Jamf Connect 1.19.1 Release

kaylee_carlson
Contributor

Jamf Connect Configuration 1.9.0: N/A
Jamf Connect Login 1.11.3:
• [PI-008086] Fixed an issue that sometimes caused Jamf Connect Login to create an invalid keychain item for Jamf Connect Sync or Verify when Jamf Connect received user information from Jamf Pro’s Enrollment Customization settings during account creation.

• [PI-008131] Fixed an issue that allowed end users to bypass multifactor authentication (MFA), when enabled, and use local authentication, if the MFA prompt timed out.

Jamf Connect Sync 1.4.3: N/A

Jamf Connect Verify 1.5.2: (Documentation Only) The “Configuring Jamf Connect Verify” section of the admin guide now includes OneLogin and IBM Cloud Identity as configurable IdPs. Note: OneLogin and IBM Cloud Identity are not included in the Jamf Connect Verify app Preferences menu. Use Jamf Connect Configuration, Jamf Pro, or a text editor to create a configuration profile.

Product Documentation
For more information, including Release Notes, please see the Jamf Connect Administrator Guide.

4 REPLIES 4

ecanault
New Contributor
New Contributor

Hi,

It seems that the /usr/local/lib/pam/pam_saml.so.2 file disappeared from this release :
c99b72efa0de498291b7cfe726744dc9

Perhaps it's normal because if I copy the file from an older release of Jamf Connect Login pacakge (1.11.0), it works as expected on the Mac
But, when I'm logged into the Mac thru SSH, I can gain root access without authentication :

Last login: Mon Jun 1 15:01:22 on ttys001 The default interactive shell is now zsh. To update your account to use zsh, please run chsh -s /bin/zsh. For more details, please visit https://support.apple.com/kb/HT208050. netomac95:~ emmanuel$ ssh ladmin@192.168.78.209 Password: Last login: Mon Jun 1 15:06:31 2020 from 192.168.78.214 ladmin@MacBook-Air ~ % sudo -s root@MacBook-Air ~ # whoami root root@MacBook-Air ~ #

Here is a copy of my /etc/pam.d/sudo file on macOS 10.15.4 :

# sudo: auth account password session auth required pam_saml.so auth sufficient pam_smartcard.so # auth required pam_opendirectory.so account required pam_permit.so password required pam_deny.so session required pam_permit.so

And the result of authchanger -print :

# authchanger -print Entry: system.login.console tries : 10000 class : evaluate-mechanisms comment : Login mechanism based rule. Not for general use, yet. shared : 1 version : 7 created : 612708829.897855 mechanisms: builtin:policy-banner JamfConnectLogin:CheckOkta JamfConnectLogin:PowerControl,privileged JamfConnectLogin:CreateUser,privileged JamfConnectLogin:DeMobilize,privileged builtin:login-begin builtin:reset-password,privileged loginwindow:FDESupport,privileged builtin:forward-login,privileged builtin:auto-login,privileged builtin:authenticate,privileged PKINITMechanism:auth,privileged builtin:login-success loginwindow:success HomeDirMechanism:login,privileged HomeDirMechanism:status MCXMechanism:login CryptoTokenKit:login loginwindow:done JamfConnectLogin:EnableFDE,privileged JamfConnectLogin:SierraFixes,privileged JamfConnectLogin:KeychainAdd,privileged modified : 612708996.4008451 Entry: system.preferences.network version : 0 allow-root : 1 modified : 612708996.328822 group : admin comment : Checked by the Admin framework when making changes to the Network preference pane. created : 612708829.897855 session-owner : 0 authenticate-user : 1 tries : 10000 shared : 1 class : user timeout : 2147483647 Entry: system.services.systemconfiguration.network k-of-n : 1 rule: is-root entitled _mbsetupuser-nonshared authenticate-admin-nonshared modified : 612708996.367339 comment : For making change to network configuration via System Configuration. version : 2 created : 612708829.897855 class : rule

Regards,
Emmanuel

PS : by using

auth required pam_saml.so auth required pam_opendirectory.so

in /etc/pam.d/sudo, it works as expected with SSH : the password is asked.
But you have the option to bypass IdP authentication locally on the Mac :-(.

david_engum
New Contributor III

@ecanault We have noticed this and will be releasing a new version of the Jamf Connect that fixes this problem as well as a few other problems. This release is planned for June 6.

ecanault
New Contributor
New Contributor

Hi @david.engum ,

Thanks for the feedback.
This update will also address the security issue regarding the remote SSH connection ?

ecanault
New Contributor
New Contributor

Hi,

It seems that the SSH issue is still here.
Cc @david.engum