Posted on 03-22-2023 07:46 AM
Hey all!
We're working on deploying Jamf Connect for our org. In parallel, our security team is working on moving all our MFA for our Okta environment over to WebAuthn with the option of either biometrics or a Yubikey to fulfill it. Does anyone know if Jamf Connect can support WebAuthn methods (or as a bonus, a future state of passwordless with WebAuthn as the only authentication factor)? I've not found any documentation on it, so I'm not hopeful, but wondering if anyone has any experience with this.
Thanks,
Colton
Posted on 04-27-2023 10:48 AM
Were you ever able to find a solve for this?
Posted on 04-27-2023 10:51 AM
Got a reply back from our account rep that the Jamf Connect engineering team "recognizes this as a currently desired feature but doesn't have it roadmapped for development at this time." We're going to end up testing a per-app policy for Jamf Connect in Okta that would exclude it from WebAuthn requirements, but the Jamf Connect documentation currently discourages per-app policies.
Posted on 08-15-2023 08:22 AM
This is definitely something we would want to implement too, and I find it really surprising, and a bit weird, that WebAuthn doesn't work with Jamf Connect and that it isn't on their roadmap to implement. More and more companies will want to implement phishing-resistant MFA policies, and so this should be something high up on their roadmap.
Posted on 05-14-2024 09:54 AM
I'm surprised this question isn't being asked more, but I'm guessing it's going to start picking up traction as companies start to adhere to stricter authentication policies. In trying to get this working, we've seen our Okta logs calling out the culprit as the embedded browser JC is using during authentication. It seems to be too old to even know what FIDO2 or WebAuthn is. The only current second factor available with this embedded browser is a phone call. Even the latest version of JC (2.35.0) hasn't made any progress on this:
"Note:
Jamf Connect does not currently support hardware-based security keys at the macOS Login Window. Examples of these keys include Personal Identity Verification (PIV), Common Access Card (CAC), and security keys (e.g. Yubikey) in FIDO2, U2F, or smart card mode."
I don't know if it'll get much attention and I'm not holding my breath, but I've put in a feature request to get this looked at. This has to be putting some serious restrictions on the adoption of Jamf Connect across at least a few enterprise customers. Or maybe it's just me?
Posted on 08-05-2024 07:42 AM
The only workaround I have found to enable Yubico key is to disable JC from the login process after configuration. Yubico now prompts me for a PIN to sign in.