Manage macOS admin privileges with the SAP – Privileges app

Limiting the use of macOS Admin rights with the open sources SAP – Privileges app.

Time to add some variety to the blog, so I’m starting a series of post which I’ll mix in between other more mainstream topics. I want to spend some time testing some hidden or maybe less known gems that will make your life as a macAdmin a bit easier.

And the honour for the first awesome little tool I’d like to discuss goes to: SAP – Privileges. I knew about the existence of this tool but never took the time to check it out…

So, let’s not waste any time and dive right into it!

Note: Little disclaimer from the SAP Github project page.

This project is 'as-is' with no support, no changes being made. You are welcome to make changes to improve it but we are not available for questions or support of any kind.

That said, there is no need to, as it just works as expected. Within the limitations of the design of course. Nevertheless, Rich Trouton was so friendly to point me to his own Privileges scripts and recipes to enhance the deployment! This made it even easier to use! Thanks Rich!

The basic idea behind the app is to ensure that your end users, who need to be Admin for specific tasks, don’t use their Admin account while performing day to day tasks which don’t require Admin privileges at all.

Continue reading “Manage macOS admin privileges with the SAP – Privileges app”

Jamf Connect and ADFS… incorrect password

Fixing the “incorrect password” issue with Jamf Connect Login and ADFS.

Update 19th of March: It came to my attention that I'm missing the ROPG key in the config below. Again, I'm not able to fully test as I don't have an ADFS test environment.  I update the config below, adding the OIDCROPGID key, please let me know if it works for you.

Update 22nd: I just build out an entire ADFS farm. AD + ADFS + WAP servers, and federated it with Azure. I can use Jamf Connect Login to authenticate and create the account, but setting the <OIDCNewPassword> key to <false/> to validate it over ROPG and use it as local password still does NOT work for me. Adding the OIDCROPGID key below, does not change anything. I must be missing a key ingredient on ADFS to make it work. And while I managed to build out the ADFS farm, I'm not an ADFS expert, hence I'm wondering if this missing ingredient / setting might also make the passthrough of ROPG via Azure work... no idea, back to square one.
        ------------------------------------------------------
        <key>OIDCROPGID</key>
        <string>f7364cb1-2b34-4g64-9c83-38b827cd0a9e</string>
        ------------------------------------------------------

I was initially going to dedicate this post to deploying Jamf Connect Login with Okta. I wrote that Nomad Login+ Okta post a few months ago, so I assumed it would be a walk in the party to update my workflow now that Nomad Login+ moved under the Jamf Connect umbrella. Well, I still don’t know why but I ran into some roadblocks which I have to analyse first. Probably just due to my own doing, overlooking things or whatever it might be, but I’ll postpone writing about it till I have rock solid info to share. Stay tuned!

Hence, this post is going to be Azure related again. But because Jamf Connect is still fairly new to all of us, we can’t share too much information right! Jamf Connect truly is a beautiful tool to streamline the way end users authenticate to their Macs, apps and services, ensuring they only need 1 password to rule it all. Have a look at my previous post about how to do a basic deployment. Quite straight forward, no rocket science at all!

However it seems that some people ran into issues in environments with a mix of Azure and ADFS.

Continue reading “Jamf Connect and ADFS… incorrect password”

Jamf Connect Verify

Deploying Jamf Connect Verify

After deploying Jamf Connect Login with Azure in one of my previous posts, it was about time to have a look at adding ‘Verify’ to the mix as well. And while there are plenty of different deployment scenarios possible, I’m going to keep this one short and simple.

Note: Just for clarity, Jamf Connect Login is used with Azure or Okta. Jamf Connect Verify is a tool used with Azure, while Jamf Connect Sync (Nomad Pro) is used with Okta.

In my discussion about deploying Jamf Connect Login, I repackaged the installer and added a post-install script for the authchanger and Notify, etc…

I could just add the Jamf Connect Verify to the prestage package, but Jamf Connect Verify can actually be used without Jamf Connect Login. So for this quick overview, I’ll just deploy Verify separately. If you are deploying Verify together with Login, just repackage it like I did in my previous post. If not, just deploy it with a Jamf Pro policy, or even a stand alone pre-stage package if you have nothing else to deploy in the prestage. For testing, you can just run the installer on your test machine, nothing special.

Continue reading “Jamf Connect Verify”

Integrate Azure LDAP in Jamf Pro

Integrate Azure AD in Jamf Pro as an LDAP service.

With the release of Jamf Connect w/ Azure integration, Jamf provides a tool (amongst other functionality) to create local user accounts on your Macs. This based on the identity of the user in Azure.

I noticed this latest Jamf Connect release triggers additional interest in integrating Azure as an LDAP server. Azure LDAP integration was on my blog to-do list for some time now, but other topics jumped ahead in my priority list. So to finally clear this from my to-do list, hereby a quick post on how to add Azure as an LDAP service in Jamf Pro.

I’ll try to keep this one as short as possible. Managing Azure AD and enabling the required services (LDAPs) is a bit beyond my scope here. Allow me to assume that you already configured it for other integrations outside Jamf Pro.

Nevertheless, let’s run through the different steps on a high level overview, and try to highlight some important notes. After this we’ll have a look at the default mapping settings in Jamf Pro.

Continue reading “Integrate Azure LDAP in Jamf Pro”