Skip to main content

Hi everyone,

We're looking to harden our Jamf Pro environment and have a few questions before we proceed. Right now we have SSO turned on and pointing towards our IdP and it works fine. However in the Options section of Single Sign-On we have the following:

  • Allow users to bypass the Single Sign-On authentication TICKED
    I'm looking to turn this off, my question is will our break glass non-directory user account work still at the Failover URL we have generated?

  • Enable Single Sign-On for Self Service for macOS TICKED
    Leave this as-is

  • Enable Single Sign-On for User Authentication during Enrollment UNTICKED
    I'm looking to turn this on - will this redirect users to our IdP login page when they enrol a Zero Touch device?

  • Enable Single Sign-On for Account-Driven Enrollment UNTICKED
    Also looking to turn this on, but it sounds a lot like the option above so my question is what is the difference?

Once we have made the above changes, there's one more thing I'm looking to change if possible - in Enrollment customization we have one configured for our IdP, I'm wondering if we enable the last 2 options in Single Sign-On can we remove this?

 

Thanks in advance for any responses!

  • Allow users to bypass the Single Sign-On authentication - Disable this, it is a bypass to SSO. You would still need a local account in JAMF to take advantage of this bypass.
  • Enable Single Sign-On for Self Service for macOS - This just impacts SS, use as you wish. It's broken in our environment... So, I have it disabled, apparently some known product issue.
  • Enable Single Sign-On for User Authentication during Enrollment - a good idea to enable this one to allow users to use IDP credentials to enroll devices.
  • Enable Single Sign-On for Account-Driven Enrollment - Really only matters for BYOD, if you use this workflow its a good idea to enable

 

Your question: Each of these check boxes are for different things and are not related to each other. If you use the function, you want the box checked.

  • Allow users to bypass the Single Sign-On authentication - Disable this, it is a bypass to SSO. You would still need a local account in JAMF to take advantage of this bypass.
  • Enable Single Sign-On for Self Service for macOS - This just impacts SS, use as you wish. It's broken in our environment... So, I have it disabled, apparently some known product issue.
  • Enable Single Sign-On for User Authentication during Enrollment - a good idea to enable this one to allow users to use IDP credentials to enroll devices.
  • Enable Single Sign-On for Account-Driven Enrollment - Really only matters for BYOD, if you use this workflow its a good idea to enable

 

Your question: Each of these check boxes are for different things and are not related to each other. If you use the function, you want the box checked.


Thanks @AJPinto - some good advice there. I am definitly looking to turn off the bypass option as a priority.

Terms & ConditionsCookie settingsAccessibility statement