Jamf Connect and ADFS… incorrect password

Fixing the “incorrect password” issue with Jamf Connect Login and ADFS.

Update 19th of March: It came to my attention that I'm missing the ROPG key in the config below. Again, I'm not able to fully test as I don't have an ADFS test environment.  I update the config below, adding the OIDCROPGID key, please let me know if it works for you.

Update 22nd: I just build out an entire ADFS farm. AD + ADFS + WAP servers, and federated it with Azure. I can use Jamf Connect Login to authenticate and create the account, but setting the <OIDCNewPassword> key to <false/> to validate it over ROPG and use it as local password still does NOT work for me. Adding the OIDCROPGID key below, does not change anything. I must be missing a key ingredient on ADFS to make it work. And while I managed to build out the ADFS farm, I'm not an ADFS expert, hence I'm wondering if this missing ingredient / setting might also make the passthrough of ROPG via Azure work... no idea, back to square one.
        ------------------------------------------------------
        <key>OIDCROPGID</key>
        <string>f7364cb1-2b34-4g64-9c83-38b827cd0a9e</string>
        ------------------------------------------------------

I was initially going to dedicate this post to deploying Jamf Connect Login with Okta. I wrote that Nomad Login+ Okta post a few months ago, so I assumed it would be a walk in the party to update my workflow now that Nomad Login+ moved under the Jamf Connect umbrella. Well, I still don’t know why but I ran into some roadblocks which I have to analyse first. Probably just due to my own doing, overlooking things or whatever it might be, but I’ll postpone writing about it till I have rock solid info to share. Stay tuned!

Hence, this post is going to be Azure related again. But because Jamf Connect is still fairly new to all of us, we can’t share too much information right! Jamf Connect truly is a beautiful tool to streamline the way end users authenticate to their Macs, apps and services, ensuring they only need 1 password to rule it all. Have a look at my previous post about how to do a basic deployment. Quite straight forward, no rocket science at all!

However it seems that some people ran into issues in environments with a mix of Azure and ADFS.

Continue reading “Jamf Connect and ADFS… incorrect password”

Jamf Connect Verify

Deploying Jamf Connect Verify

After deploying Jamf Connect Login with Azure in one of my previous posts, it was about time to have a look at adding ‘Verify’ to the mix as well. And while there are plenty of different deployment scenarios possible, I’m going to keep this one short and simple.

Note: Just for clarity, Jamf Connect Login is used with Azure or Okta. Jamf Connect Verify is a tool used with Azure, while Jamf Connect Sync (Nomad Pro) is used with Okta.

In my discussion about deploying Jamf Connect Login, I repackaged the installer and added a post-install script for the authchanger and Notify, etc…

I could just add the Jamf Connect Verify to the prestage package, but Jamf Connect Verify can actually be used without Jamf Connect Login. So for this quick overview, I’ll just deploy Verify separately. If you are deploying Verify together with Login, just repackage it like I did in my previous post. If not, just deploy it with a Jamf Pro policy, or even a stand alone pre-stage package if you have nothing else to deploy in the prestage. For testing, you can just run the installer on your test machine, nothing special.

Continue reading “Jamf Connect Verify”

Integrate Azure LDAP in Jamf Pro

Integrate Azure AD in Jamf Pro as an LDAP service.

With the release of Jamf Connect w/ Azure integration, Jamf provides a tool (amongst other functionality) to create local user accounts on your Macs. This based on the identity of the user in Azure.

I noticed this latest Jamf Connect release triggers additional interest in integrating Azure as an LDAP server. Azure LDAP integration was on my blog to-do list for some time now, but other topics jumped ahead in my priority list. So to finally clear this from my to-do list, hereby a quick post on how to add Azure as an LDAP service in Jamf Pro.

I’ll try to keep this one as short as possible. Managing Azure AD and enabling the required services (LDAPs) is a bit beyond my scope here. Allow me to assume that you already configured it for other integrations outside Jamf Pro.

Nevertheless, let’s run through the different steps on a high level overview, and try to highlight some important notes. After this we’ll have a look at the default mapping settings in Jamf Pro.

Continue reading “Integrate Azure LDAP in Jamf Pro”

Jamf, Nomad, Jamf Connect… just WOW ! What a surprise !

Wow, what a surprise indeed! That moment you are in the middle of mentioning the capabilities of Nomad to the sys admin you are on-boarding in Jamf Pro… the news of the year rolls in…!

Nomad is Jamf… wait, what? Can’t be?!… Time for a small break in the on-boarding session to figure out what just happened!

Yes, there is was, the email from Dean (Jamf CEO), followed by a lot of excitement in the internal chats, emails and other channels. Indeed, Nomad is Jamf and there is Jamf Connect now… just WOW!

But why all the fuzz? What’s Nomad anyway? Why is this such a big news?

Continue reading “Jamf, Nomad, Jamf Connect… just WOW ! What a surprise !”

Default LDAP mapping for Active Directory in Jamf

In today’s post I’d like to go through adding LDAP integration to Jamf Pro, with Microsoft Active Directory as Directory server, and more specific: share the default settings in case you have to configure the LDAP integration manually. So no magic in this post, just sharing the default workflow and AD mappings which might come in handy. I’ll share some other Directory Service mappings soon, such as freeIPA, OD,…

Before we start diving into the settings, just remember that, if you are a Jamf Cloud customer, you will first need to grant Jamf Cloud access to your AD server. Either by Whitelisting the IP adresses of Jamf Cloud, or by installing a Jamf Infrastructure Manager or ‘JIM’ in your DMZ. See my post on ‘JIM’: )

Once this is done, you can go into the settings of Jamf Pro and configure the LDAP connection using the wizard. Jamf Pro will automatically try to fetch the Directory settings and mappings.

Continue reading “Default LDAP mapping for Active Directory in Jamf”