Skip to main content

Hi,

In the olden days I would use dsconfigAD -groups to allow specific AD group members to log in as admins (e.g. Music Lab Staff are Admins on the Music Lab Macs) this would run as a policy on all Macs in the Music group. There doesn't seem to be a way to do this neatly with Jamf Connect & Okta, the Admin Group grants those users Admin on all Macs.

What is the best way to achieve this using Jamf Connect with Okta?

My current thinking is that the Domain Admins group remains we create additional Groups in Okta (e.g. Music Admins) with their own Admin Client ID and a separate Jamf Connect Login Config Profile for each Smart Group e.g. Jamf Connect Login Music profile allows members of Domain Admins and Music Admins to log in with admin privs but members of Computer Science Admins can log in but get a standard account.

Am I overthinking this, is there an easier way?

 

MacOS has no way to see the Okta groups, so you cannot have macOS behave in a specific way based on user group membership. However, JAMF Connect can create an account as an admin account based on what Okta tells JAMF connect to do. You could have two Okta Apps setup for JAMF connect, one of which grants local admin access if the user is a member of a specific group.

 

If your JAMF instance is setup to see your LDAP instance, you could set a policy to run targeting users with a specific AD group. I have noticed that using policy and configuration profile limitations to be flaky at best and are best used with selfservice rather than trying to be automatic. 

I map the ad department field to a Jamf user Department eg. Staff or Student. Then create a policy to trigger at login, granting admin using the files and processes payload.

As AJPinto said, there's issues calculating ldap groups when used to limit a policies scope (in the known issues).

Reply


Terms & ConditionsCookie settings