
Hi all,

We have set up Jamf Pro SSO and Cloud IdP to Entra ID.

We then tried to use the Entra ID groups for the targeting of applications/configuration profiles, but they wouldn't scope correctly.

I logged a ticket with Jamf Support and their theory was that because we map UserPrincipalName (i.e. the full email address), this doesn't match the username on the local account, because that doesn't support the @ symbol. Their suggestion is to drop anything after the @ symbol in the mapping, but it's not that simple, as we use the full UPN for other configurations in Jamf.

So I guess my question is: does anyone else have an IdP set up with Jamf, do you sync the full UPN, and are you able to target users via Entra ID groups?

TIA.

This is what we're using as the short name mappings to Jamf. UPN is what is being used for our logins on macOS:

E.g.:
UPN=cwright1@domain.com
OnPremiseSamAccountName=cwright1

Of course, we have on-premises AD, so that works. If you're 100% native Entra ID, that would likely just be SamAccountName or something similar.
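As an added example (not from the thread, and not Jamf's own tooling), the shell check below makes the mismatch the thread describes visible on a Mac: it assumes Jamf compares the mapped username attribute against the local account's short name, and that macOS record names never contain an "@". On a real Mac it reads the account list from dscl; elsewhere it falls back to the constructed SAMPLE_LOCAL_USERS list, which is not data from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a username attribute, as
# Jamf would receive it from Entra ID, can ever match a macOS local account.
# Assumptions: macOS record names never contain "@", and Jamf matches the
# mapped username attribute against the local account short name.

# Constructed sample of local account short names, standing in for the
# output of "dscl . -list /Users" on a real Mac.
SAMPLE_LOCAL_USERS='root
admin
cwright1'

# Derive the short-name form of an IdP username attribute by stripping any
# "@domain" suffix, i.e. turn a UPN into what OnPremiseSamAccountName or
# mailNickname would have carried. Values without "@" pass through unchanged.
idp_to_short_name() {
    printf '%s' "$1" | cut -d'@' -f1
}

# Return 0 if the attribute value, unchanged, equals a local account short
# name in the newline-separated list $2; return 1 otherwise. A value that
# still carries "@" is rejected outright, which is the failure the thread hit.
attribute_matches_local_user() {
    attr=$1
    local_users=$2
    case $attr in
        *@*) return 1 ;;
    esac
    printf '%s\n' "$local_users" | grep -qxF -- "$attr"
}

# Real local account list when run on a Mac, the constructed sample otherwise.
local_users_list() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users
    else
        printf '%s\n' "$SAMPLE_LOCAL_USERS"
    fi
}

# Usage: report, for each candidate mapping value, whether it would match.
for value in 'cwright1@domain.com' 'cwright1'; do
    if attribute_matches_local_user "$value" "$(local_users_list)"; then
        echo "OK    $value matches a local account"
    else
        echo "FAIL  $value does not match; short-name form would be $(idp_to_short_name "$value")"
    fi
done
```

Run it on a managed Mac as any user (dscl . -list /Users needs no elevation); the FAIL line for the UPN and the OK line for the bare short name are the two outcomes the thread compares.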


My suggestion is to search for a user (yourself, for example) in the Azure AD portal and find where they have the attribute you're looking for, and match to it. FWIW, in my case, the on-prem SAM name was actually

extension_xxxxxxxxxxxxxx_sAMAccountName

(I removed the actual value, but you get the idea.) I didn't actually get that value through trial and error; I ended up having to ask our Entra team what the actual value was, so you may save time and just go to whoever handles that in your org.


Thanks both for your responses. I quickly changed my mapping to mailNickname, as this is what we use in Entra ID, and after doing a device check-in it deployed the configuration profile.

I then reverted the change, as I'm not sure what the impact is...

Does this mapping only impact Entra ID targeting? I.e. it doesn't change anything else on the device or break anything?


It could impact anything that you have created using a limitation. How is the scoping created? Did you create a policy or profile, target the scope to All devices (computer/mobile/whatever), and then use the Limitations tab to limit who actually gets it?

Or did you try to target the group directly? It should be done the limitations way, and if you were doing direct targeting that could be why it was failing. How is your environment set up? Is it 100% Entra? Do you have a hybrid configuration where you also have on-prem AD? Are you using Jamf Connect or Kerberos SSO (the old-school way was "Enterprise Connect")? If you're hybrid and can read on-prem, that makes life easier.


This is the answer. Plain and simple, it only affects scoping based on user targeting. Nothing more.