How to Implement Temporary Permissions in Jamf Connect with Azure Entra

david_edgar
New Contributor III

Background:

I got a bit frustrated the other day because, well, most folks have teams of people to configure these token settings, dig into the claims, and get everything working seamlessly. Meanwhile, I had NO IDEA what I was doing. As someone who manages desktop technicians, I work closely with them to handle the technical aspects of both macOS and Windows environments.

When I first dove into the Jamf Connect documentation on temporary elevation permissions, I’ll admit—I got a bit... annoyed. It didn't feel very easy for what seemed like a straightforward task.

So, if you’re in a similar boat, trying to configure these permissions with existing setups, this guide is for you. I’ve broken down the steps to make it a little less painful and help you get up and running without reinventing the wheel.

Assumptions

  1. Jamf Connect is already set up in your environment with your IDP configurations in place.
  2. You have a group set up in Azure Entra for users eligible for temporary elevation.
  3. You have permission to modify both the Jamf Connect application and Service Principal in Azure.

Jamf Connect Configuration Steps

  1. Open Jamf Connect Configuration Tool:

    • Use an existing Jamf Connect configuration profile or export the .plist from Jamf, if needed, and import it.
  2. Navigate to the "Connect" Menu:

    • Click the "Connect" button at the top and scroll down to the Temporary User Permissions section.
  3. Enable Temporary User Promotion:

    • Toggle "Enable Temporary User Promotion" to active.
  4. Set User Promotion Timer:

    • Set the timer to "0" (default). This allows dynamic control via Azure claims.
  5. Enable Verify User Promotion:

    • Toggle on Verify User Promotion for secure validation.
  6. Enable Promotion Reason Field:

    • This field allows specifying the reason for elevation, useful for future extension attributes.
  7. Add Reasons for Elevation:

    • Provide pre-set reasons that users can select when requesting elevation.
  8. Set Admin Attribute:

    • In the Admin Attribute field, enter "roles" (reflecting the group type used in Azure Entra).
  9. Add User Promotion Role:

    • Click the "+" to add a role. Name the role "LocalAdmin" and set a duration of 30 minutes.
  10. Save and Export Configuration:

    • Save the configuration as a .plist with a recognizable name for testing and deployment.

Azure Entra Setup

  1. Access Azure Portal:

  2. Configure Token Claims:

    • In the Jamf Connect application, navigate to Token Configuration.
    • Click Add a Group Claim, allowing ID, Access, and SAML tokens with default settings.
  3. Create App Role:

    • Go to App Roles (left-hand menu) and click "+ Create app role".
    • Set the following:
      • Display Name: Local Admin
      • Description: Your choice (e.g., “Temporary admin access for macOS”).
      • Allowed Member Types: Users/Groups
      • Value: LocalAdmin (important—this must match the Jamf Connect configuration).
  4. Assign the App Role to Users/Groups:

    • Search for the Jamf Connect service principal in the portal.
    • In the service principal, go to Users and Groups > + Add User/Group.
    • Create the appropriate group assignment:
      • Example: A new group named "macOS Local Admin".
      • Assign the necessary users to this group.
  5. Validate Configuration:

    • Test the setup by verifying token claims and ensuring the elevated permissions work as expected on macOS.

Conclusion

This guide ensures a seamless configuration of temporary permissions in Jamf Connect by integrating with Azure Entra. Once the roles and claims are correctly configured, you can grant temporary admin privileges to macOS users dynamically and securely.

Note: If I missed anything, just let me know!
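A way to check step 5 of the Azure Entra setup offline, as an added example that is not from the original post or from Jamf: decode an ID token's claims and confirm the "roles" claim carries the "LocalAdmin" value the Jamf Connect configuration expects. The token here is a constructed, unsigned sample and the bracketed ids are placeholders; the script inspects claims only and does not validate the token.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_sample_token(payload: dict) -> str:
    """Build an UNSIGNED sample token for offline testing (constructed, not from Entra)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_promotion_claim(claims: dict, admin_attribute: str = "roles",
                          role_value: str = "LocalAdmin") -> list[str]:
    """Return findings explaining why Jamf Connect would or would not promote the user."""
    findings = []
    values = claims.get(admin_attribute)
    if values is None:
        findings.append(f"claim '{admin_attribute}' missing: app role not assigned "
                        "or user/group not added to the service principal")
        return findings
    if isinstance(values, str):
        values = [values]
    if role_value in values:
        findings.append(f"OK: '{role_value}' present in '{admin_attribute}'")
    else:
        near = [v for v in values if v.lower() == role_value.lower()]
        if near:
            findings.append(f"case mismatch: token has {near}, Jamf expects '{role_value}'")
        else:
            findings.append(f"'{role_value}' not in {admin_attribute}={values}")
    return findings

# Constructed sample: what the ID token payload looks like once the app role is assigned.
SAMPLE_CLAIMS = {"aud": "<jamf-connect-app-id>", "preferred_username": "user@example.com",
                 "roles": ["LocalAdmin"], "groups": ["<macOS-Local-Admin-group-object-id>"]}
SAMPLE_FINDINGS = check_promotion_claim(jwt_claims(build_sample_token(SAMPLE_CLAIMS)))
```

To check a real token, paste the ID token string into `jwt_claims()` instead of the constructed sample; a "case mismatch" finding means the app role Value in Entra does not exactly match the role name entered in the Jamf Connect configuration.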

AJPinto
Esteemed Contributor

I'll agree Jamf's documentation on this could do with being clearer. I got everything set up a few months ago, and it immediately failed a security review, which I should have seen coming. All of this process still makes the user an administrator, not the tech, and added to that, our entire workforce is remote, so the tech is never sitting in the user's lap.

We already had an Endpoint Permissions Manager in place, and I was hoping this would be a nice fallback, but it still has too many gaps that Jamf may not even be able to close.

david_edgar
New Contributor III

Our use case involved managing local admin access on both Windows and macOS. Previously, we maintained individual policies for each user and their assigned device. Now, by utilizing group management through Azure, we streamline the process—eliminating the need to recreate policies from scratch each time. Naturally, we have established policies and procedures to support this transition.

AJPinto
Esteemed Contributor

My employer has a very low risk tolerance. No users have elevated access on Windows or macOS, some support techs have admin accounts that they use on Windows to "run as" and the EPM tool fills gaps. On macOS if the EPM can't do it, the IAM team will use the EPM tool to promote the user to admin or we use Jamf to script the task. We would love a way for our admin accounts to work on macOS without having to log in to the OS to build the account, but alas that is not how macOS works lol.