Posted on 12-02-2023 05:47 AM
Hey All,
First time poster so be kind :-)
Setting up a Jamf Pro solution whereby we are setting up ADE enrolment for new devices but also migrating devices from a different MDM vendor solution. Jamf Pro is integrated with EntraID/Azure for cloud IdP and also SSO to Entra, and Jamf Connect is being used. Devices are off the corp network and have no direct sight of on-premises AD, i.e. no Kerberos.
Migrated devices have local Mac accounts that use the sAMAccountName (which is being mapped to EntraID OnPremisesSamAccountName). I have configured the SSO and Cloud IdP Entra mappings for the migrated devices so that during enrolment the device populates the User and Location inventory with all the user info. As most devices will migrate initially, this is currently more important than the workflow for new device enrolments. We are migrating Macs using the Jamf Migrate tool, as an FYI.
However, the issue we face is with new enrolments, in that they take the email/UPN as the local account name firstname.surname. Due to MFA being used we can't use the custom attribute OIDCShortname in the connect.login profile. It's not being delivered in the token, and we have enabled the JC app registered in Entra to use the AD policy mapping the attributes and enabled Acceptmappedclaims in the JC app registration manifest.
I can get the email added to the User and Location in inventory by grabbing the displayname string from the connect.state plist using 'jamf recon $email', but due to the mappings in the Jamf setup for the bulk of devices searching against the shortname/onpremisesamaccountname, it will not populate the rest of the entries.
We are using Jamf Connect Notify during ADE enrolment for new devices, and I was wondering if sticking a registration window somewhere in this process can be done? I know a registration window can be done with DEPNotify, but I can't see any info online specific to Jamf Connect Notify. To be honest I'd rather not rely on the user inputting info, just in case they do it wrong too.
So I'm wondering if anyone can recommend a way to do the registration or an alternative way to get the OnPremisesSamAccountName during enrolment.
The purpose of doing this is not only to fill in the User and Location inventory in Jamf but also so we can inject it into the local device to add local account aliases and use it in other profiles to improve the user experience somewhat.
All suggestions welcome! Thanks in advance.
Chris
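As an added illustration of the recon step described above (this is example code, not from the original post and not Jamf's own tooling): a small shell script that reads the address Jamf Connect recorded, refuses to call `jamf recon` unless the value is a plausible, shell-safe e-mail, and then submits it with the documented `-email` and `-endUsername` flags. The plist path and the `DisplayName` key are assumptions taken from the post's wording rather than verified Jamf Connect identifiers; the shortname it submits is only the e-mail local part, not OnPremisesSamAccountName, so it fills the Username field but does not solve the lookup problem the post raises.

```shell
#!/bin/sh
# Added example, not from the original post or from Jamf.
# Assumed (not verified against Jamf docs): the state plist path and the
# DisplayName key below. Override both via environment variables if they differ.
STATE_PLIST="${STATE_PLIST:-$HOME/Library/Preferences/com.jamf.connect.state.plist}"  # assumed path
STATE_KEY="${STATE_KEY:-DisplayName}"   # assumed key name

# Return 0 if the value looks like a single e-mail address, else 1.
# Shell metacharacters are rejected first so a tampered plist value can never
# be turned into extra arguments for the recon call.
is_valid_email() {
  case "$1" in
    *' '*|*'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# Local part of the address, lower-cased: First.Last@corp.example -> first.last
email_local_part() {
  printf '%s' "$1" | cut -d@ -f1 | tr '[:upper:]' '[:lower:]'
}

# Read the address recorded by Jamf Connect; empty string if the key is absent.
read_idp_email() {
  defaults read "$STATE_PLIST" "$STATE_KEY" 2>/dev/null || printf ''
}

# Submit to Jamf Pro only when the value passes validation; returns 1 otherwise.
submit_inventory() {
  email="$1"
  if ! is_valid_email "$email"; then
    echo "refusing to run recon: '$email' is not a plausible e-mail address" >&2
    return 1
  fi
  # -email and -endUsername are documented jamf recon options. The username
  # sent here is the e-mail local part, NOT OnPremisesSamAccountName, so it
  # only helps if the Jamf Pro user lookup is keyed on the e-mail local part.
  /usr/local/bin/jamf recon -email "$email" -endUsername "$(email_local_part "$email")"
}

main() {
  email="$(read_idp_email)"
  [ -n "$email" ] || { echo "no $STATE_KEY value in $STATE_PLIST" >&2; exit 1; }
  submit_inventory "$email"
}

# Only run end-to-end when executed by name on a Mac that has the jamf binary.
if [ "${0##*/}" = "enrich_inventory.sh" ] && [ -x /usr/local/bin/jamf ]; then
  main
fi
```

Run it as `enrich_inventory.sh` from a policy that fires after Jamf Connect has written its state plist; the validation step is the part worth keeping even if the plist key turns out to differ, because the value it feeds to `recon` comes from a user-writable preference file.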
Posted on 12-26-2023 12:54 AM
Hi Chris,
Considering your MFA constraints and the need to capture OnPremisesSamAccountName during enrolment for both migrated and new devices, leveraging Jamf Connect Notify might indeed be a viable approach. While there may not be extensive documentation specifically for Jamf Connect Notify in this context, you could explore scripting within Notify's custom triggers or combining it with DEPNotify to create a seamless registration window. This could automate the process, reducing the risk of user error. Best of luck, and I hope you find a solution that fits your requirements!