Thanks for your very detailed response Bryant!
That makes perfect sense. I'll have a look into doing that + testing etc.
Cheers,
Nic
Hi @njh359, what was the response? It looks like the post by Bryant2S has disappeared.
I'm in a similar situation and interested in any tips.
Hey Deej,
Strange...
So unfortunately it's not super simple.
I ended up connecting up the Azure IdP, and then had to put together a few scripts leveraging the Jamf API:
1. To create local groups named after their AAD group counterparts.
2. To run a Jamf API call (https://XXXXX.jamfcloud.com/api/v1/cloud-idp/1001/test-user-membership) to test the logged-on user's membership of specific groups in AAD.
3. If the user was a member, I then added them to the relevant group.
As the group membership (in our scenario) can change, I used outset to run scripts 2/3 on login. So the entire AAD group wasn't actually passed into the local group, just the user.
But it works for us; we're using BeyondTrust PMC, so the Azure users/groups option wasn't an option for our Macs.
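The three steps above, put together as one login-time script. This is an added example written for this thread, not Nic's actual scripts. It assumes: the Jamf Pro API bearer token is obtained from `/api/v1/auth/token` with a dedicated API account whose credentials the launcher passes in the `JAMF_API_USER` / `JAMF_API_PASSWORD` environment variables (a hypothetical arrangement); the `test-user-membership` endpoint quoted above takes a JSON body of `{"username", "groupname"}` and answers `{"isMember": true|false}` (an assumption about its request and response shape, check it against your Jamf Pro version); local groups are managed with `dseditgroup`, so the script must run as root (for outset that means a privileged login directory); and the group names `mac-admins` / `mac-developers` are constructed. It goes one step beyond the post in that it also removes the user from a local group when AAD says they are no longer a member; the thread only describes adding.

```python
#!/usr/bin/env python3
# Added example (not from the thread): at login, test the console user's AAD group
# membership through the Jamf Pro cloud-idp API and mirror the answer into
# same-named local groups. Only the user is touched, never the whole AAD group.
import base64
import json
import os
import subprocess
import urllib.request

JAMF_URL = "https://XXXXX.jamfcloud.com"        # placeholder host, as written in the thread
CLOUD_IDP_ID = "1001"                           # cloud IdP id taken from the thread's URL
AAD_GROUPS = ["mac-admins", "mac-developers"]   # constructed sample group names


def console_user():
    """Return the user who currently owns the console, i.e. the logged-in user."""
    return subprocess.check_output(["stat", "-f", "%Su", "/dev/console"], text=True).strip()


def bearer_token(base_url, api_user, api_password):
    """Exchange Basic credentials for a Jamf Pro API bearer token (POST /api/v1/auth/token)."""
    creds = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/api/v1/auth/token", method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["token"]


def membership_request_body(username, groupname):
    """Body for POST /api/v1/cloud-idp/{id}/test-user-membership.
    Assumption: the endpoint takes {"username", "groupname"}."""
    return json.dumps({"username": username, "groupname": groupname}).encode()


def parse_membership(body_text):
    """Assumption: the endpoint answers {"isMember": bool}. Anything but an explicit
    true (missing key, wrong type) is treated as 'not a member' so the script fails closed."""
    return json.loads(body_text).get("isMember") is True


def is_aad_member(base_url, token, idp_id, username, groupname):
    """Ask Jamf (which asks AAD) whether username is in groupname. Raises on HTTP errors."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/cloud-idp/{idp_id}/test-user-membership",
        data=membership_request_body(username, groupname), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_membership(resp.read().decode())


# --- local group side (macOS dseditgroup; needs root) ---
def ensure_local_group(name):
    """Create a local group named after the AAD group if it does not exist yet."""
    if subprocess.run(["dseditgroup", "-o", "read", name], capture_output=True).returncode != 0:
        subprocess.run(["dseditgroup", "-o", "create", "-r", name, name], check=True)


def is_local_member(user, group):
    """dseditgroup checkmember exits 0 when user is a member of group."""
    return subprocess.run(["dseditgroup", "-o", "checkmember", "-m", user, group],
                          capture_output=True).returncode == 0


def set_local_membership(user, group, member):
    """Add (-a) or remove (-d) the single user from the local group."""
    flag = "-a" if member else "-d"
    subprocess.run(["dseditgroup", "-o", "edit", flag, user, "-t", "user", group], check=True)


def sync_groups(user, groups, aad_member, local_member, set_member, ensure_group):
    """Mirror AAD membership for one user into same-named local groups.
    Collaborators are injected so the decision logic can be tested without Jamf or dseditgroup.
    Returns which groups the user was added to and removed from."""
    changes = {"added": [], "removed": []}
    for group in groups:
        ensure_group(group)                      # step 1: local group exists
        in_aad = aad_member(user, group)         # step 2: ask Jamf / AAD
        in_local = local_member(user, group)
        if in_aad and not in_local:              # step 3: add just this user
            set_member(user, group, True)
            changes["added"].append(group)
        elif in_local and not in_aad:            # extension: drop them again if AAD says so
            set_member(user, group, False)
            changes["removed"].append(group)
    return changes


def main():
    user = console_user()
    token = bearer_token(JAMF_URL, os.environ["JAMF_API_USER"], os.environ["JAMF_API_PASSWORD"])
    changes = sync_groups(
        user, AAD_GROUPS,
        lambda u, g: is_aad_member(JAMF_URL, token, CLOUD_IDP_ID, u, g),
        is_local_member, set_local_membership, ensure_local_group)
    print(json.dumps({"user": user, **changes}))


if __name__ == "__main__":
    main()
```

Two points worth keeping in mind with this approach. The API credential ends up on every Mac that runs the script, so give it a dedicated API account (or API client) with nothing beyond the privilege the cloud-idp test call needs, and rotate it like any other shared secret. And because `is_aad_member` raises on any HTTP or network error instead of returning `False`, a Jamf outage aborts the run rather than silently stripping the user out of a group; the user keeps whatever local membership they already had until the next successful login.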