key>
  <array>
    <string>administrator</string>
  </array>

When a user assigned to an administrator role logs in to a Mac computer via the Jamf Connect login window, their local account is now created as a local administrator. Users that are not assigned an administrator role are created as standard users on computers.

To disable all role-based account creation with Jamf Connect, you can use the Ignore Roles (OIDCIgnoreAdmin) setting.
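The following script is an added illustration, not part of this article or of Jamf Connect itself. It loads the two settings above from a constructed configuration profile, reads the roles claim out of a constructed (unsigned, placeholder-signature) ID token, and reports whether that user would be created as a local administrator or a standard user. It assumes exact matching between claim values and OIDCAdmin entries and that OIDCIgnoreAdmin is a boolean; no signature verification is performed, since the point is only to check the role-to-account mapping before rolling the profile out.

```python
import base64
import json
import plistlib

# Constructed Jamf Connect login window settings using the article's two keys.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OIDCAdminAttribute</key><string>roles</string>
  <key>OIDCAdmin</key><array><string>administrator</string></array>
</dict></plist>"""

def load_settings(plist_bytes=PROFILE_PLIST):
    return plistlib.loads(plist_bytes)

def check_settings(settings):
    """Return a list of problems with the role-mapping settings (empty if OK)."""
    problems = []
    if settings.get("OIDCAdminAttribute") != "roles":
        problems.append("OIDCAdminAttribute must be set to roles for Azure AD app roles")
    if not settings.get("OIDCAdmin"):
        problems.append("OIDCAdmin must list at least one app role Value")
    return problems

def b64url(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_id_token(claims):
    """Build a constructed test token: header.payload.placeholder (not signed)."""
    header = b64url({"alg": "RS256", "typ": "JWT"})
    return ".".join([header, b64url(claims), "SIGNATURE_PLACEHOLDER"])

def decode_payload(id_token):
    """Return the claims from the token's middle segment; claims are only inspected, not verified."""
    seg = id_token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))

def creates_local_admin(settings, claims):
    """Article's rule: admin only if the claim named by OIDCAdminAttribute carries an OIDCAdmin value."""
    if settings.get("OIDCIgnoreAdmin", False):  # assumed boolean 'Ignore Roles' setting
        return False
    values = claims.get(settings.get("OIDCAdminAttribute"), [])
    if isinstance(values, str):                 # a single role may arrive as a bare string
        values = [values]
    admin_values = settings.get("OIDCAdmin", [])
    return any(v in admin_values for v in values)  # exact, case-sensitive match assumed

def account_type(settings, id_token):
    """Return 'administrator' or 'standard' for the user described by id_token."""
    return "administrator" if creates_local_admin(settings, decode_payload(id_token)) else "standard"
```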