How to Implement Temporary Permissions in Jamf Connect with Azure Entra
Background:
I got a bit frustrated the other day because, well, most folks have teams of people to configure these token settings, dig into the claims, and get everything working seamlessly. Meanwhile, I had NO IDEA what I was doing. As someone who manages desktop technicians, I work closely with them to handle the technical aspects of both macOS and Windows environments.
When I first dove into the Jamf Connect documentation on temporary elevation permissions, I’ll admit—I got a bit... annoyed. It didn't feel very easy for what seemed like a straightforward task.
So, if you’re in a similar boat, trying to configure these permissions with existing setups, this guide is for you. I’ve broken down the steps to make it a little less painful and help you get up and running without reinventing the wheel.
Assumptions
- Jamf Connect is already set up in your environment with your IDP configurations in place.
- You have a group set up in Azure Entra for users eligible for temporary elevation.
- You have permission to modify both the Jamf Connect application and Service Principal in Azure.
Jamf Connect Configuration Steps
- Open Jamf Connect Configuration Tool:
  - Use an existing Jamf Connect configuration profile or export the .plist from Jamf, if needed, and import it.
- Navigate to the "Connect" Menu:
  - Click the "Connect" button at the top and scroll down to the Temporary User Permissions section.
- Enable Temporary User Promotion:
  - Toggle "Enable Temporary User Promotion" to active.
- Set User Promotion Timer:
  - Set the timer to "0" (default). This allows dynamic control via Azure claims.
- Enable Verify User Promotion:
  - Toggle on Verify User Promotion for secure validation.
- Enable Promotion Reason Field:
  - This field lets users specify the reason for their elevation, which is useful for future extension attributes.
- Add Reasons for Elevation:
  - Provide pre-set reasons that users can select when requesting elevation.
- Set Admin Attribute:
  - In the Admin Attribute field, enter "roles" (reflecting the group type used in Azure Entra).
- Add User Promotion Role:
  - Click the "+" to add a role. Name the role "LocalAdmin" and set a duration of 30 minutes.
- Save and Export Configuration:
  - Save the configuration as a .plist with a recognizable name for testing and deployment.
Azure Entra Setup
- Access Azure Portal:
  - Go to portal.azure.com and search for your Jamf Connect application.
- Configure Token Claims:
  - In the Jamf Connect application, navigate to Token Configuration.
  - Click Add a Group Claim, allowing ID, Access, and SAML tokens with default settings.
- Create App Role:
  - Go to App Roles (left-hand menu) and click "+ Create app role".
  - Set the following:
    - Display Name: Local Admin
    - Description: Your choice (e.g., "Temporary admin access for macOS").
    - Allowed Member Types: Users/Groups
    - Value: LocalAdmin (important—this must match the Jamf Connect configuration).
- Assign the App Role to Users/Groups:
  - Search for the Jamf Connect service principal in the portal.
  - In the service principal, go to Users and Groups > + Add User/Group.
  - Create the appropriate group assignment:
    - Example: A new group named "macOS Local Admin".
  - Assign the necessary users to this group.
- Validate Configuration:
  - Test the setup by verifying token claims and ensuring the elevated permissions work as expected on macOS.
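A quick way to check the token claims before troubleshooting on the Mac. The Python script below is an added example (not Jamf's or Microsoft's code): it decodes the payload of an ID token and checks that the "roles" claim carries the LocalAdmin value, mapping it to the 30-minute duration configured above. The two sample tokens are constructed and unsigned, and the script does not verify signatures, so use it only to inspect a token from your own test sign-in; Jamf Connect performs the real verification.

```python
import base64
import json

# Roles table mirroring the Jamf Connect configuration in this guide:
# role value in the Entra token -> promotion duration in minutes.
PROMOTION_ROLES = {"LocalAdmin": 30}
ADMIN_ATTRIBUTE = "roles"  # the claim name entered in the Admin Attribute field


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT. Does NOT verify the
    signature: this inspects what Entra put in the token, it does not trust it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def promotion_minutes(claims: dict) -> int:
    """Minutes of temporary admin the claims entitle the user to, or 0 if none.
    Uses the longest matching role if several are present."""
    roles = claims.get(ADMIN_ATTRIBUTE, [])
    if isinstance(roles, str):  # a single role may arrive as a bare string
        roles = [roles]
    return max((PROMOTION_ROLES.get(r, 0) for r in roles), default=0)


def _make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned sample token for offline testing only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


# Constructed sample tokens: one user holds the app role, the other does not.
SAMPLE_WITH_ROLE = _make_unsigned_token({"preferred_username": "jdoe@example.com", "roles": ["LocalAdmin"]})
SAMPLE_WITHOUT_ROLE = _make_unsigned_token({"preferred_username": "jsmith@example.com", "groups": ["group-guid"]})

if __name__ == "__main__":
    for token in (SAMPLE_WITH_ROLE, SAMPLE_WITHOUT_ROLE):
        claims = decode_claims(token)
        print(claims["preferred_username"], "->", promotion_minutes(claims), "minutes")
```

To check a real token, paste the id_token from your own test sign-in into decode_claims and confirm the "roles" claim is present with the value "LocalAdmin"; if it is missing, revisit the app role assignment on the service principal.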
Conclusion
This guide ensures a seamless configuration of temporary permissions in Jamf Connect by integrating with Azure Entra. Once the roles and claims are correctly configured, you can grant temporary admin privileges to macOS users dynamically and securely.
Note: If I missed anything, just let me know!