+4Does anyone know a way to exclude Jamf Connect from MFA in Azure Conditional Access?
I have created a web redirect URI to make Azure see the app registration in conditional access but when I add this as an exclusion users are still asked for MFA.
Thanks!
+4We want to try treating the connector IP address range as a trusted location, but have not been able to find the range that Jamf connector is using. I can see individual Jamf connection IP addresses in the Azure sign-in logs, but it would be nice to have the CIDR address
+4@nick-at-artsed Jamf support couldn't give me the IP addresses that the connector is using for Azure, but after going through the Azure failed sign-in logs, I put all of the IP addresses that were labeled as Jamf Azure AD Connector into a named location in Azure AD and and marked them as trusted. I then exempted that named location from our conditional access policy. So far, so good.
I'm not sure what range of IPs the Jamf connector is using, so I may have to keep adding to the named location. We'll see how it goes.
+8@nick-at-artsed Jamf support couldn't give me the IP addresses that the connector is using for Azure, but after going through the Azure failed sign-in logs, I put all of the IP addresses that were labeled as Jamf Azure AD Connector into a named location in Azure AD and and marked them as trusted. I then exempted that named location from our conditional access policy. So far, so good.
I'm not sure what range of IPs the Jamf connector is using, so I may have to keep adding to the named location. We'll see how it goes.
@jaellington any chance you'd be willing to share the list you've come up with? 🙂
+4@jaellington any chance you'd be willing to share the list you've come up with? 🙂
@raymondap so far:
54.208.14.206/32 | |
54.208.84.215/32 |
+4This eventually worked for us without the need for whitelisting IP's we just have a policy that applies to a group of users / all cloud apps / Jamf Connect excluded / require MFA
+4@jameschuong Apologies for the delay in replying. Hopefully you already have your answer, but if not:
You can create an IP range location in Azure AD by going to Security - Named Locations. Then you can click on '+ IP ranges location', give it a name (something like Jamf Pro Connector), and add the IP addresses. Then go back to your CA policy and click on Conditions. Then in the Locations tab, add your new Named Location to the Exclude list.
We did this about 8 months ago, and have had no issues with it so far.
Just found the list of IP address that JAMF is using. It doesn't match any of the IPs mentioned above, but it does include the ones that I'm seeing currently in sign in logs. Also, for anyone wanting to know how to whitelist IP addresses for conditional access policies, you need to create a named location. Just go to Security > Named Locations once you are in active directory. You will then add the named location as an exclusion under the Grants of the conditional access policy that is requiring MFA
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
