Posted on 06-19-2023 09:42 AM
Hello,
I'm currently working on a mass deployment of Jamf Connect Login for Azure. The primary goal is to demobilize accounts on a mass scale. However, I am keen on ensuring that this deployment process is as silent and non-disruptive to our users' workflow as possible.
Here's what I have for my current .plist configuration for Jamf Connect Login:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AllowNetworkSelection</key>
    <true/>
    <key>CreateNewUserHide</key>
    <true/>
    <key>CreateJamfConnectPassword</key>
    <true/>
    <key>LicenseFile</key>
    <data>*license key value*</data>
    <key>OIDCAdminAttribute</key>
    <string>roles</string>
    <key>OIDCClientID</key>
    <string>*client_id*</string>
    <key>OIDCNewPassword</key>
    <false/>
    <key>OIDCProvider</key>
    <string>Azure</string>
    <key>OIDCROPGID</key>
    <string>*client_id*</string>
    <key>OIDCRedirectURI</key>
    <string>https://127.0.0.1/jamfconnect</string>
    <key>OIDCTenant</key>
    <string>*tenant_id*</string>
    <key>OIDCUsePassthroughAuth</key>
    <true/>
    <key>DenyLocal</key>
    <true/>
    <key>DenyLocalExcluded</key>
    <array>
        <string>helpdeskv2</string>
    </array>
    <key>LocalFallback</key>
    <true/>
    <key>Migrate</key>
    <false/>
    <key>MigrateUsersHide</key>
    <array>
        <string>helpdeskv2</string>
        <string>jamf_manage</string>
    </array>
    <key>DemobilizeUsers</key>
    <true/>
    <key>OIDCAdmin</key>
    <array>
        <string>Administrator</string>
    </array>
    <key>CreateAdminUser</key>
    <true/>
    <key>OIDCIgnoreAdmin</key>
    <true/>
</dict>
</plist>
In my testing, I managed to prevent the Jamf Connect login window from popping up every time a user logs in. However, I found that Jamf Connect did not start at all after the login. Is there a way to ensure that Jamf Connect runs silently in the background, without a need for the login prompt, while still functioning as expected?
Also, during my preliminary testing, I noticed that the Jamf Connect Login screen for Azure gets displayed after a system reboot. My concern lies with the possibility of this potentially bewildering users who aren't accustomed to it. Is there a process to get around this screen, while still ensuring all functionalities of Jamf Connect are intact and operating as expected?
06-20-2023 04:45 AM - edited 06-20-2023 04:46 AM
For the run at login you should likely just need to deploy the bundled JamfConnectLaunchAgent.pkg that is found in the resources folder of a JC release, which has a keep alive flag and a run at load flag. You can also just suppress the JC login window until you are ready by bundling a script or command to the deployment policy that just runs the below to reset the screen to the macOS default.
/usr/local/bin/authchanger --reset
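Before pushing a configuration like the one in the question to a fleet, it is worth a preflight that catches the two things most likely to go wrong silently: tenant-specific values still left as placeholders, and a LaunchAgent that is missing the RunAtLoad/KeepAlive settings the reply above relies on. The script below is an added example written for this thread; it is not code from the original poster or from Jamf. It assumes the `*value*` placeholder convention used in the post, treats the OIDC and license keys shown in the post as the set this particular rollout must fill in (an assumption for this deployment, not Jamf's documented requirements), and uses constructed sample plists, including a hypothetical agent label and program path, in place of Jamf's real LaunchAgent.

```python
import plistlib
from typing import List
from urllib.parse import urlparse

# Keys this rollout must supply before mass deployment. Assumption for this
# thread's configuration, taken from the keys in the post, not a Jamf rule.
VALUES_TO_FILL = ("LicenseFile", "OIDCProvider", "OIDCClientID",
                  "OIDCTenant", "OIDCRedirectURI")

# Constructed sample config in the shape of the post's plist. The <data> blob is
# base64 of the literal string "PLACEHOLDER", not a real license.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LicenseFile</key>
    <data>UExBQ0VIT0xERVI=</data>
    <key>OIDCProvider</key>
    <string>Azure</string>
    <key>OIDCClientID</key>
    <string>*client_id*</string>
    <key>OIDCROPGID</key>
    <string>*client_id*</string>
    <key>OIDCTenant</key>
    <string>*tenant_id*</string>
    <key>OIDCRedirectURI</key>
    <string>https://127.0.0.1/jamfconnect</string>
    <key>Migrate</key>
    <false/>
    <key>DemobilizeUsers</key>
    <true/>
</dict>
</plist>
"""

# The same config with the placeholders filled with constructed (all-zero) IDs.
FILLED_CONFIG = (SAMPLE_CONFIG
                 .replace(b"*client_id*", b"00000000-0000-0000-0000-000000000000")
                 .replace(b"*tenant_id*", b"00000000-0000-0000-0000-000000000000"))

# Constructed launchd agent plists; label and program path are hypothetical.
SAMPLE_AGENT_OK = plistlib.dumps({
    "Label": "example.jamfconnect.launchagent",          # hypothetical label
    "ProgramArguments": ["/PLACEHOLDER/path/to/agent"],   # hypothetical path
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_AGENT_NO_RUNATLOAD = plistlib.dumps({
    "Label": "example.jamfconnect.launchagent",
    "ProgramArguments": ["/PLACEHOLDER/path/to/agent"],
    "KeepAlive": True,
})


def is_placeholder(value: str) -> bool:
    """True for values still in the post's *placeholder* form."""
    return len(value) >= 2 and value.startswith("*") and value.endswith("*")


def check_login_config(raw: bytes) -> List[str]:
    """Return a list of findings for a Jamf Connect Login config; [] means clean."""
    try:
        cfg = plistlib.loads(raw)
    except Exception as exc:  # malformed XML, or non-base64 text in a <data> element
        return [f"plist does not parse: {exc}"]

    findings = []
    # 1. Any string still in *placeholder* form was never filled in.
    for key, value in cfg.items():
        if isinstance(value, str) and is_placeholder(value):
            findings.append(f"{key}: placeholder {value!r} not replaced")
    # 2. Keys this rollout depends on must be present at all.
    for key in VALUES_TO_FILL:
        if key not in cfg:
            findings.append(f"{key}: missing")
    # 3. LicenseFile is a <data> blob; plistlib gives bytes, and empty means a packaging slip.
    lic = cfg.get("LicenseFile")
    if lic is not None and (not isinstance(lic, bytes) or not lic):
        findings.append("LicenseFile: empty or not a <data> element")
    # 4. The redirect URI must be an absolute URL (scheme and host present).
    uri = cfg.get("OIDCRedirectURI", "")
    parsed = urlparse(uri)
    if not (parsed.scheme and parsed.netloc):
        findings.append(f"OIDCRedirectURI: not an absolute URL: {uri!r}")
    # 5. The poster's stated goal is demobilizing accounts, so DemobilizeUsers must be true.
    if cfg.get("DemobilizeUsers") is not True:
        findings.append("DemobilizeUsers: not enabled; accounts will not be demobilized")
    return findings


def agent_runs_at_login(raw: bytes) -> bool:
    """True if a launchd plist has both RunAtLoad and KeepAlive set, as the reply describes."""
    agent = plistlib.loads(raw)
    # KeepAlive may be a bool or a dict of conditions in launchd; either counts as set here.
    return bool(agent.get("RunAtLoad")) and bool(agent.get("KeepAlive"))


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_CONFIG), ("filled", FILLED_CONFIG)):
        print(name, check_login_config(blob) or "OK")
    print("agent ok:", agent_runs_at_login(SAMPLE_AGENT_OK))
    print("agent missing RunAtLoad:", agent_runs_at_login(SAMPLE_AGENT_NO_RUNATLOAD))
```

Run it against the exported profile and the LaunchAgent plist extracted from the package before the deployment policy goes live; an empty findings list and `agent_runs_at_login(...) == True` are the two conditions to gate on. Placeholder detection is deliberately strict about the `*...*` form, so adopt whatever marker convention the team actually uses when templating the profile.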