JAMF Connect

Asifahmed
New Contributor III

I wanted to know a few things about Jamf Connect.

1. If I use Jamf Connect, will the user be able to change the password and sync it with AD/the local Mac over the internet, I mean if the Mac is not on the office network, either physically or through VPN?

2. If I use Jamf Connect, how many local user accounts will be created on the Mac after enrollment in the Jamf console? Is it 3: one by PreStage enrollment, which is defined there with UID 501, another one by Jamf Connect at the time of provisioning with UID 502, and another one the management account? Am I correct?

3. Does Jamf Connect create only a standard account at the time of provisioning, or an admin account? If the end user puts in a wrong string at the time of provisioning, what will happen?

4. Is the Jamf Menu bar app OK to deploy to existing Mac devices that were not deployed with Jamf Connect at the time of provisioning, or do I still need to deploy the Jamf Connect app too?

5. Can the Jamf Menu bar app give a notification to the end user when the user's AD password is going to expire?


McAwesome
Valued Contributor
  1. This may depend on your Identity provider.  I know with Azure, it doesn't matter if they're on your network or not.
  2. It will make the Management Account and any other accounts normally specified.  I would recommend having your prestage skip initial account creation to avoid creating anything more than is needed.
  3. It can do either Admin or Standard depending on how you have it configured.  It can also use groups or roles to give some users standard accounts and others admin accounts.  You'll want to look into the CreateAdminUser, OIDCAdminAttribute, and OIDCAdmin settings for the Login Window.
  4. The Jamf Menu Bar app is part of the Jamf Connect app, so if you are deploying one you are deploying both.  That said, you don't have to change the login window when you deploy Jamf Connect.
  5. Yes.

There's a lot more detail on some of these questions like the admin related ones in the official documentation.
https://www.jamf.com/resources/product-documentation/jamf-connect-administrators-guide/ 

Asifahmed
New Contributor III

Thanks for helping me to understand it. Helpful :)


Asifahmed
New Contributor III

If I skip the account creation (UID 501) through PreStage and configure Jamf Connect to create a standard account, then there will not be any other admin account to log in to the Mac; can that create any problem for a desk-side technician doing any Mac-related troubleshooting?

McAwesome
Valued Contributor

It might if you both don't use the OIDCAdmin setting and don't create a local admin via the Prestage.  My environment currently takes both approaches. 

All our IT admin accounts are in the Azure role that provides Admin rights.  That way, we can sign in with our accounts on any machine brought to us and do the admin tasks needed.

We also use a LAPS solution for a kind of "Break Glass" situation.  We use the "Create a local administrator account before the Setup Assistant" option in our prestages to create the initial LAPS account.  From there, we use Joshua Miller's Swift-based macOSLAPS tool to regularly scramble the password and upload it into Jamf.  This ensures we have a local admin account with a random password that is unique to that specific machine just in case all other options fail.
https://github.com/joshua-d-miller/macOSLAPS 

Asifahmed
New Contributor III

LAPS I know and understand, but when the Mac is not joined to AD and Jamf Connect creates a local standard account, how will you log in to the Mac with another account? I don't understand the Azure role you are talking about. Please explain it to me in more detail.

McAwesome
Valued Contributor

That LAPS solution I linked works fine when machines are not bound to a domain.

Basically, what that OIDCAdmin setting does is tell Jamf Connect that any user who has the role specified in it will be created as an admin account when they sign in regardless of other settings.  This allows you to make your average user created as a Standard Account while still providing a way for your IT Help Desk or other support staff to be able to sign in as an Administrator without the need for a pre-created local account.
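As an added illustration (not McAwesome's or Jamf's own configuration), here are the three Login Window keys named above as a com.jamf.connect.login preference fragment. It assumes the Azure case discussed in this thread and that the admin role arrives in the token's roles claim; the client ID and role name are placeholders, and the other keys a working profile needs are omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Added example for the com.jamf.connect.login preference domain.
         Only the admin-related keys discussed in this thread are shown. -->
    <key>OIDCProvider</key>
    <string>Azure</string>
    <key>OIDCClientID</key>
    <string>PLACEHOLDER-APP-REGISTRATION-CLIENT-ID</string>

    <!-- Default for everyone who signs in: a Standard (non-admin) account. -->
    <key>CreateAdminUser</key>
    <false/>

    <!-- The ID token claim Jamf Connect inspects to decide admin rights
         (assumed here to be the Azure "roles" claim). -->
    <key>OIDCAdminAttribute</key>
    <string>roles</string>

    <!-- Users whose token carries any of these values are created as
         administrators regardless of CreateAdminUser above. Membership
         of this role is effectively local admin on every Mac, so keep
         it small and reviewed. -->
    <key>OIDCAdmin</key>
    <array>
        <string>PLACEHOLDER-IT-HELPDESK-ROLE</string>
    </array>
</dict>
</plist>
```

On a managed Mac, `defaults read com.jamf.connect.login OIDCAdmin` shows the role list the Login Window is actually honouring, which is a quick way to confirm the profile landed as intended.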

Hugonaut
Valued Contributor II

@Asifahmed 

1. Yes

2. Jamf Connect will only create accounts if configured to. It will create accounts linked to the IdP, so technically 1 (unless it's a shared machine). Jamf itself creates the prestage/management accounts.

3. Standard or Administrator, you decide when configuring.

4. They are one and the same. You must deploy Jamf Connect & configure whether or not you want the Login Window.

5. Yes


Asifahmed
New Contributor III

Thanks for clarifying for me. Helpful :)


mainelysteve
Valued Contributor II

Just to clarify, as it was glossed over: are you using an IdP like Azure, Google, Ping, Okta, etc., or is this an on-premises AD domain?

I am planning to implement Jamf Connect; we have AAD integrated with Jamf to replace the JIM server. Now I am thinking about where to start.