I am in the middle of deploying a centralized Jamf Pro instance for a large disparate organization. We're talking 5 business units with multiple sub-organizations, ultimately leading to well over 150 different Active Directory forests with no trust between them. So, 150+ separate LDAP directories.



We currently have an Okta integration that is being "fed" by these 150+ ADs, and while the Okta implementation is not the identity authority, it has every end user in it.



We are standing up our infrastructure for the Jamf Pro instance in AWS. We have no connection back to our corporate networks (which do not necessarily have communication with each other), and there is no plan to do so or to implement a VPN of any sort in AWS. So basically, AWS is its own island.



Rather than stand up 150+ instances of Jamf Integration Manager, I was hoping we could utilize our Okta integration to handle LDAP queries for the types of information we need in Jamf Pro. So Okta would become our LDAP source for all of the normal things we'd query: policy limitations, computer object information, etc.



Has anyone done something like this with Okta (or another identity provider), or is it even possible?

@stevewood I use Okta LDAP to scope policies in my Jamf environment. It will not scope to the AD groups the Okta accounts sync up. What I had to do is set up Okta groups that build based on AD group membership because Jamf can see those. Once I did that it worked like a charm.



Hi @gragnarok , I'm trying to figure out how to scope policies based on Okta groups and noticed your comment. How were you able to achieve this? Was it via an Extension attribute or did you use "limitations" in the policy scope? Any help would be greatly appreciated, thanks in advance!


Hey @mardini, we utilized "limitations" in the policy scope with the LDAP groups. I will say we have since moved away from using the LDAP groups to another method. We do a lot of our scoping via "Department" which is also fed off of the LDAP integration and we have a series of smart groups that populate based on the value of that field. Let me know if you have any other questions I can help with!
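Both replies above scope on what Jamf Pro can read through the Okta LDAP Interface: either an Okta group (used as a policy limitation) or the Department attribute (used by smart groups). Before building limitations or smart groups it is worth confirming those values actually come back from Okta for a test user. The script below is an added example and is not code from the thread or from Jamf or Okta. It assumes the documented Okta LDAP Interface layout (host `<org>.ldap.okta.com:636`, base `dc=<org>,dc=okta,dc=com`, users under `ou=users`, group membership exposed as `memberOf` on the user entry); the org name `example`, the bind user `ldap.svc`, the user `jdoe@example.com` and the group names are placeholders, and the LDIF sample is constructed, not captured from a real tenant.

```shell
#!/bin/sh
# Added example: check what Jamf Pro will see for a user via the Okta LDAP
# Interface. Okta LDAP Interface conventions below are assumptions; confirm
# them in your Okta admin console.
OKTA_ORG="${OKTA_ORG:-example}"                          # hypothetical org name
BIND_DN="uid=ldap.svc,dc=${OKTA_ORG},dc=okta,dc=com"     # hypothetical service account
USER_BASE="ou=users,dc=${OKTA_ORG},dc=okta,dc=com"

# Live query (needs network and the bind password; not invoked below).
# Only attributes returned here can be mapped in Jamf's LDAP server settings,
# so request exactly the ones you intend to scope on.
okta_user_ldif() {
  ldapsearch -LLL -H "ldaps://${OKTA_ORG}.ldap.okta.com:636" \
    -D "$BIND_DN" -W \
    -b "$USER_BASE" "(uid=$1)" uid department memberOf
}

# Print the CN of every memberOf group in the LDIF on stdin.
# These CNs are what you type into a policy's "Limitations" as LDAP groups.
ldif_groups() {
  awk -F': ' '$1 == "memberOf" { sub(/^cn=/, "", $2); sub(/,.*$/, "", $2); print $2 }'
}

# Print the value of a single attribute (e.g. department) from LDIF on stdin.
# This is the value a smart group would match on after Jamf maps it.
ldif_attr() {
  awk -F': ' -v a="$1" '$1 == a { print $2 }'
}

# Constructed sample of what okta_user_ldif would return (not real data).
SAMPLE_LDIF='dn: uid=jdoe@example.com,ou=users,dc=example,dc=okta,dc=com
uid: jdoe@example.com
department: Engineering
memberOf: cn=AD-Eng-Macs,ou=groups,dc=example,dc=okta,dc=com
memberOf: cn=Everyone,ou=groups,dc=example,dc=okta,dc=com
'

# Stand-alone demonstration against the constructed sample.
printf '%s' "$SAMPLE_LDIF" | ldif_groups
printf '%s' "$SAMPLE_LDIF" | ldif_attr department
```

Run the live query as `okta_user_ldif jdoe@example.com | ldif_groups` once the bind credentials are in place. If a group you expect is missing from `memberOf`, Jamf cannot use it as a limitation either; that is the situation the first reply describes, and the fix is an Okta group populated from the AD membership rather than the AD group itself. Group CNs containing escaped commas are not handled by the simple `awk` split above.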

