Posted on 08-31-2021 02:08 PM
Hi all,
I’m trying to do something super simple but I’m obviously missing something: I’m deploying Jamf Connect with OKTA. I have two apps (Access + Admin). My user is in these two apps and I thus expect the user to be an admin on the mac (at user creation) but the user keeps getting the standard role.
Is there anything wrong in the PLIST below?
Why is my new user not getting the admin role?
Thanks
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AllowNetworkSelection</key>
    <true/>
    <key>AuthServer</key>
    <string>client_instance.okta.com</string>
    <key>CreateJamfConnectPassword</key>
    <true/>
    <key>EnableFDE</key>
    <true/>
    <key>EnableFDERecoveryKey</key>
    <true/>
    <key>Migrate</key>
    <true/>
    <key>MigrateUsersHide</key>
    <array>
        <string>ladmin</string>
    </array>
    <key>OIDCAccessClientID</key>
    <string>app1</string>
    <key>OIDCAdminClientID</key>
    <string>app2</string>
    <key>OIDCProvider</key>
    <string>Okta</string>
    <key>OIDCRedirectURI</key>
    <string>https://127.0.0.1/jamfconnect</string>
</dict>
</plist>
Posted on 08-31-2021 02:45 PM
For the OIDCAccessClientID and OIDCAdminClientID keys in your plist, you need the Client IDs of the apps you created in Okta not the names. A Client ID will look something like 0oabtovodgiI1Anjh357.
Posted on 08-31-2021 11:11 PM
Hi @talkingmoose ,
Thanks for your reply.
I do have the correct client IDs, but I've replaced them in this code snippet for privacy reasons.
08-31-2021 02:55 PM - edited 08-31-2021 02:57 PM
After logging in to the user account, take a look at the Connect login logs by going to "/private/tmp/jamf_login.log", or, in Terminal run "log show --style compact --predicate 'subsystem == "com.jamf.connect.login"' --debug --last 30m > ~/Desktop/JamfConnectLogin.log"
In the log files you're looking for mentions of messages similar to the following:
OIDC lookup working...
Processing Okta ID Token
OIDC lookup completed.
Found managed preference in com.jamf.connect.login: OIDCAdminClientID
OIDC lookup working...
OIDC lookup completed.
User granted standard access by OIDC lookup
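As an added example (not code from the thread or from Jamf), the two checks suggested above can be scripted: verify that the `OIDCAccessClientID` / `OIDCAdminClientID` values in the plist look like Okta Client IDs rather than app names, and pull the access level the OIDC lookup granted out of the login log (the output of the `log show` command above, or `/private/tmp/jamf_login.log`). The Client ID shape check is a heuristic based only on the example ID quoted earlier (20 characters starting with `0oa`); the assumption that an admin grant is logged with the same "User granted … access by OIDC lookup" phrasing as the standard grant is mine, as is all sample data, which is constructed inline.

```shell
#!/bin/sh
# Added example: sanity-check a Jamf Connect login plist and classify the
# OIDC lookup outcome from the login log. Not Jamf's code.

# Print the <string> that follows <key>$2</key> in plist $1 (key and value on
# separate lines, as in the plist posted above). Prints nothing if not found.
plist_value() {
  awk -v key="<key>$2</key>" '
    $0 ~ key { want = 1; next }
    want && /<string>/ {
      gsub(/^[ \t]*<string>|<\/string>[ \t]*$/, "")
      print; exit
    }
  ' "$1"
}

# Heuristic (assumption, modelled on the example ID in the reply above): an
# Okta app Client ID is 20 characters beginning with "0oa". A human-readable
# app name such as "app2" fails this test.
looks_like_okta_client_id() {
  printf '%s\n' "$1" | grep -Eq '^0oa[A-Za-z0-9]{17}$'
}

# Exit 0 if both OIDC client ID keys hold plausible Client IDs, 1 otherwise
# (naming the offending key on stderr).
check_client_ids() {
  rc=0
  for k in OIDCAccessClientID OIDCAdminClientID; do
    v=$(plist_value "$1" "$k")
    if ! looks_like_okta_client_id "$v"; then
      echo "$k='$v' does not look like an Okta Client ID" >&2
      rc=1
    fi
  done
  return $rc
}

# Print the access level the OIDC lookup granted ("standard", "admin", ...) as
# found in log file $1, or "none" if no grant line is present. Assumes the admin
# outcome is logged with the same phrasing as the standard grant shown above.
grant_from_log() {
  level=$(sed -n 's/.*User granted \([a-z]*\) access by OIDC lookup.*/\1/p' "$1" | tail -n 1)
  printf '%s\n' "${level:-none}"
}

# --- constructed sample inputs (made up for this example) ---
TMP=$(mktemp -d)

# Placeholder app names instead of Client IDs, as in the original post.
cat > "$TMP/names.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>OIDCAccessClientID</key>
    <string>app1</string>
    <key>OIDCAdminClientID</key>
    <string>app2</string>
</dict>
</plist>
EOF

# Values shaped like real Okta Client IDs (first one is the example quoted in
# the thread; the second is invented for this example).
cat > "$TMP/ids.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>OIDCAccessClientID</key>
    <string>0oabtovodgiI1Anjh357</string>
    <key>OIDCAdminClientID</key>
    <string>0oaexampleAdminId001</string>
</dict>
</plist>
EOF

# Constructed excerpt mirroring the log lines quoted in the thread.
cat > "$TMP/login.log" <<'EOF'
Found managed preference in com.jamf.connect.login: OIDCAccessClientID
Found managed preference in com.jamf.connect.login: OIDCAdminClientID
OIDC lookup working...
OIDC lookup completed.
User granted standard access by OIDC lookup
EOF

# Demo run on the constructed inputs.
check_client_ids "$TMP/names.plist" || echo "names.plist: placeholder values, fix before deploying"
check_client_ids "$TMP/ids.plist" && echo "ids.plist: client IDs look right"
echo "OIDC lookup granted: $(grant_from_log "$TMP/login.log")"
```

On a real Mac, replace the constructed log with the output of the `log show` command above (or `/private/tmp/jamf_login.log`); "standard" from `grant_from_log` together with a passing `check_client_ids` points at the Okta side (user not assigned to the admin app) rather than at the plist.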
Posted on 08-31-2021 11:16 PM
Hi @mikevandelinder ,
Good tip. I should have looked there sooner.
I do find:
...
Found managed preference in com.jamf.connect.login: OIDCAccessClientID
...
Found managed preference in com.jamf.connect.login: OIDCAdminClientID
OIDC lookup working...
OIDC lookup completed.
User granted standard access by OIDC lookup
So based on the logs:
Julien
Posted on 09-01-2021 07:09 AM
If it is coming back saying "standard" access, I would suspect the lookup isn't finding the user to be a member of the Admin client app group. Any way to confirm via Okta?
Posted on 09-02-2021 01:14 AM
Argh, I misinterpreted the logs then, I thought it did find the user in the Admin app.
The configuration is good and I re-copied everything to make sure but I'll try re-creating the admin app and see if it makes a difference.
Maybe reinstalling the machine might help too.
Thanks, this is already taking me a step further.
Julien
Posted on 09-03-2021 02:11 PM
Posted on 09-09-2021 01:32 AM
Exactly! Thanks 🙂