Posted on 05-01-2020 09:46 AM
I have a conundrum that I think I am confusing myself with more and more!
What I would like to achieve is for our students to be able to enrol a DEP'd device using their AD credentials, which I know is possible from Jamf marketing videos.
Our setup is:
Jamf Pro Admins, brought into Jamf via LDAP, SSO enabled via ADFS.
Student users, classes and staff / teachers are brought into Jamf Pro via Apple School Manager, populated via a PowerShell script which pulls information from Active Directory.
I can't think of any way that students and staff can authenticate via AD, as there is no setting to link them to ADFS or LDAP. Could someone point me in the right direction?
Many thanks in advance.
Posted on 05-01-2020 10:48 AM
Look into Enrollment Customization found in Jamf Pro under Settings (cog wheel) > Global Management.
During Automated Enrollment, you should see the authentication pane just after the pane notifying the user that the device will be managed by your organization.
Posted on 05-01-2020 12:08 PM
You'll also want to set up mappings in your LDAP config settings. For example, we have Department mapped to Description, and Building mapped to Company. That way we have all of our kids fall into "Grade X" in Jamf department, and "School Name" in Jamf building. This makes it easy to set up smart groups for scoping.
Posted on 05-01-2020 01:15 PM
@Emmert @talkingmoose thanks both.
I had seen the enrolment customisations, which is what I was planning on doing.
However, our students don’t come in via LDAP, they come in via Apple School Manager, so I don’t see how they could authenticate via LDAP or SSO....
Posted on 05-04-2020 08:12 PM
@cleverleys You need to reverse the setup you're using.
Users need to authenticate via LDAP to create the user within Jamf, and have their Apple School Manager details synced to that account. From what I have found there isn't a way to update existing Jamf users with LDAP details, but you can update a Jamf user created with LDAP to also have the ROSTER details.
Just set up your matching criteria at the bottom of your ASM instance within Jamf.
Posted on 07-02-2020 09:39 AM
Hi all and @mickgrant I am still having a huge headache with user matching :-(
Basically, what I am trying to achieve is:
Am I missing the point of matching here? Should the process be that users authenticate via LDAP and then we manually initiate the import from ASM and match accordingly? Which works!
I have tried all sorts of connotations of user matching with no success!