JAMF Connect - Azure - MFA Issues

mhegge
Contributor III

I am putting this out there because JAMF support has washed their hands in assisting us.

We integrated JAMF Connect with Azure AD recently and are currently testing.

The issue we are having is that Azure, and our MFA setup in Conditional Access, is requiring users to log in at EVERY restart. It also is requiring password verification after authenticating.

As you might imagine, this would cause some inconvenience to macOS users, especially if their means of MFA authentication was not at hand: phone, Microsoft Authenticator app (iPhone or iPad) or other means.

MFA does not work this way for anything else requiring it. It is only required once per app, per device, until there is a password change.

Support's suggestion was to exempt macOS from requiring MFA, essentially. This did not go over well with our Sys Admin who is heading the rollout of our MFA requirement.

This is a real frustration as JAMF Connect was touted as a solution for AD authentication, ability to provide zero-touch deployment in our environment, and create AD users without requiring the device be joined to AD. It does that, but at a real cost to user experience.

Trying to work with my Sys Admin as I do NOT have the rights to create or test policies in Conditional Access. Hoping there is someone out there in the same boat as us.


nick-at-artsed
New Contributor III

I am also really frustrated with this. Clearly Jamf Connect is not Azure ready. We already enforce MFA on all staff and wanted Jamf Connect to be the solution to zero-touch macOS deployments with a good user experience. Sadly this seems not to be possible yet.

Lodavigo
New Contributor II

@mhegge I am confused by your issue that Jamf Connect requires your users to log in at every restart? How did it work for you before Jamf Connect -- asked another way: Macs would have required a login at every restart by default, right?

Or is the issue the fact that Jamf Connect requires a sign-in to Azure -> then your Conditional Access policy requires MFA -> then the user is prompted one more time to type their password in order to log in?

We use Azure and Jamf Connect for our Zero Touch, and aside from the multiple password entries each restart to log in, it hasn't been overly problematic yet.

@Lodavigo how does the offline login work with Azure and MFA?

Lodavigo
New Contributor II

Offline logins are allowed only for specific accounts that already exist on the machines, so an offline login that is then prompted for MFA isn't really something that is possible, as offline logins don't go through Azure at all, so MFA can't be invoked.

I will say that the Azure integration with JAMF Connect has been much better since v2.6, as it now allows for pass-through of the credentials from JAMF Connect to the system, so users no longer need to type their passwords three times at a reboot (now only for FileVault and JAMF Connect).

Jaykrishna1
Contributor II

It sounds like you're facing a challenge with the integration between JAMF Connect and Azure AD. Requiring users to log in every time they restart their Mac can cause inconvenience and impact the user experience.

I would suggest reaching out to the Microsoft support team to see if they have any suggestions or recommendations for resolving this issue. It might be that there are settings in Azure AD or Conditional Access that can be configured to address this behavior.

You can also check the JAMF Connect documentation and community forums to see if others have encountered this issue and if there are any suggested solutions.

In the meantime, it might be helpful to gather as much information as possible about the current configuration and setup, including the version of JAMF Connect and Azure AD being used, the MFA setup, and any relevant policies or settings in Conditional Access. This information can be shared with both JAMF and Microsoft support teams to help them better understand the issue and work towards a resolution.