JAMF Connect - Azure - MFA Issues

mhegge
Contributor II

I am putting this out there because JAMF support has washed their hands of assisting us.

We integrated JAMF Connect with Azure AD recently and are currently testing.

The issue we are having is that Azure, and our MFA setup in Conditional Access, is requiring users to log in at EVERY restart. It is also requiring password verification after authenticating.

As you might imagine, this would cause some inconvenience to macOS users, especially if their means of MFA authentication was not at hand: phone, Microsoft Authenticator app (iPhone or iPad) or other means.

MFA does not work this way for anything else requiring it. It is only required once per app, per device, until there is a password change.

Support's suggestion was, essentially, to exempt macOS from requiring MFA. This did not go over well with our Sys Admin, who is heading the rollout of our MFA requirement.

This is a real frustration, as JAMF Connect was touted as a solution for AD authentication, with the ability to provide zero-touch deployment in our environment and to create AD users without requiring the device to be joined to AD. It does that, but at a real cost to user experience.

Trying to work with my Sys Admin as I do NOT have the rights to create or test policies in Conditional Access. Hoping there is someone out there in the same boat as us.


nick-at-artsed
New Contributor III

I am also really frustrated with this. Clearly Jamf Connect is not Azure ready. We already enforce MFA on all staff and wanted Jamf Connect to be the solution to zero-touch macOS deployments with a good user experience. Sadly, this seems not to be possible yet.

Lodavigo
New Contributor II

@mhegge I am confused by your issue that Jamf Connect requires your users to log in at every restart? How did it work for you before Jamf Connect -- asked another way: Macs would have required a log in at every restart by default, right?

Or is the issue the fact that Jamf Connect requires a sign-in to Azure -> then your Conditional Access policy requires MFA -> then the user is prompted one more time to type their password in order to log in?

We use Azure and Jamf Connect for our zero touch, and aside from the multiple password entries at each restart to log in, it hasn't been overly problematic yet.