Using Jamf Connect Login with Azure - OIDC Admin

hey all, fixed this by not using the OIDCAdminAttribute field at all. it can do it based on the name of the role alone, and correctly identified me as an admin and as standard user when i changed roles on AAD.

Couple of questions that I will probably find the answer to by testing:
if i change a user's role on AAD but the account already exists, will the role change on the account? - answered this one, it changes on a logout!
does logging in via syspreferences prompts work for Azure Accounts on demand yet?
will users always have to enter their password in the azure prompt and then the JCL prompt, basically always asking for it twice? i know i'll get some user complaints if this is the case, just wondering if im missing something on that

Hi @hdsreid,

Hope you can help me. I'm trying to configure Jamf Connect with Azure at my org. One thing I can't for the life of me figure out is how to add a user to the app in AAD. Everything from MS says just open the app in Enterprise Applications and select Users and Groups from the lefthand pane. That option is not available to me.

I have configured the app to require user assignment but for whatever reason it is not allowing me to assign a user.

Thanks in advance!

@PatrickD hmm, it is now showing me the Users and Groups selection either anymore. Not sure if something changed on the AAD end or what...we never got this running in production fwiw, so I may look into this some more to get ready for the eventual transition

Thanks @hdsreid, glad I'm not the only one. I guess MS have updated their web interface and not their documentation.

@PatrickD that has been the constant struggle with Azure/O365/InTune for me lol. The interesting thing is the option is still there and configured for other Enterprise Apps, just not Jamf Connect Login.

I am not sure if anything changed on the JCL side for configuration, but I may look into reviewing that documentation again this afternoon. As you can see, there wasn't much activity in this thread back then, so I've been waiting as new features have been released for JCL.

@PatrickD just found this:

Under "Default client type", switch the Treat application as a public client setting to Yes. Important: When this setting is set to Yes, the User & groups tab will be hidden, if you navigate to Azure AD > Enterprise applications and select your app. If you need to assign specific users and groups your Jamf Connect app, disable this feature and re-enable it after users and groups are assigned.

So in AAD -> App Registrations -> Jamf Connect Login -> Authentication, under default client type, put the box at no, assign your users and groups, then toggle it back is my understanding of how this works

@hdsreid This was spot on. I was having the same issue with getting the user and groups to appear in AAD.

Thanks @hdsreid, I managed to just run a Powershell script to do what I needed to but at least I can do it through the GUI now as well.

Cheers

@norman.moore @PatrickD glad it was useful!

have either of you tried the PAM plugin for AAD? i cannot seem to get it to work

@hdsreid, I have tried the PAM plugin but found that it was only going to work by using the sudosaml command and not when you want to unlock a preference pane. That meant it wasn't really going to work for our use cases, so I didn't look into it further.

@PatrickD what do you mean by sudosaml? I added the pam plugin to the list, but am never prompted to login to azure for authentication on the sudo

@hdsreid hmm maybe I am mistaken, or this has changed since I last looked at this. From memory, you used to have to execute sudosaml instead of sudo.
Have you modified the following file /etc/pam.d/sudo as mentioned here https://docs.jamf.com/jamf-connect/1.10.0/administrator-guide/Pluggable_Authentication_Module_(PAM).html

Yep, I added the line to the file, but nothing happens. There is a known issue about AAD and PAM, but it doesn't really say what works and what is broken.
additionally, i didnt add any of those PAM specific keys to my config profile. perhaps that is needed as well?

ok i get the login popup for azure now. added those keys and also tested on a HS VM as opposed to Catalina. Figure I might as well try it on Catalina as well now

Doesn't work in catalina. wondering if the switch from bash to zsh messed anything up?

I would find it unlikely that the change in the default shell would cause issues. Surely any scripts/code run in the background would specify the shell in which to run.

Hello, I am having the same issue here. I cant seem to get it to distinguish admin vs standard. All our accounts are being set to standard even if I am an admin. This is what I have configured on the login plst.

<plist version="1.0">
<dict> <key>OIDCClientID</key> <string>Removed on purpose</string> <key>OIDCProvider</key> <string>Azure</string> <key>OIDCROPGID</key> <string>removed on purpose</string> <key>OIDCRedirectURI</key> <string>https://127.0.0.1/jamfconnect</string>
</dict>
</plist>

Also, how do I force so that the password that gets generated on the local machine is the same as AAD?

Hi @richardl9898,
I was able to solve mentioned issues by following https://travellingtechguy.blog/jamf-connect-login-with-azure/ and particularly update from 16/07/19 You need to manually modify App Registration manifest in Azure and then use correct role assignment.

This worked amazing thank you very much