04-22-2022 02:19 PM - edited 04-22-2022 05:36 PM
Jamf Connect has been working in our environment for a few weeks, but we've run into some issues with MFA with security keys.
On a computer undergoing prestage enrollment, an SSO window appears prior to configuration. MFA works without issue. After prestage completes, the SSO window appears again. At this point, it should be creating the local account, and connecting to AzureAD. However, if the account is authorized to use a FIDO2 security key, the MFA page will hang.
Following this guide, I was able to get MFA working successfully for most logins without issue, even with security key authentication available, except when logging into the computer. For all other logins, I don't run into any errors on MFA unless I actively choose Windows Hello/Security Key.
Posted on 05-02-2022 10:03 AM
After working with support, this is the answer I was given. Sharing for posterity.
Unfortunately, neither Jamf Connect nor the Enrollment Customization feature supports FIDO2 MFA. This is because macOS does not support FIDO2 in WKWebView (aka WebKit), which is what Jamf Connect and Jamf Pro use for SSO authentication through Jamf Connect Login and Enrollment Customization SSO panes, respectively.
It was also suggested I create a policy in AzureAD to exclude Jamf Connect from FIDO2 MFA.
3 weeks ago
Thanks for this. You have saved me further headache. I have been trying to figure out how to get the YubiKey, which is also a FIDO2 device, to work with Jamf Connect with no luck. Nice to know it is not supported. I guess the best thing I can try to do is see if I can exclude Mac users in our Azure tenant from needing to use MFA, period, since Jamf Connect is using FIDO2.