Posted on 02-11-2021 08:12 AM
Hi all,
I've followed this training video (https://trainingcatalog.jamf.com/deploy-jamf-connect-with-azure/315013) and set up Azure AD with the Jamf Connect enterprise app / app registration etc. I've tested authentication with the Jamf Connect Configuration app and I get a successful token back with my Azure AD user.
I've set up a configuration profile with the Jamf Connect license key and the plists I created with my AD enterprise app settings.
I've set up a policy to deploy the jamfconnect.pkg to the client. I've deployed the configuration profiles to the client. The client has the profiles and the jamfconnect package installed and is enrolled in Jamf Pro.
I get no logon window for Microsoft AD when I reboot the Mac. I can only log on locally with my Mac user.
Any ideas where it's failing?
Thanks,
Posted on 02-11-2021 08:34 AM
Are you seeing the FileVault login screen instead of the actual macOS login screen by chance? If you enter your password at the FV screen, do you get the Jamf Connect Login screen afterwards?
If that is not working, log in to your Mac and run the following command:
sudo /usr/local/bin/authchanger -reset -JamfConnect
That should enable the JamfConnect Login window.
Posted on 02-11-2021 09:36 AM
OK, so running that command I now get the Jamf login screen. Woohoo! Something else has gone wrong as you can see. I'm going to re-create the configuration profile as I've been messing around with different configurations and maybe I broke it and that's why it's erroring out.
Will I have to stick this command in my deployment policy for future Macs?
Posted on 02-11-2021 09:55 AM
You shouldn't have to run that command if you are just doing a standard package install; the post-install script should run it automatically. Make sure your configuration profiles are installed on the computer BEFORE you install the Jamf Connect package. Authchanger will read the com.jamf.connect.login preferences to properly set up your IdP.
Posted on 02-12-2021 04:40 AM
Right, after recreating everything and checking for typos it's now working :) The only thing that's not working properly is it's not getting the Admin role from Azure AD. I've updated the manifest in Azure with the amendments from the Jamf Connect user guide. My test user is in the admin group in the enterprise application. When I go to the Mac's Users, I see the AD user created, but as Standard and not Admin.
Any ideas? Is my plist good?
Posted on 02-12-2021 06:03 AM
Looks like you need to add the following entry:
<key>OIDCAdminAttribute</key>
<string>roles</string>
That key is required for Azure AD, in addition to the OIDCAdmin key listing the role(s) that should be created as Admins.
Edit to add:
Also, want to make sure you have assigned the proper roles to Users & Groups in the Enterprise Application:
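Added example (not from the original post or from Jamf): a small check that parses a com.jamf.connect.login payload with Python's plistlib, reports whether both OIDCAdminAttribute and OIDCAdmin are present, and then applies the mapping the reply describes to the claims of a decoded ID token. The sample plist and the token claims are constructed, and treating OIDCAdmin as a list of values matched against the claim named by OIDCAdminAttribute is an assumption about the mapping, not Jamf's own code.

```python
import plistlib

# Constructed sample of a com.jamf.connect.login payload with the two keys the
# reply calls for. The "Admin" role value is a placeholder for whatever role
# name is defined in the Azure AD app manifest.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OIDCProvider</key>
    <string>Azure</string>
    <key>OIDCAdminAttribute</key>
    <string>roles</string>
    <key>OIDCAdmin</key>
    <array>
        <string>Admin</string>
    </array>
</dict>
</plist>
"""


def _admin_values(prefs):
    """Normalise OIDCAdmin to a list (a single string is also accepted)."""
    admins = prefs.get("OIDCAdmin") or []
    return [admins] if isinstance(admins, str) else list(admins)


def check_admin_mapping(plist_bytes):
    """Return a list of configuration problems; an empty list means both keys are set."""
    prefs = plistlib.loads(plist_bytes)
    problems = []
    if not prefs.get("OIDCAdminAttribute"):
        problems.append("OIDCAdminAttribute missing: no token claim is named for role lookup")
    if not _admin_values(prefs):
        problems.append("OIDCAdmin missing: no role value is mapped to a local admin account")
    return problems


def would_be_admin(plist_bytes, token_claims):
    """Assumed mapping: admin if any value of the claim named by
    OIDCAdminAttribute (e.g. 'roles' from Azure AD) appears in OIDCAdmin."""
    prefs = plistlib.loads(plist_bytes)
    attr = prefs.get("OIDCAdminAttribute")
    if not attr:
        return False
    values = token_claims.get(attr, [])
    values = [values] if isinstance(values, str) else list(values)
    return any(v in _admin_values(prefs) for v in values)
```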
Posted on 02-18-2021 01:23 AM
Thanks, all working now :) A great help. I gather there is no way to force password sync in the background instead of each login prompting the user to verify their password when logging in.