Using Jamf Connect Login with Azure - OIDC Admin

hdsreid
Contributor III

So JCL is working for me in general...I am presented with the login window, I enter my credentials, and my account is created. The real issue is coming from the OIDCAdmin key and my configuration of that. So just to run down everything I have done:
- Created JCL enterprise app and made manifest with standard/admin group
- Assigned myself as an Admin for the app in AAD
- For OIDCAdmin key in the config profile, I have role as Admin. That is the name of the Admin assignment from before on AAD
- I set OIDCAdminAttribute to the key in the manifest for admin users

With all of those set, I log in with that AAD account at the login window, and every time I still appear as a standard user. In Directory Utility, the NetworkUser is set to the correct email. Any ideas?


hdsreid
Contributor III

hey all, fixed this by not using the OIDCAdminAttribute field at all. it can do it based on the name of the role alone, and correctly identified me as an admin and as standard user when i changed roles on AAD.

Couple of questions that I will probably find the answer to by testing:
if i change a user's role on AAD but the account already exists, will the role change on the account? - answered this one, it changes on a logout!
does logging in via syspreferences prompts work for Azure Accounts on demand yet?
will users always have to enter their password in the azure prompt and then the JCL prompt, basically always asking for it twice? i know i'll get some user complaints if this is the case, just wondering if im missing something on that

PatrickD
Contributor II

Hi @hdsreid,

Hope you can help me. I'm trying to configure Jamf Connect with Azure at my org. One thing I can't for the life of me figure out is how to add a user to the app in AAD. Everything from MS says just open the app in Enterprise Applications and select Users and Groups from the lefthand pane. That option is not available to me.

I have configured the app to require user assignment but for whatever reason it is not allowing me to assign a user.

Thanks in advance!

hdsreid
Contributor III

@PatrickD hmm, it is not showing me the Users and Groups selection either anymore. Not sure if something changed on the AAD end or what...we never got this running in production fwiw, so I may look into this some more to get ready for the eventual transition

PatrickD
Contributor II

Thanks @hdsreid, glad I'm not the only one. I guess MS have updated their web interface and not their documentation.

hdsreid
Contributor III

@PatrickD that has been the constant struggle with Azure/O365/InTune for me lol. The interesting thing is the option is still there and configured for other Enterprise Apps, just not Jamf Connect Login.

I am not sure if anything changed on the JCL side for configuration, but I may look into reviewing that documentation again this afternoon. As you can see, there wasn't much activity in this thread back then, so I've been waiting as new features have been released for JCL.

hdsreid
Contributor III

@PatrickD just found this:

Under "Default client type", switch the Treat application as a public client setting to Yes. Important: When this setting is set to Yes, the User & groups tab will be hidden, if you navigate to Azure AD > Enterprise applications and select your app. If you need to assign specific users and groups to your Jamf Connect app, disable this feature and re-enable it after users and groups are assigned.

So in AAD -> App Registrations -> Jamf Connect Login -> Authentication, under default client type, put the box at no, assign your users and groups, then toggle it back is my understanding of how this works

norman_moore
New Contributor II

@hdsreid This was spot on. I was having the same issue with getting the user and groups to appear in AAD.

PatrickD
Contributor II

Thanks @hdsreid, I managed to just run a PowerShell script to do what I needed to but at least I can do it through the GUI now as well.

Cheers

hdsreid
Contributor III

@norman.moore @PatrickD glad it was useful!

have either of you tried the PAM plugin for AAD? i cannot seem to get it to work

PatrickD
Contributor II

@hdsreid, I have tried the PAM plugin but found that it was only going to work by using the sudosaml command and not when you want to unlock a preference pane. That meant it wasn't really going to work for our use cases, so I didn't look into it further.

hdsreid
Contributor III

@PatrickD what do you mean by sudosaml? I added the pam plugin to the list, but am never prompted to login to azure for authentication on the sudo

PatrickD
Contributor II

@hdsreid hmm maybe I am mistaken, or this has changed since I last looked at this. From memory, you used to have to execute sudosaml instead of sudo.
Have you modified the following file /etc/pam.d/sudo as mentioned here? https://docs.jamf.com/jamf-connect/1.10.0/administrator-guide/Pluggable_Authentication_Module_(PAM).html

hdsreid
Contributor III

Yep, I added the line to the file, but nothing happens. There is a known issue about AAD and PAM, but it doesn't really say what works and what is broken.
additionally, i didn't add any of those PAM specific keys to my config profile. perhaps that is needed as well?

hdsreid
Contributor III

ok i get the login popup for azure now. added those keys and also tested on a HS VM as opposed to Catalina. Figure I might as well try it on Catalina as well now

Doesn't work in catalina. wondering if the switch from bash to zsh messed anything up?

PatrickD
Contributor II

I would find it unlikely that the change in the default shell would cause issues. Surely any scripts/code run in the background would specify the shell in which to run.

richardl9898
New Contributor

Hello, I am having the same issue here. I can't seem to get it to distinguish admin vs standard. All our accounts are being set to standard even if I am an admin. This is what I have configured on the login plist.

<plist version="1.0">
<dict>
    <key>OIDCClientID</key>
    <string>Removed on purpose</string>
    <key>OIDCProvider</key>
    <string>Azure</string>
    <key>OIDCROPGID</key>
    <string>removed on purpose</string>
    <key>OIDCRedirectURI</key>
    <string>https://127.0.0.1/jamfconnect</string>
</dict>
</plist>

Also, how do I force so that the password that gets generated on the local machine is the same as AAD?

tadeas_kinkor-P
New Contributor II

Hi @richardl9898,
I was able to solve mentioned issues by following https://travellingtechguy.blog/jamf-connect-login-with-azure/ and particularly update from 16/07/19. You need to manually modify App Registration manifest in Azure and then use correct role assignment.
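
A way to troubleshoot the admin-versus-standard result discussed in this thread is to decode the ID token and compare its role values with the OIDCAdmin values in the login profile. This is an added example, not part of any post above and not Jamf's code. Assumptions: the role names arrive in a `roles` claim when OIDCAdminAttribute is unset, matching is an exact string comparison, and the helper names, the sample profiles (including the `groups` attribute value) and the unsigned token are constructed for illustration.

```python
import base64
import json
import plistlib


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def admin_decision(profile: bytes, id_token: str, default_attr: str = "roles") -> dict:
    """Compare the profile's OIDCAdmin values with the token claim they are matched on."""
    prefs = plistlib.loads(profile)
    wanted = prefs.get("OIDCAdmin", [])
    wanted = [wanted] if isinstance(wanted, str) else list(wanted)
    # ASSUMPTION: with no OIDCAdminAttribute set, the "roles" claim is inspected.
    attr = prefs.get("OIDCAdminAttribute", default_attr)
    found = jwt_claims(id_token).get(attr, [])
    found = [found] if isinstance(found, str) else list(found)
    matched = sorted(set(wanted) & set(found))
    return {"attribute": attr, "token_values": found,
            "matched": matched, "admin": bool(matched)}


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample data, not taken from any real tenant.
BASE = {"OIDCProvider": "Azure", "OIDCClientID": "00000000-0000-0000-0000-000000000000",
        "OIDCRedirectURI": "https://127.0.0.1/jamfconnect"}
PROFILE_NO_ADMIN_KEY = plistlib.dumps(BASE)
PROFILE_ROLE_NAME = plistlib.dumps({**BASE, "OIDCAdmin": ["Admin"]})
PROFILE_WRONG_ATTR = plistlib.dumps({**BASE, "OIDCAdmin": ["Admin"],
                                     "OIDCAdminAttribute": "groups"})
TOKEN = make_sample_token({"preferred_username": "user@example.com", "roles": ["Admin"]})

if __name__ == "__main__":
    for name, prof in [("no OIDCAdmin", PROFILE_NO_ADMIN_KEY),
                       ("role name only", PROFILE_ROLE_NAME),
                       ("attribute mismatch", PROFILE_WRONG_ATTR)]:
        print(name, admin_decision(prof, TOKEN))
```

Only the profile that lists the role name and reads the claim actually present in the token yields `admin: True`; a profile with no OIDCAdmin key, or one whose attribute names a claim the token does not carry, yields a standard account.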