Posted on 09-12-2023 06:11 AM
Hello Jamf Nation,
I had Jamf Connect configured to create the local user account as Administrator if the Azure AD user has the Admin role assigned in the Jamf Connect Azure AD enterprise application. This worked like a charm until we introduced an enrollment customization with Single Sign-On Authentication (with user information passthrough enabled).
Now the user first has to authenticate with Azure via SSO before confirming the password once more in the Jamf Connect flow which then creates the local user. Although the user has to enter their password twice, the added benefit is of course the automatic "registration" of the user to the computer object in Jamf Pro.
However, as the title of this post indicates, it seems the 'roles' attribute is now ignored and the local user is always created as Standard.
Is there a way to benefit from the enrollment customization without losing the user roles functionality?
PS. Using Jamf Connect 2.27.0.
Solved!
Posted on 10-23-2023 07:06 AM
Support has concluded that this is currently by design, and advised me to create a post at Jamf Nation Feature Requests. I have done so here: Improve Jamf Pro & Connect passthrough | Jamf Nation Feature Requests
Please add your votes!
Posted on 10-01-2023 11:49 AM
I'm having the exact same issue. I'd love to work on this together to get it solved.
In addition to having only standard users created with SSO enabled, I tried to ignore roles and make all users admins, but then the Menu Bar disappeared, which seems to be a bug of some kind. Also, I want to be sure my Azure roles are correct; could you share where and how you are setting the admin role in Azure? I think I did it right but would like to confirm.
Have you submitted a ticket to Jamf yet? If not I'd be happy to.
Cheers
Keith
Posted on 10-01-2023 12:06 PM
My previous settings below:
Display name - Administrator
Allowed member types - Users/Groups
Value - admin
I just changed my app registration settings to the below but I don't think application is right.
Posted on 10-02-2023 12:31 AM
You should grant the role to users/groups, not applications.
Posted on 10-03-2023 12:02 PM
I changed the name in Azure from Administrator to Admin and changed the key value in the profile to
Below are my settings (I changed role to roles based on a post I saw from Traveling Tech Guy.)
<key>OIDCAdmin</key>
<array>
<string>Admin</string>
</array>
<key>OIDCAdminAttribute</key>
<string>roles</string>
Posted on 10-02-2023 12:55 AM
I've got a ticket going. Will update this thread as information becomes available.
Posted on 10-12-2023 05:13 PM
I was able to get roles working via Entra with SSO enabled in our prestage. In the Entra Jamf app I changed the "Assignment required" to yes.
I also renamed my app role to "Admin" in the Jamf App registration area in Entra and made sure to use that in my .plist for Jamf Connect Login.
<key>OIDCAdminAttribute</key>
<string>roles</string>
<key>OIDCAdmin</key>
<array>
<string>Admin</string>
</array>
Did you get any help via the ticket?
Cheers
Posted on 10-16-2023 12:52 AM
Glad to hear you got it fundamentally working.
The ticket isn't progressing very much, I'm afraid. Their suggestion was to copy the role configuration to the Jamf Pro SSO enterprise app/app registration (versus the Jamf Connect app). Hasn't worked for me though.
Posted on 10-16-2023 08:26 AM
For what it's worth, I disabled the SSO customization in my prestage enrollment and I was still able to grab user & location to populate the Jamf record after the fact. I admit I'm not sure what SSO in prestage gets us. I was able to remove 1 login, speeding up the prestage, and my roles still work.
I also did find a typo in my config profiles where "role" was used instead of "roles".
Cheers
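Two things in this thread are easy to get wrong and hard to see: the exact spelling of the claim name in OIDCAdminAttribute (the "role" vs "roles" typo above), and the fact that when no roles claim reaches Jamf Connect Login (as with the SSO passthrough), the user silently falls back to Standard. The following is an added example, not code from Jamf or from anyone in this thread: it loads the OIDCAdmin / OIDCAdminAttribute keys from a constructed com.jamf.connect.login profile fragment, lints them, and then applies a hypothetical reconstruction of the admin decision (claim named by OIDCAdminAttribute must contain a value listed in OIDCAdmin) to constructed ID-token claims. The decision function is an assumption about Jamf Connect's behaviour based on the thread, not Jamf's implementation.

```python
import plistlib
from typing import Iterable, List, Mapping, Tuple

# Constructed sample: the relevant keys of a Jamf Connect Login profile
# (com.jamf.connect.login). Key names are the real preference keys from the
# thread; the values are example values.
GOOD_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>OIDCAdminAttribute</key>
  <string>roles</string>
  <key>OIDCAdmin</key>
  <array>
    <string>Admin</string>
  </array>
</dict>
</plist>
"""

# Same fragment with the typo mentioned in the thread ("role" instead of "roles").
TYPO_PROFILE = GOOD_PROFILE.replace(b"<string>roles</string>", b"<string>role</string>")

# Constructed ID-token claims: one user with the Entra app role, one without
# any roles claim at all (what the passthrough flow effectively looks like).
CLAIMS_WITH_ROLE = {"sub": "user-a", "preferred_username": "a@example.com", "roles": ["Admin"]}
CLAIMS_WITHOUT_ROLES = {"sub": "user-b", "preferred_username": "b@example.com"}


def load_admin_settings(profile_bytes: bytes) -> Tuple[str, List[str]]:
    """Read OIDCAdminAttribute and OIDCAdmin from a plist fragment."""
    prefs = plistlib.loads(profile_bytes)
    attribute = prefs.get("OIDCAdminAttribute", "")
    admin_values = prefs.get("OIDCAdmin", [])
    if isinstance(admin_values, str):  # tolerate a single <string> instead of an <array>
        admin_values = [admin_values]
    return attribute, list(admin_values)


def lint_admin_settings(attribute: str, admin_values: List[str]) -> List[str]:
    """Return human-readable findings for the common misconfigurations."""
    findings = []
    if not attribute:
        findings.append("OIDCAdminAttribute is missing: every user will be created as Standard")
    elif attribute != "roles":
        findings.append(f"OIDCAdminAttribute is '{attribute}'; Entra app roles arrive in the 'roles' claim")
    if not admin_values:
        findings.append("OIDCAdmin is empty: no claim value can ever grant admin")
    return findings


def should_be_admin(claims: Mapping[str, object], attribute: str, admin_values: Iterable[str]) -> bool:
    """Hypothetical reconstruction of the decision: the claim named by
    OIDCAdminAttribute must contain at least one value listed in OIDCAdmin.
    A missing claim (nothing to compare) means Standard, never admin."""
    value = claims.get(attribute)
    if value is None:
        return False
    values = [value] if isinstance(value, str) else list(value)
    wanted = set(admin_values)
    return any(v in wanted for v in values)


def evaluate(profile_bytes: bytes, claims: Mapping[str, object]) -> Tuple[bool, List[str]]:
    """Convenience wrapper: (admin decision, lint findings) for one profile and one token."""
    attribute, admin_values = load_admin_settings(profile_bytes)
    return should_be_admin(claims, attribute, admin_values), lint_admin_settings(attribute, admin_values)


if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("typo", TYPO_PROFILE)):
        for user, claims in (("with roles", CLAIMS_WITH_ROLE), ("without roles", CLAIMS_WITHOUT_ROLES)):
            admin, findings = evaluate(profile, claims)
            print(f"{label} profile, user {user}: admin={admin} findings={findings}")
```

Run it against an exported .mobileconfig payload (the inner com.jamf.connect.login dictionary) and the claims from a decoded test token: the typo profile never grants admin even when the roles claim is present, and the good profile still yields Standard when the token carries no roles claim, which is the symptom the thread describes.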
Posted on 10-18-2023 05:50 AM
Hello, I am having the same issue here when enabling SSO via Pre-Stage customisation.
I assume this is due to the SAML claims from the 'Jamf Connect Login' app not being used, because the user info (and therefore the lack of SAML claims) has already been passed from the 'JAMF SSO' app. These would only be available if there were a second auth via JC, which would mean the user would need to complete 2 full 'SSO' logins during enrolment, which kind of defeats its purpose.
I had the same initial thought as your support rep, which was creating the app roles and adding groups in the JAMF SSO app. However, the mobileconfig scoped to devices, which uses com.jamf.connect.login as the domain, will not be looking at the 'JAMF SSO' appID for SAML claims but rather the 'JAMF Connect Login' appID.
For now I see the only option as disabling SSO as part of the ADE Customisation, as I don't think this is a workflow that will work without another full SSO authentication being completed.