Can you still log in to a Mac that uses Jamf Connect if it's offline?

tom_s
New Contributor II

I haven't been able to find a definitive answer to this as I research Jamf Connect for our environment (although I suspect the answer is "no"), so I thought I'd double-check here.

When you have Jamf Connect Login deployed and enabled, are you still able to log in to a Mac when that device is offline? Or is there no credential caching of any sort, and you must be Internet-connected for each login, no exceptions?

Let's assume that a) this is not the first time that this user is logging in, and that b) this is a primary user for the computer (if this matters). We are using OneLogin as our IdP.

Also, can the user enroll/continue to use Touch ID with Jamf Connect Login (assuming all regular Touch ID requirements, i.e. no Touch ID after reboot, length of time since last authentication, etc.)?

Lastly, I'm assuming that if we decide to use Jamf Connect Login ONLY for onboarding (with Internet connectivity), and afterwards transition to using ONLY Jamf Verify for the password sync component, then the answer to my question becomes a definite "yes" - but please let me know if otherwise.

Thanks in advance!
Tom

1 ACCEPTED SOLUTION

kendalljjohnson
Contributor II

Hey Tom,

We just deployed Jamf Connect Login & Verify with OneLogin as our IDP. Jamf Connect Login creates a local login account as if it was being created within macOS, just using your IDP credentials for that account creation process. So yes, the account is fully "cached" since it is created as a standard local account.

There are 2 key-value pairs you could use to control the experience you want with Jamf Connect Login: DenyLocal and OIDCDefaultLocal. DenyLocal set to false would allow a local login, therefore allowing an offline login. With OIDCDefaultLocal set you can configure it to default to the local login, rather than your IDP login screen. So if a new user is needing to login that does not already locally exist, they could hit cancel from the local login screen to jump back to the IDP login screen. Keep in mind the local login screen would have a slightly different look than the default macOS login screen, but would provide the same functionality.

TouchID is fully usable and available, the lock screen remains as the standard macOS experience. And yes, your idea of pulling Jamf Connect Login after rollout would work as well assuming new users are not needing to be created afterwards.

Hope that helps!

Kendall

tom_s
New Contributor II

Oh wow, that was super-fast and VERY helpful - thanks so much Kendall!

Having looked at that Configuring Jamf Connect doc you linked to, it would appear using DenyLocal set to False, along with LocalFallback set to True, should provide us with the desired login workflow.

And speaking of desired workflow, and your experiences with implementing this in your environment, can you comment re: the double-login issue? If I understand it correctly, as long as your given configuration has the user authenticate via the IdP login screen, that user will need to enter their password again at the local login prompt, correct? I'm assuming OneLogin hasn't found an ability to pass the IdP password for local login transparently (I'm guessing due to macOS limitations)?

So assuming the above is true, the way to avoid the double-login issue would be to use the settings you suggested (set DenyLocal to False and set OIDCDefaultLocal to True), in which case the IdP login screen would be bypassed entirely. And if a OneLogin user that doesn't already have a local account wanted to log in (say, me, as a company admin), one could just cancel at the local login screen and then log in with OneLogin credentials. Does that sound about right?

kendalljjohnson
Contributor II

Exactly. The password confirmation only appears after an IDP login; a local login only requires username/password once.
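The thread settles on three Jamf Connect Login keys (DenyLocal, OIDCDefaultLocal, LocalFallback) and describes the login flow each combination produces. The script below is an added example, not code from the thread or from Jamf: it builds a property list for the login window preference domain and then lints it against the rules stated above (DenyLocal=false permits offline login, OIDCDefaultLocal=true shows the local window first, and the password is confirmed a second time only on the IdP path). The preference domain name `com.jamf.connect.login` and the `OIDCProvider` key are taken from the Jamf Connect Login documentation rather than from the thread, and the linter treats a missing key as false, which is an assumption of this example and not a statement of the product's real defaults.

```python
import plistlib

# Preference domain of the Jamf Connect Login window.
# Assumption: taken from the Jamf Connect Login docs, not stated in the thread.
LOGIN_DOMAIN = "com.jamf.connect.login"


def build_login_prefs(deny_local: bool, oidc_default_local: bool,
                      local_fallback: bool, idp: str = "OneLogin") -> bytes:
    """Return an XML property list (bytes) for the Jamf Connect Login domain.

    Only the three keys discussed in the thread are set, plus OIDCProvider,
    which is assumed here to be the key naming the IdP (OneLogin in the thread).
    """
    prefs = {
        "OIDCProvider": idp,                      # assumption, see lead-in
        "DenyLocal": deny_local,                  # true: local (offline) auth refused
        "OIDCDefaultLocal": oidc_default_local,   # true: local window shown first
        "LocalFallback": local_fallback,          # true: local auth when IdP unreachable
    }
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML)


def evaluate_login_flow(plist_bytes: bytes) -> dict:
    """Parse the plist and describe the login experience it produces.

    Rules encode what the thread states. A missing key is treated as false
    here; that is a simplification of this linter, check the Jamf docs for
    the product's actual defaults.
    """
    prefs = plistlib.loads(plist_bytes)
    deny_local = bool(prefs.get("DenyLocal", False))
    default_local = bool(prefs.get("OIDCDefaultLocal", False))
    fallback = bool(prefs.get("LocalFallback", False))

    warnings = []
    if deny_local:
        warnings.append("DenyLocal=true: existing users cannot log in while offline")
    if deny_local and default_local:
        warnings.append("OIDCDefaultLocal=true has no effect when DenyLocal=true")
    if deny_local and fallback:
        warnings.append("LocalFallback=true cannot take effect when DenyLocal=true")

    return {
        "offline_login_possible": not deny_local,
        "first_screen": "local" if default_local else "idp",
        # A cached user who lands on the local window types the password once;
        # on the IdP path the password is confirmed again for the local account.
        "password_prompts_for_cached_user": 1 if default_local else 2,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Configuration the thread converges on: offline login allowed, local
    # window first, IdP reachable via Cancel for not-yet-created users.
    recommended = build_login_prefs(deny_local=False, oidc_default_local=True,
                                    local_fallback=True)
    print(recommended.decode())
    print(evaluate_login_flow(recommended))

    # Contradictory configuration: the linter flags all three problems.
    locked_down = build_login_prefs(deny_local=True, oidc_default_local=True,
                                    local_fallback=True)
    for w in evaluate_login_flow(locked_down)["warnings"]:
        print("warning:", w)
```

The plist bytes are what you would place in a configuration profile payload for the domain; running the linter before deploying the profile catches the one combination that silently breaks offline login for cached users (DenyLocal=true) regardless of how the other two keys are set.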