With the release of Jamf Connect with Azure integration, Jamf provides a tool which (amongst other functionality) creates local user accounts on your Macs based on the identity of the user in Azure AD.
I noticed this latest Jamf Connect release triggered additional interest in integrating Azure as an LDAP server. Azure LDAP integration had been on my blog to-do list for some time, but other topics kept jumping ahead in my priority list. So, to finally clear it from the list, here is a quick post on how to add Azure as an LDAP service in Jamf Pro.
I’ll try to keep this one as short as possible. Managing Azure AD and enabling the required services (LDAPS) is a bit beyond the scope of this post, so allow me to assume that you have already configured it for other integrations outside Jamf Pro.
Nevertheless, let’s run through the different steps at a high level and highlight some important notes. After that we’ll have a look at the default mapping settings in Jamf Pro.
Let’s not re-invent the wheel here. Microsoft has a very extensive KB on how to enable LDAPS in Azure AD Domain Services. I’ll run through it at a high level, but I’d really recommend following it to the letter if you still have to set it up.
Pre-reqs for Azure LDAPS integration in Jamf Pro:
- Azure subscription
- Azure AD directory
- Azure AD Domain Services enabled
- LDAPS enabled on the Azure AD Domain Services (reachable over the internet if Jamf Pro is hosted in Jamf Cloud)
- Valid SSL/TLS certificate for the LDAPS endpoint: a wildcard for the managed domain (*.your-managed-domain), exported as a .pfx including the private key
Before you can enable LDAPS you’ll need to have Domain Services configured. Use this Microsoft KB to do so. Going through all of it would make this post way too long and, as said, the Microsoft KB is very detailed and straightforward to follow. I’m not an Azure expert or admin, so if I can do it, you should not have any problems either.
The initial configuration will walk you through the following steps:
- Basics (domain name, Azure subscription, resource group, location)
- Network (virtual network settings)
- Administrative group (who manages the domain)
- Synchronisation (sync Azure AD users to the Domain Services)
Azure will start deploying the Domain Services and you’ll see a ‘Deployment in progress’ notification. This can take about an hour to complete! Just be patient and, as always, get a coffee… ☕️☕️☕️
In the meantime, have a look at the Azure AD Domain Services blade to see your domain being provisioned. Wait for the ‘Running’ status.
When the domain is ready, you need to update the DNS settings of the virtual network so that it resolves the managed domain. Just hit Configure to complete this step.
The final step to enable Domain Services (before we can enable LDAPS) involves generating password hashes for your users in a format the managed domain can use. In practice this means cloud-only users have to change or reset their password once after Domain Services is enabled. Microsoft explains why:
To authenticate users on the managed domain, Azure Active Directory Domain Services needs password hashes in a format that's suitable for NTLM and Kerberos authentication. Azure AD does not generate or store password hashes in the format that's required for NTLM or Kerberos authentication, until you enable Azure Active Directory Domain Services for your tenant. For obvious security reasons, Azure AD also does not store any password credentials in clear-text form. Therefore, Azure AD does not have a way to automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.
Take the time to read Task 5 of the Azure AD Domain Services guide!

Azure AD LDAPS config:
At this point you should have Azure AD and Domain Services up and running. Next is enabling LDAPS. This is where we’ll need our SSL certificate. Have a look at steps 1 and 2 in the Microsoft guide above if you need help creating this certificate.
When you have your cert, go to the Secure LDAP tab and enable secure LDAP. Make sure to also allow secure LDAP access over the internet (Jamf Cloud has to reach the endpoint), but review the warning below. Upload the .pfx, enter its password, and save the configuration.
When you enable secure LDAP access over the internet, your domain is susceptible to password brute force attacks over the internet. Therefore, we recommend setting up an NSG to lock down access to required source IP address ranges. See the instructions to lock down LDAPS access to your managed domain over the internet.
To lock down LDAPS access to Jamf Cloud only, have a look at Jamf’s article listing the IP addresses Jamf Cloud uses for outbound connections. As I’m integrating with Jamf Cloud (EU) here, I locked it down like this:
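As an added example (not code from the original post or from Microsoft’s guide), the two pieces of the LDAPS step that are easy to get wrong can be scripted. The first function builds the same self-signed wildcard certificate Microsoft’s guide creates with New-SelfSignedCertificate, but with openssl (1.1.1 or newer) so it can be done from a Mac; the second adds the NSG rule the warning above asks for. The managed domain aaddscontoso.com, the resource group aadds-rg, the NSG name aadds-nsg and the source ranges are placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example, not from the original post or Microsoft's guide.
#   make_ldaps_cert  - wildcard certificate for Azure AD DS secure LDAP (openssl >= 1.1.1)
#   lock_down_ldaps  - NSG rule limiting inbound 636/tcp to known source ranges (az CLI)
# Placeholders (assumptions): aaddscontoso.com, aadds-rg, aadds-nsg, Jamf Cloud egress CIDRs.
set -eu

# make_ldaps_cert DOMAIN OUTDIR   (reads the .pfx password from $PFXPASS)
# Writes key.pem, cert.pem and ldaps.pfx into OUTDIR. Azure AD DS requires the
# subject/SAN to be the wildcard *.DOMAIN (it serves LDAPS as ldaps.DOMAIN),
# key usage digitalSignature + keyEncipherment and EKU serverAuth.
make_ldaps_cert() {
  domain=$1; outdir=$2
  : "${PFXPASS:?set PFXPASS to the password that will protect the .pfx}"
  export PFXPASS
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
    -subj "/CN=*.$domain" \
    -addext "subjectAltName=DNS:*.$domain" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
  # The portal wants a PKCS#12 (.pfx) bundle that includes the private key.
  # The password comes from the environment so it does not show up in argv.
  openssl pkcs12 -export -inkey "$outdir/key.pem" -in "$outdir/cert.pem" \
    -name "ldaps.$domain" -out "$outdir/ldaps.pfx" -passout env:PFXPASS
  chmod 600 "$outdir/key.pem" "$outdir/ldaps.pfx"
}

# cert_has_san CERT_PEM DNSNAME: exit 0 if the certificate carries that SAN.
# Run it on cert.pem before uploading, and on the public cert you hand to Jamf Pro.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -Fq "DNS:$2"
}

# lock_down_ldaps RG NSG "cidr1,cidr2,..."
# Adds an inbound allow rule for 636/tcp from the listed sources only. The NSG
# already ends in DenyAllInbound, so anything not listed is dropped; review the
# printed rule list and delete any broader 636 rule with a lower priority number.
lock_down_ldaps() {
  rg=$1; nsg=$2; sources=$(printf '%s' "$3" | tr ',' ' ')
  # shellcheck disable=SC2086  # word-splitting $sources into several prefixes is intended
  az network nsg rule create \
    --resource-group "$rg" --nsg-name "$nsg" \
    --name AllowLDAPSFromJamfCloud --priority 401 \
    --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes $sources --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges 636 \
    --output none
  az network nsg rule list --resource-group "$rg" --nsg-name "$nsg" --output table
}

# Usage:  PFXPASS='...' sh ldaps-setup.sh cert aaddscontoso.com ./out
#         sh ldaps-setup.sh nsg aadds-rg aadds-nsg '203.0.113.10/32,203.0.113.11/32'
case "${1:-}" in
  cert) make_ldaps_cert "$2" "$3" ;;
  nsg)  lock_down_ldaps "$2" "$3" "$4" ;;
  *)    ;;   # no arguments: only define the functions
esac
```

cert.pem is the public half you later upload into the Jamf Pro LDAP server settings so Jamf trusts the self-signed endpoint; key.pem never leaves the machine that made it. OpenSSL 3 encrypts the .pfx with PBES2/AES by default; if the Azure portal refuses the upload, re-export with `openssl pkcs12 -export -legacy …` (OpenSSL 3 only) to get the older PBE the Windows export path produces.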
That’s it! Now you should be all set to integrate Azure LDAPS into Jamf Pro.

Jamf Pro Azure LDAP mappings:
The rest is straightforward: just add a manual LDAP server configuration in Jamf Pro and enter the correct mappings.
There are, however, a few things to keep in mind with Azure.
First of all you will need the external IP address of your Azure secure LDAP service (shown on the Secure LDAP tab once LDAPS is enabled); that is the server address for Jamf Pro, on port 636 with SSL enabled:
The rest is quite standard, just a matter of adding the SSL cert and the mappings. Below are the default mappings I found in my Azure tenant (check with any directory tool if needed).
NOTE: Just remember that for Azure, the ‘Distinguished Username’ is not the DN format (CN=…,DC=…) we are used to. Instead use the user principal name, i.e. the user@example.com format.
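Before typing the values into the Jamf Pro mapping screen it is worth checking the endpoint and the UPN-style bind from a terminal. The script below is an added example, not code from the original post; it uses the openssl and ldapsearch (OpenLDAP) clients that ship with macOS. It assumes an A record or /etc/hosts entry ldaps.aaddscontoso.com pointing at the secure LDAP external IP (ldapsearch verifies the certificate hostname, so the bare IP would fail against the wildcard cert), that ./cert.pem is the public half of the certificate uploaded to Azure, and that the bind account is an ordinary synced user written as a UPN. Domain, hostname and account names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an Azure AD DS LDAPS
# endpoint the way Jamf Pro will use it. Assumptions: ldaps.aaddscontoso.com
# resolves to the secure LDAP external IP, ./cert.pem is the public cert
# uploaded to Azure, and the bind identity is a UPN (user@domain).
set -eu

# base_dn_from_domain aaddscontoso.com  ->  DC=aaddscontoso,DC=com
# Azure AD DS places synced users under OU=AADDC Users below this root, so the
# domain root with a subtree search is a safe Jamf Pro search base.
base_dn_from_domain() {
  printf '%s\n' "$1" |
    awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# bind_identity_ok NAME: exit 0 when NAME is in user@domain form, 1 for anything
# that looks like a DN (contains '=') or has no domain part.
bind_identity_ok() {
  case "$1" in
    *=*)    return 1 ;;
    *@*.*)  return 0 ;;
    *)      return 1 ;;
  esac
}

# show_ldaps_cert HOST: print what the endpoint really presents. Subject, SAN
# and validity should match the certificate uploaded in the Secure LDAP blade.
show_ldaps_cert() {
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -text |
    grep -E 'Subject:|Issuer:|Not Before|Not After|DNS:'
}

# test_bind HOST DOMAIN UPN: simple bind over LDAPS as Jamf Pro will, then fetch
# the same user with the attributes the mapping screen uses. -W prompts for the
# password so it never lands in argv or shell history.
test_bind() {
  host=$1; domain=$2; upn=$3
  bind_identity_ok "$upn" || { echo "bind as user@domain, not as a DN" >&2; return 1; }
  LDAPTLS_CACERT=./cert.pem ldapsearch -LLL -o nettimeout=10 \
    -H "ldaps://$host:636" -D "$upn" -W \
    -b "$(base_dn_from_domain "$domain")" -s sub \
    "(userPrincipalName=$upn)" \
    userPrincipalName sAMAccountName mail memberOf
}

# Usage:  sh ldaps-check.sh cert ldaps.aaddscontoso.com
#         sh ldaps-check.sh bind ldaps.aaddscontoso.com aaddscontoso.com jamf-ldap@aaddscontoso.com
case "${1:-}" in
  cert) show_ldaps_cert "$2" ;;
  bind) test_bind "$2" "$3" "$4" ;;
  *)    ;;   # no arguments: only define the functions
esac
```

If `show_ldaps_cert` prints a different subject than you uploaded, the portal change has not been applied yet or you are hitting the wrong address; if the bind fails with a credential error while the same UPN and password work in the Azure portal, the user’s hash was never generated for the managed domain (see the password step above). The search result gives you the real attribute values to map in Jamf Pro rather than guessing them.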
That’s it! Azure LDAP integration in Jamf Pro done!
I’m not adding any screenshots of the tests in the Jamf Pro LDAP interface, just to shorten this post a little, but trust me… the above workflow and settings work!