Active Directory iPad Enrollment

cleverleys
Contributor

Hi all,
I have a conundrum that I think I am confusing myself with more and more!
What I would like to achieve, is for our students to be able to enrol a DEP'd device, using their AD credentials, which I know is possible, from Jamf Marketing Videos.
Our setup is:

Jamf Pro admins, brought into Jamf via LDAP, SSO enabled via ADFS.
Student users, classes and staff / teachers are brought into Jamf Pro via Apple School Manager, populated via a PowerShell script which pulls information from Active Directory.

I can't think of any way that students and staff can authenticate via AD, as there is no setting to link them to ADFS or LDAP. Could someone point me in the right direction?

Many thanks in advance.


talkingmoose
Moderator

Look into Enrollment Customization found in Jamf Pro under Settings (cog wheel) > Global Management.

  1. Make a new Enrollment Customization and click the Add Pane button. Set the Pane Type to either SSO or LDAP Authentication depending on which you want to use.
  2. After you've saved your Enrollment Customization, edit your iOS PreStage enrollment under Devices > PreStage Enrollments and set the Enrollment Customization Configuration drop down menu to the name of the Enrollment Customization you created under Settings.

During Automated Enrollment, you should see the authentication pane just after the pane notifying the user that the device will be managed by your organization.

Emmert
Valued Contributor

You'll also want to set up mappings in your LDAP config setting. For example, we have Department mapped to Description, and Building mapped to Company. That way we have all of our kids fall into "Grade X" in Jamf department, and "School Name" in Jamf building. This makes it easy to set up smart groups for scoping.

cleverleys
Contributor

@Emmert @talkingmoose thanks both.
I had seen the enrolment customisations which is what I was planning on doing.

However, our students don't come in via LDAP, they come in via Apple School Manager, so I don't see how they could authenticate via LDAP or SSO...

mickgrant
Contributor III

@cleverleys You need to reverse the setup you're using.
Users need to authenticate via LDAP to create the user within Jamf, and have their Apple School Manager details synced to that account. From what I have found there isn't a way to update existing Jamf users with LDAP details, but you can update a Jamf user created with LDAP to also have the roster details.
Just set up your matching criteria at the bottom of your ASM instance within Jamf.

cleverleys
Contributor

Hi all and @mickgrant I am still having a huge headache with user matching :-(

Basically, what I am trying to achieve is:

  1. ASM Imports users into Jamf, username once imported is firstname.surname, email is firstname.surname@ouremail.org
  2. Users are then given an iPad, turn it on for the first time, join the wireless and are then presented with our logon screen from LDAP, for which they login and authenticate.
  3. What then happens is a second account is created, username firstname.surname@ouremail.org, email is firstname.surname@ouremail.org.

Am I missing the point of matching here? Should the process be that users authenticate via LDAP and then we manually initiate the import from ASM and match accordingly? Which works!

I have tried all sorts of connotations of user matching with no success!

Thanks everyone.
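As an added illustration of the duplicate-account problem described in the last post (not code from the thread or from Jamf), the script below audits a list of Jamf Pro user records for the pattern where an ASM-rostered account named `firstname.surname` sits beside an LDAP-created account named `firstname.surname@ouremail.org`. The record shape, the `source` field and the sample users are constructed assumptions; in practice the records would come from a Jamf Pro user export.

```python
"""Audit Jamf Pro user records for ASM/LDAP duplicate accounts (constructed example)."""
from collections import defaultdict

DOMAIN = "ouremail.org"  # assumption: the e-mail domain used in the thread

# Constructed sample records standing in for a Jamf Pro user export.
SAMPLE_USERS = [
    {"id": 101, "name": "jane.doe", "email": "jane.doe@ouremail.org", "source": "ASM"},
    {"id": 202, "name": "jane.doe@ouremail.org", "email": "jane.doe@ouremail.org", "source": "LDAP"},
    {"id": 103, "name": "sam.smith", "email": "sam.smith@ouremail.org", "source": "ASM"},
    {"id": 304, "name": "Alex.Lee@ouremail.org", "email": "alex.lee@ouremail.org", "source": "LDAP"},
]


def canonical_username(name, domain=DOMAIN):
    """Lower-case the name and strip the '@domain' suffix if present, so the ASM
    spelling (jane.doe) and the LDAP spelling (jane.doe@ouremail.org) collide."""
    name = name.strip().lower()
    suffix = "@" + domain.lower()
    return name[: -len(suffix)] if name.endswith(suffix) else name


def find_duplicate_pairs(users, domain=DOMAIN):
    """Group records by canonical username and return only the groups with more
    than one record: these are the people who ended up with two Jamf accounts."""
    groups = defaultdict(list)
    for user in users:
        groups[canonical_username(user["name"], domain)].append(user)
    return {key: recs for key, recs in groups.items() if len(recs) > 1}


def unmatched_ldap_accounts(users, domain=DOMAIN):
    """LDAP-created accounts (name carries the domain) with no ASM twin at all:
    roster data was never attached to the account the student actually logs in with."""
    asm_names = {canonical_username(u["name"], domain) for u in users if u["source"] == "ASM"}
    return [
        u for u in users
        if u["source"] == "LDAP" and canonical_username(u["name"], domain) not in asm_names
    ]


def report(users, domain=DOMAIN):
    """Human-readable summary an admin can act on before re-running ASM matching."""
    lines = []
    for key, recs in sorted(find_duplicate_pairs(users, domain).items()):
        ids = ", ".join(f"{r['source']}#{r['id']}" for r in recs)
        lines.append(f"DUPLICATE {key}: {ids}")
    for rec in unmatched_ldap_accounts(users, domain):
        lines.append(f"LDAP-ONLY {rec['name']} (#{rec['id']}): no ASM roster match")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_USERS))
```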