Jamf Connect with OKTA and role problems. Can't get users to become admin.

julienvs
New Contributor III

Hi all,

I’m trying to do something super simple but I’m obviously missing something: I’m deploying Jamf Connect with OKTA. I have two apps (Access + Admin). My user is in these two apps and I thus expect the user to be an admin on the mac (at user creation) but the user keeps getting the standard role.
Is there anything wrong in the PLIST below?
Why is my new user not getting the admin role?Thanks 

 

 

 

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AllowNetworkSelection</key>
	<true/>
	<key>AuthServer</key>
	<string>clienst_instance.okta.com</string>
	<key>CreateJamfConnectPassword</key>
	<true/>
	<key>EnableFDE</key>
	<true/>
	<key>EnableFDERecoveryKey</key>
	<true/>
	<key>Migrate</key>
	<true/>
	<key>MigrateUsersHide</key>
	<array>
		<string>ladmin</string>
	</array>
	<key>OIDCAccessClientID</key>
	<string>app1</string>
	<key>OIDCAdminClientID</key>
	<string>app2</string>
	<key>OIDCProvider</key>
	<string>Okta</string>
	<key>OIDCRedirectURI</key>
	<string>https://127.0.0.1/jamfconnect</string>
</dict>
</plist>

 

 

 

 

1 ACCEPTED SOLUTION
8 REPLIES 8

talkingmoose
Honored Contributor II

For the  OIDCAccessClientID and OIDCAdminClientID keys in your plist, you need the Client IDs of the apps you created in Okta not the names. A Client ID will look something like 0oabtovodgiI1Anjh357.

Hi @talkingmoose ,

Thanks for your reply.

I do have the correct client ID's but I've replaced them in this code snipped for privacy reasons.

mikevandelinder
New Contributor III

After logging in to the user account, take a look at the Connect login logs by going to "/private/tmp/jamf_login.log", or, in Terminal run "log show --style compact --predicate 'subsystem == "com.jamf.connect.login"' --debug --last 30m > ~/Desktop/JamfConnectLogin.log"

In the log files you're looking for mentions of messages similar to the following:

OIDC lookup working...
Processing Okta ID Token
OIDC lookup completed.
Found managed preference in com.jamf.connect.login: OIDCAdminClientID
OIDC lookup working...
OIDC lookup completed.
User granted standard access by OIDC lookup

 

Hi @mikevandelinder ,

Good tip. I should have looked there sooner.

I do find:

...
Found managed preference in com.jamf.connect.login: OIDCAccessClientID
...
Found managed preference in com.jamf.connect.login: OIDCAdminClientID
OIDC lookup working...
OIDC lookup completed.
User granted standard access by OIDC lookup

 

So based on the logs:

  • Is it correct to say it does find me in both the Access app and the Admin app?
  • It should give me admin access, right?

 

Julien

if it is coming back saying "standard" access, I would suspect the lookup isn't finding the user to be a member of the Admin client app group - any way to confirm via Okta?

Argh, I misinterpreted the logs then, I thought it did find the user in the Admin app.

The configuration is good and I re-copied everything to make sure but I'll try re-creating the admin app and see if it makes a difference.

Maybe reinstalling the machine might help too.

 

Thanks, this is already taking me a step further.

 

Julien

Exactly! Thanks 🙂