Skip to main content

hey guys… having trouble scoping a self service policy to a specific Azure directory group.

 

I deployed the policy to all comptuers and all users, but limited the scope to our our Operations team group in Azure.

 

This obviously requires user to login to self service to see the policy, but logging into self service fails when using directory creds.  Directory user lookups are successful in the Cloud Identity Provider settings so I know Jamf can see the users, and we have self service set to allow users to login using directory creds. 

 

Anyone got any thoughts as to what I”m doing wrong

Are you federated to Okta or some other IDP?

https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Azure_AD_Integration.html#:~:text=When%20Azure%20AD,On%20(SSO) 

https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Azure_AD_Integration.html#:~:text=When%20Azure%20AD,On%20(SSO) 


thanks for the link.. that may explain it.  We really didn't want to enable SSO on self service just so users can install an app, but looks like that's our only option.

thanks for the link.. that may explain it.  We really didn't want to enable SSO on self service just so users can install an app, but looks like that's our only option.


If using Azure CID and MFA then yes.  Its your only option.

I think API/SelfService/Enrollment Portal authentication has to be LDAP or Local JAMF accounts, it does not support AAD or other IDP based authentication. 

I think API/SelfService/Enrollment Portal authentication has to be LDAP or Local JAMF accounts, it does not support AAD or other IDP based authentication. 


It does support Cloud IdP without SSO, that is how we use it. The user's get the regular Self Service login, not an SSO login. We use that to scope Self Service policies to specific Azure AD groups, using Limitations. 

So, I need to create a Cloud IdP group without SSO?

Reply


Terms & ConditionsCookie settings