Is the following OK? (Login window, local user account changes)

ManuCa
New Contributor

Hi everyone!

 

I apologize in advance as my experience with JAMF is less than 1 week so my vocabulary might be off.

We have deployed JAMF PRO + Connect along with Google Workspace as our IdP and I wanted to know how to handle the following:

- After pushing out the configuration profile and logging out of my local user account (which had admin rights), the Jamf Connect login window appears. However, introducing my work email and its password doesn't work. It accepts them but then the local user login screen appears saying "incorrect password" (because my work mail password and local user account password are different ofc). If I try this with a test account I have in Google Workspace, a window asking me to select the local user appears. Why is this happening? How can I avoid it?

- My local user account was downgraded to a standard account even though I'm an admin in Google Workspace. I understand JAMF takes the roles set in the IdP to define the local account role. Is this correct? Is it working as intended with Google Workspace? How can I avoid this in the future and how could I revert it?

- Restarting the computer makes the Jamf Connect login window go away. I guess that the following happens: when using JAMF Connect for the first time, it syncs the local account password with the network one and then when the FV login window appears, it checks the credentials and if they are OK, it bypasses the JAMF Connect window?

Hope I have been clear! Please ask me anything if some point was confusing or I didn't give enough information.

1 REPLY

abrunner
New Contributor III

First, I highly recommend carefully reading the documentation. Two of your 3 questions can be answered by it: https://www.jamf.com/resources/product-documentation/jamf-connect-documentation-version-2-9-0/

It sounds like your local user account is synced to a Jamf Connect profile already, which is why you were not prompted. You get the prompt on login with the test user because Jamf Connect needs to know if it's supposed to create a new local user or sync to an existing one. The way we fixed this when we implemented was to uninstall the Connect Login Window and reinstall. Follow these instructions to do so: Uninstall the Login Window

There is a preference in the Jamf Connect configuration that specifies whether or not Connect should obey the IDP admin settings. https://docs.jamf.com/jamf-connect/2.9.0/documentation/User_Roles_for_Local_Accounts.html

Finally, it sounds like you have Connect configured to bypass the login window when the user successfully unlocks FileVault, so yes, that is functioning as it should. The only time you should see the Connect Login window is if the user logs out instead of shutting down, restarting, or locking the computer.
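
The admin-rights preference mentioned in the reply above can be checked before a profile is pushed. The following is an added example, not part of the thread and not Jamf's code: a Python audit of a login window payload that reports how local admin rights would be decided. The key names `OIDCIgnoreAdmin`, `OIDCAdmin`, `OIDCAdminAttribute` and `CreateAdminUser` and their meanings are assumptions taken from Jamf Connect's login window preference documentation (the thread names no keys), and the sample payload is constructed.

```python
import plistlib

# Constructed sample payload for the com.jamf.connect.login domain (not from the thread).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CreateAdminUser</key><false/>
    <key>OIDCAdminAttribute</key><string>groups</string>
</dict>
</plist>"""


def audit_admin_prefs(plist_bytes):
    """Summarise how a login-window payload decides local admin rights.

    Key meanings are assumptions based on Jamf Connect's documented
    login window preferences; verify them against your version's docs.
    """
    prefs = plistlib.loads(plist_bytes)
    ignore_roles = prefs.get("OIDCIgnoreAdmin") is True
    roles = prefs.get("OIDCAdmin") or []
    if isinstance(roles, str):  # tolerate a single string instead of an array
        roles = [roles]
    notes = []
    if ignore_roles:
        notes.append("IdP roles ignored: existing accounts keep their current role")
    elif not roles:
        notes.append("IdP roles honoured but OIDCAdmin is empty: no login can match as admin")
    if prefs.get("CreateAdminUser") is True:
        notes.append("CreateAdminUser is true: every newly created account is a local admin")
    return {
        "ignore_idp_roles": ignore_roles,
        "admin_roles": sorted(roles),
        "role_attribute": prefs.get("OIDCAdminAttribute"),
        "notes": notes,
    }


def with_key(plist_bytes, key, value):
    """Return a copy of the payload with one key changed, for comparing settings."""
    prefs = plistlib.loads(plist_bytes)
    prefs[key] = value
    return plistlib.dumps(prefs)


if __name__ == "__main__":
    variants = (("as deployed", SAMPLE),
                ("with OIDCIgnoreAdmin", with_key(SAMPLE, "OIDCIgnoreAdmin", True)))
    for label, data in variants:
        print(label, audit_admin_prefs(data))
```

On a managed Mac the same function can be pointed at the bytes of the deployed preference file for that domain instead of the sample.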