Creating a Custom Scope for Jamf Connect and Conditional Access Policies

Creating a custom scope for Jamf Connect applications ensures that Azure Active Directory Conditional Access policies apply as expected to the Jamf Connect login application, and that the Resource Owner Password Grant (ROPG) check appears as a successful login in the sign-in logs.

Administrators may observe failed login attempts in the sign-in log for the enterprise application created in Azure Active Directory when using Jamf Connect together with a Conditional Access policy that requires multifactor authentication (MFA) for the target "All cloud apps". This is expected behavior of the ROPG workflow (ROPG is a non-interactive grant and cannot satisfy an MFA prompt), but it may cause the user to appear in the Microsoft Azure risky sign-ins report.

The "All cloud apps" target applies policies beyond interactive logins to specific cloud services; it also covers non-interactive workflows such as ROPG. Specifically, "All cloud apps" applies to any application requesting a login with any of the following scopes: openid, profile, or email.

OpenID Connect (which is built on OAuth 2.0) uses these default scopes to obtain an access token or ID token for a client application. Consequently, in its default configuration, Jamf Connect login requests the openid, profile, and email scopes and names no specific resource. With this default behavior, the only way to apply a Conditional Access policy to Jamf Connect is to target "All cloud apps" with no exclusions; any narrower target, or an exclusion added to that policy, means the policy no longer applies to the Jamf Connect login.
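The request and check described above, as an added Python example that is not part of the original article and not Jamf's or Microsoft's code: it builds (offline, nothing is sent) the form body of the Azure AD v2.0 ROPG token request with and without a custom API scope, and inspects a token's aud and scp claims to confirm the token was issued for the custom API, which is the resource a Conditional Access policy must target. The application ID, tenant and user values are placeholders, and the JWT is constructed and unsigned for illustration only; the endpoint URL and grant_type=password parameter are Microsoft's documented v2.0 token endpoint.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Added example (not Jamf's or Microsoft's code). Shows the token request the
# ROPG check makes to Azure AD, what the custom scope changes in that request,
# and a check that a returned token is for the custom API resource.
AZURE_V2_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFAULT_OIDC_SCOPES = ("openid", "profile", "email")


def build_scopes(app_id_uri=None, scope_name="jamfconnect"):
    """Scopes for the token request. Without a custom API the request carries
    only the OIDC defaults, which Azure AD evaluates under 'All cloud apps'."""
    scopes = list(DEFAULT_OIDC_SCOPES)
    if app_id_uri:
        scopes.insert(0, f"{app_id_uri.rstrip('/')}/{scope_name}")
    return scopes


def build_ropg_request(tenant_id, client_id, scopes, username, password):
    """URL and form body of a v2.0 ROPG request (grant_type=password).
    Built offline; nothing is sent. Form encoding turns the spaces between
    scopes into '+', the separator Jamf Connect uses in its scopes field."""
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": " ".join(scopes),
        "username": username,
        "password": password,
    })
    return AZURE_V2_TOKEN_URL.format(tenant=tenant_id), body


def scope_from_body(body):
    """Decode the scope parameter back out of a form body (for inspection)."""
    return parse_qs(body)["scope"][0]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims of a JWT without verifying its signature.
    Inspection only; never use this for an authorization decision."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def token_is_for_custom_api(token, app_id_uri, scope_name="jamfconnect"):
    """True when the token's audience is the custom API (Azure AD may emit
    either the api:// URI or the bare application ID) and the custom scope
    was granted. Only then does a policy on that app registration govern
    the ROPG check."""
    claims = jwt_claims(token)
    app_id = app_id_uri[len("api://"):] if app_id_uri.startswith("api://") else app_id_uri
    granted = claims.get("scp", "").split()
    return claims.get("aud") in (app_id_uri, app_id) and scope_name in granted


def constructed_jwt(claims):
    """Unsigned JWT built from constructed claims, for offline demonstration
    only. Real tokens from Azure AD are signed; this one is not."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    app_uri = "api://11111111-2222-3333-4444-555555555555"  # placeholder application ID
    url, body = build_ropg_request("contoso-tenant-id", "11111111-2222-3333-4444-555555555555",
                                   build_scopes(app_uri), "user@example.com", "s3cret")
    print(url)
    print(body)
    tok = constructed_jwt({"aud": app_uri, "scp": "jamfconnect"})  # constructed token
    print("token targets custom API:", token_is_for_custom_api(tok, app_uri))
```

The point to take from the body is that with only openid, profile and email the request has no resource of its own, so no policy narrower than "All cloud apps" can match it; once the api://…/jamfconnect scope is present, the token's audience is the custom API and a policy on that single app registration is enough.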

Creating a custom scope for Jamf Connect and Conditional Access policies involves the following steps:
Note:

The following steps require Jamf Connect version 2.14 or later.

  1. Creating an app registration with a custom API

  2. Configuring scope for the Jamf Connect deployment file

  3. Creating an app registration using a new API permission

  4. Creating an Azure Conditional Access policy

  5. Removing Conditional Access policies applied to "All cloud apps"

  6. Creating a Jamf Connect configuration profile

Step 1: Creating an App Registration with a Custom API

  1. Log in to the Microsoft Azure Portal.
  2. Click Azure Active Directory in the left sidebar.
  3. Click App registrations, and then click New registration.
  4. Enter Jamf Connect - API Access or something similar into the Name field.
  5. Select Accounts in this organizational directory only in Supported account types.
  6. Click Register.
  7. Navigate to API permissions in the Manage section of the sidebar.
  8. In Grant Consent settings, click Grant admin consent for your company and then click Yes when prompted.
  9. Navigate to Expose an API in the Manage section of the sidebar.
  10. Set the Application ID URI and save it.

    The default entry follows the pattern api://[application ID], where the application ID is the client ID of this app registration. Make a note of it; it forms the first part of the scope string used in the Jamf Connect configuration.

Step 2: Configuring Scope for Jamf Connect Deployment File

  1. In the Microsoft Azure Portal, on the Jamf Connect - API Access app registration, navigate to Expose an API in the Manage section of the sidebar.
  2. Click Add a scope.
  3. Enter jamfconnect as the scope name.
  4. Under Who can consent, select Admins only.
  5. Enter a display name for Admin consent.
  6. Enter a description for Admin consent.
  7. Click Add scope.
    Best Practice:

    Make a note of the full scope value (api://[application ID]/jamfconnect) so that it can be easily applied to your configuration files.

Step 3: Creating an App Registration Using a New API Permission

  1. Click Azure Active Directory in the left sidebar.
  2. Click App registrations, and then click New registration.
  3. Name the app Jamf Connect - OIDC Endpoint.
  4. Select Accounts in this organizational directory only in Supported account types.
  5. (Optional) Choose Public client (mobile & desktop) from the Redirect URI pop-up menu, and then enter https://127.0.0.1/jamfconnect in the Redirect URI field.
  6. Click Register.
  7. Navigate to API permissions in the Manage section of the sidebar.
  8. In Grant Consent settings, click Grant admin consent for your company and then click Yes when prompted.
  9. Click Add a permission.
  10. Select the My APIs tab.
  11. Select the name of the app you created.
  12. Click Delegated permissions and select the jamfconnect checkbox.
  13. Click Add permissions.
  14. In Grant Consent settings, click Grant admin consent for your company and then click Yes when prompted.
  15. (Optional) Create an app role for users to become an administrator user on a client Mac computer. For more information about creating an app role, see the Configuring Local Account Role Assignment between Jamf Connect and Azure AD article.
  16. (Optional) Create an app role for users to have standard rights on a client Mac computer.
  17. Navigate to Azure Active Directory > Enterprise applications.
  18. Select the Jamf Connect - OIDC Endpoint application.
  19. Select users or groups to add to the Jamf Connect - OIDC Endpoint application, and then select a role for each new user or group.
    Note:

    Users or Groups must be assigned to the application for the Roles attribute to work.

Step 4: Creating an Azure Conditional Access Policy

  1. In the Microsoft Azure portal, navigate to Azure AD Conditional Access.
  2. Create a new policy.
  3. Name the policy.
  4. Under Users or workload identities, select a test user so that you can verify the policy before widening its scope.
  5. Under Cloud apps or actions, choose Select apps and select the Jamf Connect - API Access app registration you created in Step 1: Creating an App Registration with a Custom API. This is the resource that the custom scope belongs to; it is the app the policy must target, not the Jamf Connect - OIDC Endpoint client.
  6. Under Grant, select Grant access.
  7. Select Require multifactor authentication.
  8. Set the Enable policy toggle to On.
  9. Click Create.

Step 5: Removing Conditional Access Policies Applied to "All cloud apps"

  1. In the Microsoft Azure portal, navigate to Azure AD Conditional Access.
  2. Identify each policy that targets "All cloud apps" and grants access with Require multifactor authentication.
  3. Set the Enable policy toggle to Off for each identified policy.

    The policy from Step 4 covers only the Jamf Connect API. Before turning off a policy that targeted "All cloud apps", review which other applications it protected and make sure they keep equivalent coverage through policies of their own.

Step 6: Creating a Jamf Connect Configuration Profile

  1. In Jamf Connect Configuration, click the + icon at the bottom-left of the window.
  2. Name your new configuration by clicking on it in the sidebar.
  3. Click the Identity Provider tab.
  4. Select Azure in the Identity Provider menu.
  5. Enter the application (client) ID of the public client app you created in Step 3: Creating an App Registration Using a New API Permission in both the OIDC Client ID and ROPG Client ID fields.
  6. Enter the tenant ID (a UUID) of your Azure instance in the Tenant ID field.
  7. Combine the scope you saved in Step 2: Configuring Scope for Jamf Connect Deployment File with +openid+profile+email and enter the result in the OpenID Connect Scopes field.

    The new scope should look similar to the following, where the UUID is the application ID of the Jamf Connect - API Access app registration from Step 1: api://[application ID]/jamfconnect+openid+profile+email

  8. (Optional) Enter https://127.0.0.1/jamfconnect in the OIDC Redirect URI field, matching the redirect URI registered in Step 3.
  9. Click Test and select OIDC test.

    Confirm that your test user is prompted for multifactor authentication before receiving a token. Then run the ROPG test for the same user and check the Azure sign-in log for the Jamf Connect - OIDC Endpoint enterprise application: the entry should now be recorded as a successful sign-in rather than the failed attempt described at the top of this article.
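The Step 6 values as a configuration payload, as an added Python example that is neither the article's nor Jamf's code: it composes the OpenID Connect Scopes string, rejects the common mistakes (no api:// scope, a dropped OIDC default, spaces instead of '+'), and writes the result as a custom-settings payload with plistlib. The preference key names (OIDCProvider, OIDCClientID, ROPGClientID, OIDCTenant, OIDCScopes, OIDCRedirectURI) and the profile layout are assumed to match the com.jamf.connect.login preference domain that Jamf Connect Configuration writes; verify them against the Jamf Connect documentation before deploying. All IDs are placeholders.

```python
import plistlib
import uuid

# Added example (not Jamf's code). Builds the login payload described in
# Step 6 and checks the scope string before it ships. The preference key
# names are assumed to match Jamf Connect's login preference domain.
PREFERENCE_DOMAIN = "com.jamf.connect.login"
REQUIRED_OIDC_SCOPES = ("openid", "profile", "email")
DEFAULT_REDIRECT_URI = "https://127.0.0.1/jamfconnect"


def jamf_scope_string(app_id_uri, scope_name="jamfconnect"):
    """The OpenID Connect Scopes value: custom API scope first, then the
    OIDC defaults, joined with '+' as the article describes."""
    return "+".join([f"{app_id_uri.rstrip('/')}/{scope_name}", *REQUIRED_OIDC_SCOPES])


def scope_problems(scope):
    """Return a list of defects in a scope string, empty when it is sound.
    A missing api:// scope means the policy on the custom API never applies;
    a missing OIDC default means no usable ID token for the login window."""
    parts = scope.split("+")
    problems = []
    custom = [p for p in parts if p.startswith("api://")]
    if len(custom) != 1:
        problems.append("expected exactly one api:// scope, found %d" % len(custom))
    for required in REQUIRED_OIDC_SCOPES:
        if required not in parts:
            problems.append("missing OIDC scope: " + required)
    if " " in scope:
        problems.append("scopes must be joined with '+', not spaces")
    return problems


def login_payload(tenant_id, client_id, app_id_uri, redirect_uri=DEFAULT_REDIRECT_URI):
    """Preference dict for the Jamf Connect login window. The same public
    client ID serves both the OIDC and ROPG flows, as in Step 6."""
    scope = jamf_scope_string(app_id_uri)
    problems = scope_problems(scope)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "OIDCProvider": "Azure",
        "OIDCClientID": client_id,
        "ROPGClientID": client_id,
        "OIDCTenant": tenant_id,
        "OIDCScopes": scope,
        "OIDCRedirectURI": redirect_uri,
    }


def configuration_profile(payload, identifier="com.example.jamfconnect.login"):
    """Wrap the payload in a minimal mobileconfig structure (assumed layout:
    a Configuration profile carrying one custom-settings payload whose
    PayloadType is the preference domain). Fresh UUIDs are generated each run."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Jamf Connect Login",
        "PayloadContent": [{
            "PayloadType": PREFERENCE_DOMAIN,
            "PayloadVersion": 1,
            "PayloadIdentifier": identifier + ".payload",
            "PayloadUUID": str(uuid.uuid4()),
            **payload,
        }],
    }


def to_plist(profile):
    """Serialize the profile to XML plist bytes (the .mobileconfig content)."""
    return plistlib.dumps(profile)


def payload_from_plist(data):
    """Read the login payload back out of serialized profile bytes."""
    return plistlib.loads(data)["PayloadContent"][0]


if __name__ == "__main__":
    app_uri = "api://11111111-2222-3333-4444-555555555555"  # placeholder API app ID
    payload = login_payload("22222222-3333-4444-5555-666666666666",  # placeholder tenant
                            "33333333-4444-5555-6666-777777777777",  # placeholder client
                            app_uri)
    print(to_plist(configuration_profile(payload)).decode())
```

Jamf Connect Configuration produces this profile for you; the value of the script is the scope check, which catches the wrong-step mix-ups (pasting the Step 3 client ID into the scope, or leaving out profile or email) before the profile reaches a Mac.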