Troubleshooting Microsoft Azure Login Using JamfAAD
JamfAAD integrates Jamf Pro 10.17.0 or later with Microsoft Azure Active Directory (Azure AD) for conditional access. The JamfAAD preferences described below let you troubleshoot Azure AD login issues on managed computers.
If users are marked as unresponsive in Azure Active Directory (Azure AD) and there are network issues, you can configure the JamfAAD to recheck for a valid token at check-in.
If you think users may be connecting to the wrong server or using an incorrect email address, you can enable additional JamfAAD logging.
If users are experiencing issues related to browser redirects during the sign-in process, you can configure the JamfAAD app to use WebView instead.
For more information on how to troubleshoot pre-fill authentication, see the Troubleshooting the JamfAAD Pre-fill Authentication Issue article.
Configure the JamfAAD Check-in to recheck for a valid Azure AD token
To resolve issues with users in an unresponsive state or with network issues, you can configure JamfAAD to recheck for a valid Azure AD token at check-in by using the tokenRetryCount and tokenRetryWaitTime preferences. By default, tokenRetryCount is set to zero retries and tokenRetryWaitTime is set to five seconds, so the wait time has no effect until tokenRetryCount is raised above zero.
You can set these preferences in either of the following ways:
Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.
Run a script using a policy with the execution frequency of "Once per user per computer".
- PLIST Example
To configure JamfAAD check-in by deploying a PLIST file, use the following example:
- Script Example
To configure JamfAAD check-in by running a script using a policy with the execution frequency of "Once per user per computer", use the following example:
Configure JamfAAD to use WebView
To avoid issues with browser redirection during the login process, you can configure the JamfAAD app to use WebView instead. You can set this preference in either of the following ways:
Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.
Run a script using a policy with the execution frequency of "Once per user per computer".
The following examples show how to configure the JamfAAD to use WebView instead of a browser redirect.
- PLIST Example (recommended)
To configure JamfAAD to use WebView by deploying a PLIST file, use the following example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>useWKWebView</key>
    <true/>
</dict>
</plist>
When configuring the Custom Settings payload, enter the following in the Preference Domain field: com.jamf.management.jamfAAD
For instructions on deploying configuration profiles with the Custom Settings payload configured, see the Deploying Custom Configuration Profiles Using Jamf Pro article.
- Script Example
To configure JamfAAD to use WebView for users signing into Azure AD, deploy a policy to managed computers that runs the following script:
#!/bin/sh
defaults write com.jamf.management.jamfAAD useWKWebView -bool true
Note: The above command must be executed before JamfAAD initiates the registration process.
Enabling Additional JamfAAD Logging
You can use the logPII preference key to log additional personally identifiable information from the Azure login process. Personally and organizationally identifiable information is only logged to the computer's local log system; it is not sent to the Jamf Pro server. Because this data is sensitive, enable logPII only while troubleshooting and disable it again afterwards. The log will report the following information:
userID: email address used to log in
Authority host: server the user was redirected to for sign in
Token number
You can set this preference in either of the following ways:
Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.
Run a script using a policy with the execution frequency of "Once per user per computer".
- PLIST Example
To enable JamfAAD logging by deploying a PLIST file, use the following example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>logPII</key>
    <true/>
</dict>
</plist>
When configuring the Custom Settings payload, enter the following in the Preference Domain field: com.jamf.management.jamfAAD
For instructions on deploying configuration profiles with the Custom Settings payload configured, see the Deploying Custom Configuration Profiles Using Jamf Pro article.
- Script Example
To enable JamfAAD logging by running a script using a policy with the execution frequency of "Once per user per computer", use the following example:
#!/bin/sh
defaults write com.jamf.management.jamfAAD logPII -bool true
If you want to disable JamfAAD logging, you can use the following script:
#!/bin/sh
defaults delete com.jamf.management.jamfAAD logPII
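The following script is an added example for this article, not Jamf's code, and covers all three procedures above: the token retry preferences (for which the page itself shows no PLIST), the WebView preference and the logPII preference. It builds the PLIST for the Custom Settings payload from typed values and lints a PLIST before it is deployed, catching the kind of hand-editing mistake that turns a boolean into a stray closing tag, a count that was typed as a string, a wait time that can never apply because tokenRetryCount is still zero, and logPII left enabled after troubleshooting. The preference domain and key names are the ones the article gives; the value types are an assumption, since the article does not state them (the two retry keys are treated as integers, the other two as booleans).

```python
"""Build, lint and round-trip JamfAAD preference plists before deploying them.

Added example for this article; it is not Jamf's code. It assumes the
preference domain and keys the article names (com.jamf.management.jamfAAD,
tokenRetryCount, tokenRetryWaitTime, useWKWebView, logPII). The article does
not state the value types, so the assumption here is that the two retry keys
are integers (a count and a number of seconds) and the other two are booleans.
"""
import plistlib

DOMAIN = "com.jamf.management.jamfAAD"

# Assumed value type for each preference key (see module docstring).
PREF_TYPES = {
    "tokenRetryCount": int,     # number of retries; 0 (the default) means no retry
    "tokenRetryWaitTime": int,  # seconds between retries; default 5
    "useWKWebView": bool,
    "logPII": bool,
}

# Constructed sample reproducing a common hand-editing mistake: "</true>" is a
# closing tag with no opening tag, whereas a plist boolean is the empty element "<true/>".
BROKEN_LOGPII_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>logPII</key>
  </true>
</dict>
</plist>
"""


def _matches(value, expected) -> bool:
    """True if value has the expected plist type. bool is checked before int
    because bool is a subclass of int and True would otherwise pass as 1."""
    if expected is bool:
        return isinstance(value, bool)
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def build_prefs(**prefs) -> bytes:
    """Serialize JamfAAD preferences to XML plist bytes for the Custom Settings payload,
    refusing unknown keys and wrongly typed values (e.g. the string "3" for a count)."""
    for key, value in prefs.items():
        expected = PREF_TYPES.get(key)
        if expected is None:
            raise KeyError(f"unknown preference {key!r} for domain {DOMAIN}")
        if not _matches(value, expected):
            raise TypeError(f"{key} must be {expected.__name__}, got {value!r}")
        if expected is int and value < 0:
            raise ValueError(f"{key} must not be negative, got {value}")
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML, sort_keys=True)


def lint_plist(data: bytes) -> list:
    """Parse a serialized plist and return a list of problems (empty means clean).

    Reports malformed XML, unknown keys, wrong value types, a wait time that can
    never apply, and logPII left enabled (it writes the sign-in email and
    authority host to the local log, so it should only be on while troubleshooting).
    """
    try:
        prefs = plistlib.loads(data)
    except Exception as exc:  # ExpatError for bad XML, InvalidFileException for a non-plist header
        return [f"malformed plist: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level plist object must be a dict"]
    problems = []
    for key, value in prefs.items():
        expected = PREF_TYPES.get(key)
        if expected is None:
            problems.append(f"unknown key {key!r} for domain {DOMAIN}")
        elif not _matches(value, expected):
            problems.append(f"{key} should be {expected.__name__}, got {type(value).__name__}")
    if prefs.get("logPII") is True:
        problems.append("logPII is enabled: sign-in email and authority host are written "
                        "to the local log; disable it after troubleshooting")
    if "tokenRetryWaitTime" in prefs and prefs.get("tokenRetryCount", 0) == 0:
        problems.append("tokenRetryWaitTime has no effect while tokenRetryCount is 0")
    return problems


if __name__ == "__main__":
    retry_plist = build_prefs(tokenRetryCount=3, tokenRetryWaitTime=10)
    print(retry_plist.decode())
    print("retry plist:", lint_plist(retry_plist) or "clean")
    print("WebView plist:", lint_plist(build_prefs(useWKWebView=True)) or "clean")
    print("logPII plist:", lint_plist(build_prefs(logPII=True)))
    print("hand-edited plist:", lint_plist(BROKEN_LOGPII_PLIST))
```

Run it as-is to print a token retry PLIST (3 retries, 10 seconds apart) that can be pasted into the Custom Settings payload under the com.jamf.management.jamfAAD domain, followed by the lint results for each case. The linter deliberately parses the finished bytes rather than the Python dict, so it checks exactly what would be deployed, and it treats an enabled logPII as a finding rather than an error: that setting is legitimate during troubleshooting, but the output should remind you to remove it once the login issue is resolved.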
Additional Information
Conditional Access in the Jamf Pro Documentation.
Integrating with Microsoft Intune to Enforce Compliance on Mac Computers Managed by Jamf Pro technical paper.