Posted on 02-21-2024 01:53 PM
Hey Everyone,
I have been battling this issue for quite some time and have done rigorous testing, but have sincerely hit a wall with this issue. My organization is prepping to remove Administrator access from all users on our macOS systems; this requires them all to be converted to a Standard user. (We have a "MakeMeAnAdmin" script in place in JSS we plan to utilize.)
MacOS: 14.3.1
Jamf Connect: 2.32.0
We use Jamf Connect with Azure/EntraID so users can authenticate on login, we have the app roles setup for the app registration in Azure with two groups, MacUserAdmin-Entra & MacUserStandard-Entra with the correct roles tied to each (Administrator & Standard)
The Problem:
Whenever a user is moved into the group tied to the STANDARD role in Azure and attempts to login to Jamf Connect on one of our Macs they can enter the O365 email, PW, verify 2FA, but then hit a "Yellow Exclamation Point" box with simply an "Okay" button. Once you click "Okay" you are kicked back to the Jamf Connect login within 10 seconds or so.
If a user is in the ADMINISTRATOR group tied to that role or switched back from the STANDARD they can login just fine and have those administrative privileges. It just seems Jamf Connect hates users in the group tied to the Standard role for some reason.
I can login as another local admin account (bypass Jamf Connect and use local login as another user) and see that the user in fact was converted to Standard via the System Settings Users & Groups section when moved into the group tied to the Standard role but cannot log in.
I tried various configurations for the Jamf Connect Login test profile to try and remediate this issue. I used the Jamf Connect Configuration.app included in the DMG with the latest version of Jamf Connect 2.32.0. I even made one from scratch but ran into more issues, so I went back to my original and made some edits, even scrapping most things away, but the issue persisted. Here is my current configuration profile for Jamf Connect Login (excluding some private info) that currently works for all folks to log in as an Administrator but fails when they are in the STANDARD group:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowNetworkSelection</key>
<true/>
<key>BackgroundImage</key>
<string>/usr/local/jamf/bin/XXXXXX.jpg</string>
<key>CreateJamfConnectPassword</key>
<true/>
<key>DemobilizeUsers</key>
<true/>
<key>DenyLocal</key>
<true/>
<key>DenyLocalExcluded</key>
<array>
<string>XXXXXXXXXXX</string>
<string>XXXXXXXXXXX</string>
</array>
<key>EnableFDE</key>
<true/>
<key>LocalFallback</key>
<true/>
<key>LoginLogo</key>
<string>/usr/local/jamfconnect/logo.png</string>
<key>LoginWindowMessage</key>
<string>If you need help please submit a ticket via the Support PortalX</string>
<key>Migrate</key>
<true/>
<key>MigrateUsersHide</key>
<array>
<string>XXX</string>
<string>XXX</string>
</array>
<key>OIDCAdmin</key>
<array>
<string>Administrator</string>
</array>
<key>OIDCAdminAttribute</key>
<string>roles</string>
<key>OIDCClientID</key>
<string>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</string>
<key>OIDCNewPassword</key>
<false/>
<key>OIDCProvider</key>
<string>EntraID</string>
<key>OIDCROPGID</key>
<string>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</string>
<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>
<key>OIDCTenant</key>
<string>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</string>
<key>ROPGProvider</key>
<string>Azure_v2</string>
<key>ROPGRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>
<key>ROPGTenant</key>
<string>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</string>
<key>OIDCUsePassthroughAuth</key>
<true/>
</dict>
</plist>
I confirmed in the Jamf Connect Configuration.app that the above works via the OIDC test and gives me a token for the test user when in the Administrator or Standard group!
Another thing I tried to ensure it was not Jamf Connect Menu related was unscoping that profile entirely from the test machine and attempting sign in as a test user in the Standard group but that fixed nothing, same yellow exclamation mark.
Next, I moved the user back into the Administrator group and signed in as normal. I pushed a policy with a script to demote the user to Standard and it did. Then when restarting I added the user back to the group in Azure tied to Standard user and the same thing! No progress!
Now I am stuck, not sure where to go from here. The only things I could find related to this on this forum or the MacAdmins Slack channel were something related to Jamf Helper (which I believe we do not utilize anywhere) or Swift, but I am unsure how to "downgrade" that and if that's even the cause!
Looking forward to seeing if anyone else has run into this or can pick out my issue! Questions? Ask away!
Thank You,
Paul
Posted on 02-22-2024 11:52 AM
Do you have a profile with settings for the default login window installed? I encountered an issue with conflicting permissions which resulted in a similar error with Jamf Connect.
Posted on 02-22-2024 07:55 AM
Looks like you have already dug really deep, but just to ask the obvious what do the logs say? With the blank message, it's probably a blank log event but you may see the server response code.
The device is dropping to a standard account, but it still feels like something is wrong on the Azure configuration with the Jamf Connect App.
JAMF Connect Login (the lock screen)

Command | Output
log show --style compact --predicate 'subsystem == "com.jamf.connect.login"' --debug > ~/Desktop/JamfConnect.log | Outputs all historical logs to a file.
log show --style compact --predicate 'subsystem == "com.jamf.connect.login"' --debug --last 30m > ~/Desktop/JamfConnect.log | Outputs recent logs to a file. This example collects logs from the last 30 minutes.
log stream --style compact --predicate 'subsystem == "com.jamf.connect.login"' --debug | Streams current logs in Terminal.

JAMF Connect (Menu Bar)

Command | Output
log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug > ~/Desktop/JamfConnect.log | Outputs all historical logs to a file.
log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug --last 30m > ~/Desktop/JamfConnect.log | Outputs recent logs to a file. This example collects logs from the last 30 minutes.
log stream --style compact --predicate 'subsystem == "com.jamf.connect"' --debug | Streams current logs in Terminal.
Posted on 02-22-2024 01:40 PM
@AJPinto Ah, the legend himself! I have gotten much help from your posts and responses in the past; thank you for reaching out! I checked those logs and you are right, blank and not much to go on. I appreciate your insight!
@_gsm I believe you need a gold medal, the stupid Login Banner message configuration profile was causing this! I removed it and now the user can login as standard! YOU GENIUS! This has been driving me INSANE.
Thank you both!
2 weeks ago
If you need to set up a Login config profile, you need to apply it before the Jamf Connect config profiles and it will work fine.
Interesting bug which is still not fixed...
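The resolution above (a login window / Login Banner profile installed alongside the Jamf Connect Login profile breaks sign-in for Standard users, and the ordering post says the login window profile has to land first) suggests a quick check to run on a Mac before troubleshooting Azure roles. The script below is an added example, not code from the thread or from Jamf. It assumes the installed profiles are read with `profiles -C -o stdout-xml`, that the login window payload has PayloadType `com.apple.loginwindow` and the Jamf Connect Login payload has PayloadType `com.jamf.connect.login` (neither value is stated in the thread), and it accepts a saved plist file as its argument so it can be run offline against the constructed sample it writes itself.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): report when a login window
# configuration profile is installed on the same Mac as the Jamf Connect Login
# profile, the combination the thread identifies as the cause of the failure.
#
# Assumptions: `profiles -C -o stdout-xml` lists installed profiles as a plist;
# the login window payload uses PayloadType com.apple.loginwindow and the
# Jamf Connect Login payload uses PayloadType com.jamf.connect.login.
# Pass a saved plist file as $1 to run against it instead of the live system.

LOGINWINDOW_TYPE="com.apple.loginwindow"
JAMF_CONNECT_LOGIN_TYPE="com.jamf.connect.login"

# Print the profiles plist: from a file when one is given, else from the system.
dump_profiles() {
  if [ -n "$1" ]; then
    cat "$1"
  else
    profiles -C -o stdout-xml
  fi
}

# List every distinct PayloadType in the plist, one per line. The awk program
# notes a <key>PayloadType</key> and prints the next <string> value, whether
# it sits on the same line or on the following one.
payload_types() {
  dump_profiles "$1" | awk '
    /<key>PayloadType<\/key>/ { want = 1; sub(/.*<key>PayloadType<\/key>/, "") }
    want && /<string>/ {
      sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
      print; want = 0
    }' | sort -u
}

# Return 1 (and say so) when both payload types are present, 0 otherwise.
check_conflict() {
  has_loginwindow=0
  has_jamf_connect=0
  for t in $(payload_types "$1"); do
    case "$t" in
      "$LOGINWINDOW_TYPE") has_loginwindow=1 ;;
      "$JAMF_CONNECT_LOGIN_TYPE") has_jamf_connect=1 ;;
    esac
  done
  if [ "$has_loginwindow" -eq 1 ] && [ "$has_jamf_connect" -eq 1 ]; then
    echo "CONFLICT: $LOGINWINDOW_TYPE is installed alongside $JAMF_CONNECT_LOGIN_TYPE"
    return 1
  fi
  echo "OK: no login window payload installed alongside Jamf Connect Login"
  return 0
}

# Write a constructed sample in the shape of `profiles -C -o stdout-xml` output
# to $1. $2 = "yes" includes a login window payload; anything else omits it.
write_sample_profiles() {
  {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0">' \
      '<dict>' '<key>_computerlevel</key>' '<array>'
    if [ "$2" = "yes" ]; then
      printf '%s\n' '<dict>' '<key>ProfileDisplayName</key>' '<string>Login Banner</string>' \
        '<key>ProfileItems</key>' '<array>' '<dict>' '<key>PayloadType</key>' \
        "<string>$LOGINWINDOW_TYPE</string>" '</dict>' '</array>' '</dict>'
    fi
    printf '%s\n' '<dict>' '<key>ProfileDisplayName</key>' '<string>Jamf Connect Login</string>' \
      '<key>ProfileItems</key>' '<array>' '<dict>' '<key>PayloadType</key>' \
      "<string>$JAMF_CONNECT_LOGIN_TYPE</string>" '</dict>' '</array>' '</dict>'
    printf '%s\n' '</array>' '</dict>' '</plist>'
  } > "$1"
}

# `sh check_profiles.sh --demo` runs the check against the constructed sample;
# `sh check_profiles.sh` on a Mac runs it against the installed profiles.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sample_profiles "$f" yes
  check_conflict "$f"
  rm -f "$f"
elif [ "${1:-}" = "--live" ]; then
  check_conflict ""
fi
```

The check only looks at payload types, so a login window profile that carries no LoginwindowText still counts as present; that is deliberate, since the thread's fix was removing the whole profile rather than a single key.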