We have successfully setup Jamf Connect menu bar icon to allow privilege elevation for just our technicians by using Roles with our OIDC provider Entra. The reason for this is that we don’t want standard users to be able to request or be full admins. There are times though when an admin needs to do something with admin rights under a users profile. With our solution the idea was that a technician could be on site or remote in and use the privilege elevation feature and sign in with their own credentials to make the standard user a temporary admin. Do what they need to do and end the session.
However, this is where we run into issues. First, Jamf Connect stores an Entra token for the session. If you select the privilege elevation option again it will skip the pop up Entra sign in screen and move straight to the reason for elevation and make you admin. This token we know last for quite a while. We can see the three tokens in keychain and remove them and the Entra sign in screen will properly show and require log in again.
The second cause of concern is the keychain session token will also allow the user to go to office.com and the technician be shown as signed in. (in the case of the user never having signed in to office).
We obviously can’t have this happen this way. Has anybody done something similar and managed to find a way to keep Jamf or Microsoft from storing the token?
Just as a side note we did try a conditional access policy for the Jamf application in Entra but since it’s external we can’t enforce the sign in frequency.
JAMF Connect Privilege Escalation for Tech Group only
+6Hi
This is a known behavior with Jamf Connect's privilege elevation when VerifyUserPromotion is enabled with Microsoft Entra ID. The OIDC tokens cached in the user's keychain persist after the elevation session ends, causing two issues: (1) subsequent elevation requests skip authentication, and (2) the technician's Entra session leaks to office.com.
Here are a few approaches to address this:
1. Use VerifyUserPromotionFIDO2 instead of VerifyUserPromotion
This setting forces authentication through a browser window and supports WebAuthn/FIDO2 keys. Because it uses a browser-based flow, the token handling is different and may reduce the cached token problem. It takes priority over VerifyUserPromotion.
<key>VerifyUserPromotionFIDO2</key>
<true/>Note: Your Jamf Connect OIDC app registration in Entra ID must use the redirect URI jamfconnect://loggedin.
2. Create a cleanup script to remove Entra tokens from keychain after demotion
You can use Jamf Pro to deploy a script (via policy or Jamf Connect's built-in script scheduling) that removes the cached OIDC tokens from the user's keychain when the elevation session ends. The three keychain items you identified can be removed programmatically:
#!/bin/zsh
# Remove Jamf Connect OIDC/Entra cached tokens from user keychain
currentUser=$(stat -f%Su /dev/console)
# Remove Microsoft Entra OIDC tokens stored by Jamf Connect
security delete-generic-password -l "com.jamf.connect.login" /Users/$currentUser/Library/Keychains/login.keychain-db 2>/dev/null
security delete-generic-password -l "com.jamf.connect" /Users/$currentUser/Library/Keychains/login.keychain-db 2>/dev/null
# You may also need to target specific Entra/Microsoft token entries
# List keychain items first to identify exact labels:
# security dump-keychain /Users/$currentUser/Library/Keychains/login.keychain-db | grep -i "jamf\|entra\|microsoft\|OIDC"You'll need to inspect the actual keychain item labels on a test machine (since you mentioned you can already see the three tokens) and adjust the security delete-generic-password commands accordingly.
3. Trigger cleanup automatically with Jamf Pro Policy
Since jamfconnect://demote can be called via URL scheme, you could combine the demotion and cleanup into a Jamf Pro policy:
#!/bin/zsh
# Demote the user
open jamfconnect://demote
# Wait for demotion to complete
sleep 5
# Clean up cached Entra tokens
currentUser=$(stat -f%Su /dev/console)
# [Insert your keychain cleanup commands here based on the token labels you identified]
4. Entra ID Token Lifetime Policies
While you mentioned Conditional Access didn't work because Jamf Connect is external, consider configuring Token Lifetime Policies in Entra ID specifically for the Jamf Connect app registration. You can set shorter access token lifetimes and restrict refresh token behavior. This won't prevent caching entirely, but reduces the window of exposure.
5. Consider filing a Feature Request with Jamf
The core issue — that Jamf Connect caches the OIDC token and doesn't clear it after the elevation session ends — is arguably a product gap. I'd recommend submitting a feature request via Jamf Ideas requesting that Jamf Connect automatically purge cached Entra tokens upon demotion, especially when a technician authenticates on behalf of a user.
References:
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.