Posted on 02-28-2024 07:59 AM
Hey Everyone!
Jamf Connect: 2.32.0
macOS: Sonoma 14.3.1
A little back story here. We have Jamf Connect set up with Azure/Entra as our IDP. Our organization is working on moving from a local on-premises AD to an Azure/Entra cloud-only solution. With that being said, I made some cloud-only accounts in Azure/Entra and have been playing with new cloud-only groups for Jamf Connect with the "Standard" and "Administrator" roles.
I have no problem logging in as these cloud accounts with a standard or administrator role. Here is where I am stuck: on a login with my account, which originates from local AD and is synced to Azure/Entra, I am prompted to do MFA via the Microsoft Authenticator app at the Jamf Connect login screen when I restart or come up from a shutdown to unlock the Mac (THIS IS WHAT I WANT). The PROBLEM is that with these new Azure/Entra-only cloud accounts I am NOT prompted for MFA, even though it is set up for the user and they are not in any exclusion groups or CA policies that I can find in Azure/Entra.
I know this is more of an IDP problem, I assume, but maybe it is Jamf Connect? Jamf Connect does not make the decision to prompt for MFA; your IDP does. But I can't seem to unbury what causes these cloud accounts to just be able to bypass MFA at restart (WHAT I DON'T WANT). I would ideally like the MFA prompting to occur for all accounts, those in local AD and those in the cloud, as we begin the transition period, which may last a while.
Any ideas where I can start digging on the Jamf or Azure/Entra side that I may have missed?
Thank You!
-Paul
Posted on 02-28-2024 11:33 AM
You are correct in the fact that Jamf Connect has no control over when the IDP prompts for MFA. Jamf Connect does independently support MFA authentication with a token outside of the IDP.
Just to ask the question: have you checked to confirm the devices are bypassing MFA at the macOS login screen, and not at the FileVault screen? FileVault would have no concept of MFA or Jamf Connect.
Posted on 02-28-2024 12:30 PM
Hey AJ,
Thanks for your response. Yes, so the FV login screen should never prompt for 2FA; it's simply there to unlock FV from a restart or shutdown. The Jamf Connect login screen that shows the O365 sign-in boxes is where MFA should be prompting, but it is not for these cloud-only users.
I used the Jamf Connect Configuration app and ran the OIDC auth test with my account and the two cloud accounts I made. The two cloud accounts don't prompt for MFA in the test and receive tokens; my account does prompt for 2FA, and tokens pass once I authenticate.
Thank You!
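One way to confirm what the IDP actually did during that Configuration app test, rather than relying on whether a prompt appeared: decode the returned ID token and look at its `amr` claim, where Entra records the authentication methods used and lists `mfa` when MFA was performed. This is an added example, not code from the thread or from Jamf; it assumes the token your app registration issues includes `amr` (if it is absent, the check reports no MFA and you should confirm the claim is issued for your token version). The two tokens are constructed samples.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This is a diagnostic for inspecting what the IDP returned; it must never be
    used to decide whether to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def authentication_methods(token: str) -> list:
    """The 'amr' claim as a list (empty if the IDP did not include it)."""
    amr = decode_jwt_claims(token).get("amr")
    return list(amr) if isinstance(amr, list) else []


def mfa_performed(token: str) -> bool:
    """True only when 'mfa' is among the recorded authentication methods."""
    return "mfa" in authentication_methods(token)


def _make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for local testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: a synced account that completed MFA, a cloud-only account that did not.
SYNCED_USER_TOKEN = _make_sample_token({"preferred_username": "synced@example.com", "amr": ["pwd", "mfa"]})
CLOUD_ONLY_TOKEN = _make_sample_token({"preferred_username": "cloud1@example.com", "amr": ["pwd"]})

if __name__ == "__main__":
    for label, tok in (("synced", SYNCED_USER_TOKEN), ("cloud-only", CLOUD_ONLY_TOKEN)):
        print(f"{label}: amr={authentication_methods(tok)} mfa_performed={mfa_performed(tok)}")
```

Paste the ID token shown by the Configuration app in place of a sample to see which methods Entra recorded for each account.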
Posted on 05-13-2024 06:31 AM
The accounts are still local accounts on the Mac. Jamf Connect is simply bypassing the default login process and allowing you to hook into an IDP for authentication and MFA. If it's working for you and not for the other users, that would imply the Azure app integration and the Jamf Connect configurations are correct. I would suggest checking the users' configurations in Azure, as they may have different groups causing a different behavior.
Posted on 05-09-2024 01:44 PM
Alright, for anyone who is running into similar issues this was my solve: https://learn.jamf.com/en-US/bundle/jamf-connect-documentation-current/page/Modifying_Jamf_Connect_f...
Once I implemented the above, 2FA now prompts for cloud-only users.