You can either deny or allow that feature but there is no real benefit except that it will prompt you to sync passwords when logging in, if the Network and Local password do not match. 

For us its 1st time login with IDP credentials and not having to jump through a bunch of hoops to make sure users account names match what we want them to match. Also less touch is better, a user just logging in with the same creds they log in to windows with is either on the helpdesk. 

Now if only JAMF Connect could just IDP creds all the time, and not use local creds at all unless its offline that would be nice. Needing to log in with an old password to sync a new password is not a good experience if a user forgets their password.

Thank you both for your replies. These are the aspects I was starting to settle on. I just need a solid answer for the inevitable question: "Why do I have to log in twice now?" :) 

I believe you can setup FDEAutoLogin so that your users only see the Filevault screen but that is pointless because it skips the Jamf Connect login window. 

I agree that the password sync process is not a good experience for users. The local and network passwords just add complexity and our users are less than technical so we get helpdesk tickets about it constantly. 

This is how I usually explain it to people. 

AppleID's will SSO all Apple Services. Okta of course does not use AppleID's and Apple does not use Okta credentials (probably AAD as the source of truth). Your mac users have a leg in two different worlds, and need to authenticate each world individually until the two worlds decide to work together. JAMF Connect is trying to form a bridge, but each of those worlds still need to be authenticated by the user for JAMF Connect to bridge (sync) them.

---