So JCL is working for me in general... I am presented with the login window, I enter my credentials, and my account is created. The real issue is coming from the OIDCAdmin key and my configuration of that. So, just to run down everything I have done:
- Created JCL enterprise app and made manifest with standard/admin group
- Assigned myself as an Admin for the app in AAD
- For the OIDCAdmin key in the config profile, I have the role as Admin. That is the name of the Admin assignment from before on AAD
- I set OIDCAdminAttribute to the key in the manifest for admin users
With all of those set, I log in with that AAD account at the login window, and every time I still appear as a standard user. In Directory Utility, the NetworkUser is set to the correct email. Any ideas?
Hey all, fixed this by not using the OIDCAdminAttribute field at all. It can do it based on the name of the role alone, and correctly identified me as an admin and as a standard user when I changed roles on AAD.
Couple of questions that I will probably find the answer to by testing:
- If I change a user's role on AAD but the account already exists, will the role change on the account? - Answered this one: it changes on a logout!
- Does logging in via the System Preferences prompts work for Azure accounts on demand yet?
- Will users always have to enter their password in the Azure prompt and then the JCL prompt, basically always asking for it twice? I know I'll get some user complaints if this is the case, just wondering if I'm missing something on that.
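As an added illustration (not Jamf's code and not anything from this thread), the check below models how the OIDCAdmin role-name comparison behaves against the claims of a verified Azure AD ID token, including the failure mode where OIDCAdminAttribute points at a claim that never appears in the token. The claims are constructed, and the default claim name "roles" and the exact, case-sensitive match are assumptions.

```python
from collections.abc import Sequence
from typing import Any, Mapping

# Constructed sample claims, standing in for the payload of an Azure AD ID
# token after its signature has been verified, for a user assigned the
# "Admin" app role defined in the app manifest. Azure AD places assigned
# app roles in the "roles" claim.
SAMPLE_ID_TOKEN_CLAIMS: Mapping[str, Any] = {
    "preferred_username": "user@example.com",
    "name": "Example User",
    "roles": ["Admin"],
}


def token_grants_admin(
    claims: Mapping[str, Any],
    oidc_admin: str,
    oidc_admin_attribute: str = "roles",  # assumed default claim name
) -> bool:
    """True if the configured admin role value appears in the named claim."""
    value = claims.get(oidc_admin_attribute)
    if value is None:
        # Claim absent: pointing OIDCAdminAttribute at a manifest key that is
        # not emitted as a token claim makes every user land here, i.e.
        # standard, which is the symptom described in the thread.
        return False
    if isinstance(value, str):
        values = [value]
    elif isinstance(value, Sequence):
        values = [v for v in value if isinstance(v, str)]
    else:
        return False
    # Exact, case-sensitive comparison with the role name (e.g. "Admin").
    return oidc_admin in values


def classify_account(
    claims: Mapping[str, Any],
    oidc_admin: str,
    oidc_admin_attribute: str = "roles",
) -> str:
    """Local account type the login would create for these claims."""
    is_admin = token_grants_admin(claims, oidc_admin, oidc_admin_attribute)
    return "admin" if is_admin else "standard"


if __name__ == "__main__":
    print(classify_account(SAMPLE_ID_TOKEN_CLAIMS, "Admin"))              # admin
    print(classify_account(SAMPLE_ID_TOKEN_CLAIMS, "Admin", "appRoles"))  # standard
```

Only claims from a token whose signature and issuer have already been validated should reach this check; the role mapping itself adds no trust.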
Hope you can help me. I'm trying to configure Jamf Connect with Azure at my org. One thing I can't for the life of me figure out is how to add a user to the app in AAD. Everything from MS says to just open the app in Enterprise Applications and select Users and Groups from the left-hand pane. That option is not available to me.
I have configured the app to require user assignment but for whatever reason it is not allowing me to assign a user.
Thanks in advance!
@PatrickD that has been the constant struggle with Azure/O365/Intune for me lol. The interesting thing is the option is still there and configured for other Enterprise Apps, just not Jamf Connect Login.
I am not sure if anything changed on the JCL side for configuration, but I may look into reviewing that documentation again this afternoon. As you can see, there wasn't much activity in this thread back then, so I've been waiting as new features have been released for JCL.
@PatrickD just found this:
Under "Default client type", switch the "Treat application as a public client" setting to Yes. Important: When this setting is set to Yes, the Users & groups tab will be hidden if you navigate to Azure AD > Enterprise applications and select your app. If you need to assign specific users and groups to your Jamf Connect app, disable this feature and re-enable it after users and groups are assigned.
So in AAD -> App Registrations -> Jamf Connect Login -> Authentication, under "Default client type", set it to No, assign your users and groups, then toggle it back. That is my understanding of how this works.
@hdsreid hmm maybe I am mistaken, or this has changed since I last looked at this. From memory, you used to have to execute sudosaml instead of sudo.
Have you modified the following file, /etc/pam.d/sudo, as mentioned here: https://docs.jamf.com/jamf-connect/1.10.0/administrator-guide/Pluggable_Authentication_Module_(PAM).html
Hello, I am having the same issue here. I can't seem to get it to distinguish admin vs standard. All our accounts are being set to standard even if I am an admin. This is what I have configured on the login plist.
<dict>
  <key>OIDCClientID</key>
  <string>Removed on purpose</string>
  <key>OIDCProvider</key>
  <string>Azure</string>
  <key>OIDCROPGID</key>
  <string>removed on purpose</string>
  <key>OIDCRedirectURI</key>
  <string>https://127.0.0.1/jamfconnect</string>
</dict>
Also, how do I force it so that the password that gets generated on the local machine is the same as AAD?