Jamf Connect Login Benefits

danbaver
New Contributor III

Hi all,

I'm looking for some feedback regarding Jamf Connect. We've recently purchased Connect and have it all set up and ready to go; it's connected to our IdP, which is Azure AD but gets passed through Okta for authentication. Everything is working perfectly: the Connect menu bar app works wonderfully, as does the Connect Login window.

When connected to the Internet, the Connect login window requires Okta MFA authentication. When not connected to the Internet, local login can be used, which makes sense: we can't have users not being able to log into their machines if they aren't connected to the Internet. All working as designed wonderfully. However, my question is this: if people can bypass MFA authentication and just log in locally, what is the actual benefit of using the Connect Login window? I feel like I'm missing something simple.

5 REPLIES

healthcareaa
New Contributor III

You can either deny or allow that feature, but there is no real benefit except that it will prompt you to sync passwords when logging in if the network and local passwords do not match.

AJPinto
Honored Contributor III

For us it's first-time login with IdP credentials and not having to jump through a bunch of hoops to make sure users' account names match what we want them to match. Also, less touch is better; a user just logging in with the same creds they log in to Windows with is easier on the helpdesk.

Now if only JAMF Connect could just use IdP creds all the time, and not use local creds at all unless it's offline, that would be nice. Needing to log in with an old password to sync a new password is not a good experience if a user forgets their password.

danbaver
New Contributor III

Thank you both for your replies. These are the aspects I was starting to settle on. I just need a solid answer for the inevitable question: "Why do I have to log in twice now?" :) 

I believe you can set up FDEAutoLogin so that your users only see the FileVault screen, but that is pointless because it skips the Jamf Connect login window.

I agree that the password sync process is not a good experience for users. The local and network passwords just add complexity, and our users are less than technical, so we get helpdesk tickets about it constantly.

AJPinto
Honored Contributor III

This is how I usually explain it to people.

Apple IDs will SSO all Apple services. Okta of course does not use Apple IDs, and Apple does not use Okta credentials (probably AAD as the source of truth). Your Mac users have a leg in two different worlds, and need to authenticate to each world individually until the two worlds decide to work together. JAMF Connect is trying to form a bridge, but each of those worlds still needs to be authenticated by the user for JAMF Connect to bridge (sync) them.