Posted on 09-20-2021 05:38 AM
I had a question about configuring Jamf Connect Login.
We are a small company of about 100 Macs and most users are on local accounts that have admin rights.
Because most of our users are on local accounts we wanted to bring in Jamf Connect for the password sync functionality between Azure and the local user accounts. This is something we had looked at previously but have never tried to implement.
During testing we noticed that Jamf Login was converting those admin user accounts back to standard accounts. I believe this is because we have the users listed as standard accounts on Azure. We did try using the Jamf Login configuration options to assign the admin role but it's looking like you have to set it up on both Azure and the configuration profile.
The main problem with configuring it in Azure is that, from talking to Jamf support, that will give a user admin access to any machine they log into that has Connect on it. Is there a way to bypass the Jamf login portion? Or to let the users keep their admin access on their local accounts without giving them the same level of access on other devices?
Thanks!
Posted on 09-20-2021 06:28 AM
I made a Self Service option for the one-offs that don't need to be admin on every Jamf Connect computer.
It just runs this:
`authchanger -reset`
That'll reset you to the default Apple login screen.
The special cases get this workflow:
Posted on 09-20-2021 08:16 AM
It looks like you have the OIDC User Role settings set up in Azure and your config profile. Check this link out:
https://docs.jamf.com/jamf-connect/2.4.5/documentation/Login_Window_Preferences.html#ID-00007186
Try setting the preference `OIDCIgnoreAdmin` to true to prevent Jamf Connect from changing the user roles.