Troubleshooting Microsoft Azure Login Using JamfAAD

Updated: 17 June 2022
Product: Jamf Pro

The JamfAAD integrates Jamf Pro 10.17.0 or later with Microsoft Azure to grant conditional access, which allows you to use the JamfAAD (Azure Active Directory) to troubleshoot login issues with Microsoft Azure.

You can troubleshoot the following issues using the JamfAAD:

  • If users are marked as unresponsive in Azure Active Directory (Azure AD) and there are network issues, you can configure the JamfAAD to recheck for a valid token at check-in.

  • If you think users may be connecting to the wrong server or using an incorrect email address, you can enable additional JamfAAD logging.

  • If users are experiencing issues related to browser redirects during the signin process, you can configure the JamfAAD app to use WebView instead.

For more information on how to troubleshoot pre-fill authentication, see the Troubleshooting the JamfAAD Pre-fill Authentication Issue article.

Configure the JamfAAD Check-in to recheck for a valid Azure AD token

To resolve issues with users in an unresponsive state or network issues, you can configure the JamfAAD to recheck for a valid Azure AD token at check-in by using the tokenRetryCount and tokenRetryWaitTime preferences. By default, tokenRetryCount is set to zero retries and tokenRetryWaitTime is set to five seconds.

You can configure the JamfAAD check-in in the following ways:

  • Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.

  • Run a script using a policy with the execution frequency of "Once per user per computer".

The following examples show how to configure the JamfAAD to retry three times with 42 seconds between each retry.
PLIST Example

To configure JamfAAD check-in by deploying a PLIST file, use the following example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>tokenRetryCount</key>
<integer>3</integer>
<key>tokenRetryWaitTime</key>
<integer>42</integer>
</dict>
</plist>

When configuring the Custom Settings payload, enter the following in the Preference Domain field: com.jamf.management.jamfAAD

For instructions on deploying configuration profiles with the Custom Settings payload configured, see the Deploying Custom Configuration Profiles Using Jamf Pro article.

Script Example

To configure JamfAAD check-in by running a script using a policy with the execution frequency of "Once per user per computer", use the following example:

#!/bin/sh
defaults write com.jamf.management.jamfAAD tokenRetryWaitTime -float 42
defaults write com.jamf.management.jamfAAD tokenRetryCount -int 3

For more information on how to run a script, see Scripts in the Jamf Pro Documentation.

Configure JamfAAD to use WebView

To avoid issues with browser redirection during the login process, you can configure the JamfAAD app to use WebView instead.

You can configure JamfAAD to use WebView in the following ways:

  • Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.

  • Run a script using a policy with the execution frequency of "Once per user per computer".

The following examples show how to configure the JamfAAD to use WebView instead of a browser redirect.

PLIST Example (recommended)

To configure JamfAAD to use WebView by deploying a PLIST file, use the following example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>useWKWebView</key>
	<true/>
</dict>
</plist>

When configuring the Custom Settings payload, enter the following in the Preference Domain field: com.jamf.management.jamfAAD

For instructions on deploying configuration profiles with the Custom Settings payload configured, see the Deploying Custom Configuration Profiles Using Jamf Pro article.

Script Example
To configure the JamfAAD to use WebView for users signing into Azure AD, deploy a policy to managed computers that runs the following script:
#!/bin/sh
defaults write com.jamf.management.jamfAAD useWKWebView -bool true
Note:

The above command must be executed before the JamfAAD initiates the registration process.

Enabling Additional JamfAAD Logging

To troubleshoot issues with users logging in to the wrong server or using an incorrect email address, use the logPII preferences key to log additional personally identifiable information from the Azure login process. Personally and organizationally identifiable information is only logged on the computer's local log system— it is not sent to the Jamf Pro server. The log will report the following information:

  • userID—Email address used to log in

  • Authority host—Server the user was redirected to for sign in

  • Token number

You can enable JamfAAD logging in the following ways:

  • Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.

  • Run a script using a policy with the execution frequency of "Once per user per computer".

PLIST Example
To enable JamfAAD logging by deploying a PLIST file, use the following example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key><key>logPII</key></key>
</true>
</dict>
</plist>

When configuring the Custom Settings payload, enter the following in the Preference Domain field:com.jamf.management.jamfAAD

For instructions on deploying configuration profiles with the Custom Settings payload configured, see the Deploying Custom Configuration Profiles Using Jamf Pro article.

Script Example
To enable JamfAAD logging by running a script using a policy with the execution frequency of "Once per user per computer", use the following example:
#!/bin/sh
defaults write com.jamf.management.jamfAAD logPII -bool true
If you want to disable JamfAAD logging, you can use the following script:
#!/bin/sh
defaults delete com.jamf.management.jamfAAD logPII