Jamf Connect problems with Azure AD

robbo007
New Contributor III

Hi all,
I've followed this training video (https://trainingcatalog.jamf.com/deploy-jamf-connect-with-azure/315013) and set up Azure AD with the Jamf Connect enterprise app / app registration etc. I've tested authentication with the Jamf Connect Configurator app and I get a successful token back with my Azure AD user.

I've set up a configuration profile with the Jamf Connect license key and the plists I created with my AD enterprise app settings.

I've set up a policy to deploy the jamfconnect.pkg to the client. I've deployed the configuration profiles to the client. The client has the profiles and the jamfconnect package installed and is enrolled in Jamf Pro.

I get no logon window for Microsoft AD when I reboot the Mac. I can only log on locally with my Mac user.

Any ideas where it's failing?

Thanks,


Tribruin
Valued Contributor

Are you seeing the FileVault login screen instead of the actual macOS login screen by chance? If you enter your password at the FV screen, do you get the Jamf Connect Login screen afterwards?

If that is not working, log in to your Mac and run the following command:

sudo /usr/local/bin/authchanger -reset -JamfConnect

That should enable the JamfConnect Login window.

robbo007
New Contributor III

Ok, so running that command I now get the Jamf login screen. Woohoo! Something else has gone wrong as you can see. I'm going to re-create the configuration profile as I've been messing around with different configurations and maybe I broke it and that's why it's erroring out.

Will I have to stick this command in my deployment policy for future Macs?

Tribruin
Valued Contributor

You shouldn't have to run that command if you are just doing a standard package install; the post-install script should run it automatically. Make sure your configuration profiles are installed on the computer BEFORE you install the JamfConnect package. Authchanger will read the com.jamf.connect.login preferences to properly set up your IdP.

robbo007
New Contributor III

Right, after recreating everything and checking for typos it's now working :) The only thing that's not working properly is that it's not getting the Admin role from Azure AD. I've updated the manifest in Azure with the amendments from the Jamf Connect user guide. My test user is in the admin group in the enterprise application. When I go to the Mac's Users, I see the AD user created but as Standard and not Admin.

Any ideas? Is my plist good?


Tribruin
Valued Contributor

Looks like you need to add the following entry:

<key>OIDCAdminAttribute</key>
<string>roles</string>

That key is required for Azure AD, in addition to the OIDCAdmin key listing the role(s) that should be created as Admins.

Edit to add:

Also, I want to make sure you have assigned the proper roles to Users & Groups in the Enterprise Application:

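A small check for the misconfiguration described in this answer, added here as an example (not Jamf's code and not from the thread): it parses a com.jamf.connect.login payload and reports when the Azure AD admin mapping is incomplete. The sample plist, the client ID and the "Admin" role value are constructed placeholders; it assumes OIDCAdmin is an array of role strings, as the answer above describes.

```python
import plistlib
from typing import List

# Constructed sample payload reproducing the thread's situation: Azure provider,
# OIDCAdmin lists a role, but OIDCAdminAttribute is missing. Placeholder values only.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>OIDCProvider</key>
    <string>Azure</string>
    <key>OIDCClientID</key>
    <string>00000000-0000-0000-0000-000000000000</string>
    <key>OIDCAdmin</key>
    <array>
        <string>Admin</string>
    </array>
</dict>
</plist>
"""


def check_azure_admin_mapping(plist_bytes: bytes) -> List[str]:
    """Return the problems that would leave Azure AD users as Standard instead of Admin."""
    prefs = plistlib.loads(plist_bytes)
    problems: List[str] = []
    if prefs.get("OIDCProvider") != "Azure":
        problems.append("OIDCProvider is not 'Azure'; this check assumes an Azure AD IdP")
    attr = prefs.get("OIDCAdminAttribute")
    if attr is None:
        problems.append("OIDCAdminAttribute missing: Azure AD carries app roles in the "
                        "'roles' claim, so this key must be set to 'roles'")
    elif attr != "roles":
        problems.append(f"OIDCAdminAttribute is {attr!r}; expected 'roles' for Azure AD")
    admins = prefs.get("OIDCAdmin")
    # Accept a single string as well as the array form, then validate the values.
    roles = [admins] if isinstance(admins, str) else admins
    if not roles or not all(isinstance(r, str) and r.strip() for r in roles):
        problems.append("OIDCAdmin missing or empty: list the app role value(s) that "
                        "should become local admins")
    return problems


def add_admin_attribute(plist_bytes: bytes) -> bytes:
    """Return the payload with OIDCAdminAttribute=roles added, leaving other keys intact."""
    prefs = plistlib.loads(plist_bytes)
    prefs["OIDCAdminAttribute"] = "roles"
    return plistlib.dumps(prefs)
```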

robbo007
New Contributor III

Thanks, all working now :) A great help. I gather there is no way to force password sync in the background instead of each login prompting the user to verify their password when logging in.