Our students are cheating on test using the Keyboard setting “Show math results”. I created a ticket with Jamf but they told me the only way to fix this is to use Blueprints but we are not set up with SSO. Is there another way of fixing this issue. Some very important state test are coming and our students are spreading the word on how to cheat.
Question
Students using Show Math Results to cheat on Math test.
+6Jamf Support is correct — Blueprints is currently the only way to restrict the "Show Math Results" keyboard feature via MDM. This is because Apple implemented this control as a Declarative Management declaration (MathSettings), not a traditional Configuration Profile restriction, so there's no payload you can push through a standard configuration profile.
The good news: You don't need a full external SSO/IdP setup to access Blueprints. Jamf offers Jamf ID as a built-in SSO option — no external identity provider (Entra ID, Okta, etc.) required. You just need to enable OIDC authentication in Jamf Pro through Jamf Account.
Here's what to do:
- Log in to Jamf Account and ensure your organization is set up
- In Jamf Pro, go to Settings > System > Single sign-on and enable OIDC authentication using Jamf Account
- Sign in to Jamf Pro with your Jamf ID
- Navigate to Blueprints and create a new blueprint using the Math Settings component to disable math calculation features
- Scope the blueprint to your student device groups
You can deploy and remove the blueprint dynamically — enable math features during lessons and disable them before tests.
References:
+15Greetings h1431532403240,
We have a similar situation and have not yet updated to SSO for Jamf. The complication here is that we are already integrated with our Okta IdP for access to our Jamf cloud instance using SAML. But, we do not want everyone (field support staff and departmental support units) to have access to the Jamf account in general, just the current access that they have within the Jamf cloud instance. Our local Identity and Access Management group is overloaded right now, and can’t assist us with this change. Is it possible to have both, Okta SAML for access to the Jamf cloud instance to manage endpoints, and OIDC for the Jamf Account only for the Jamf Administrators (2 of us).
+6Hi
Yes, you can absolutely have both running simultaneously. This is actually Jamf's recommended configuration for organizations already using SAML.
In Jamf Pro's Single Sign-On settings, there's a specific option: "Use SAML authentication for end users (using IdP settings from Jamf Pro)" — this lets you keep Okta SAML for your field support staff and end users while enabling OIDC through Jamf Account for administrators only.
Here's what makes this even easier for your situation: since only 2 of you need Blueprints access, you can use Jamf IDinstead of configuring Okta as an OIDC provider. This means your IAM team doesn't need to be involved at all.
Steps:
- Ensure both admins have a Jamf ID at account.jamf.com (create one if needed)
- In Jamf Pro, verify that each admin's Jamf Pro user account has a username/email matching their Jamf ID
- Go to Settings > System > Single sign-on, enable OIDC authentication, and select "Use SAML authentication for end users" to keep Okta SAML intact for everyone else
- The 2 admins can now log in with Jamf ID to access Blueprints, while all other users continue using Okta SAML exactly as before
Your field support staff and departmental support units will not gain access to Jamf Account — they'll continue authenticating through Okta SAML with the same permissions they have today.
References:
+15Cool, thank you very much. We have been very nervous about even touching this stuff while our IAM folks are unavailable.
+15I’m about to light the fuse on this. I have “Use SAML authentication for end users (using IdP settings from Jamf Pro)” turned on as directed. Do I leave “Allow authentication with Jamf ID” on? Thank you very much for your assistance. I’m probably being overcautious here, but that’s basically me on an average day anyway… 🤓
+6Hi
Yes, keep "Allow authentication with Jamf ID" on. Since you're using Jamf ID (not an external OIDC IdP) to log in, that's exactly what authenticates you and your fellow admin for Blueprints access. Turning it off would lock you out of the OIDC login.
Being overcautious with SSO changes is absolutely the right call — make sure you've saved your Failover Login URLbefore proceeding, just in case you need to get back in with local Jamf Pro credentials.
Reference: SSO with OIDC Through Jamf Account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.