Apple GSX will begin requiring two-step verification, JSS will need an app specific password

adamcodega
Valued Contributor

On March 30th, Apple announced they will require two-step verification on Apple IDs used to log into the Global Service Exchange portal. (They also announced they will require company domain email addresses for Apple IDs used for GSX but that's a topic for another day.)

If you have your JSS connected to GSX to import purchasing information, you are going to need to set up an app-specific password for the JSS to log into GSX, otherwise after you enable two-step verification the JSS won't be able to log on.

Apple has a two-step verification FAQ as well as a guide on creating app-specific passwords.

Happy GSXing!

16 REPLIES

mm2270
Legendary Contributor III

Thanks for the info. This is likely in response to the recent phishing emails that were sent out to GSX accounts, to prevent just being able to use a password sent via email to log in.

golbiga
Contributor III

The requirement for company domain email addresses is today. The 2FA change is required by April 20th. Good luck if you've already used your work email for any other Apple ID.

CasperSally
Valued Contributor II

Looks like when you start setup of 2FA, there is a 3-day waiting period to continue the process for security, so heads up on that.

dferrara
Contributor II

Is anyone using a shared (institutional) Apple ID to connect the JSS with GSX? You would have to login every 30 days to prevent the account from being disabled in GSX, but maybe a good time to consider a change.

wdpickle
Contributor

Is there lag time between the request for an app password and being able to log in (if you know)? Is the app name specific or can it be a nickname?

I ask because I just tried to update to an app password and it failed with an internal 500 error.

golbiga
Contributor III

Heads up, if your work email is already associated with an existing Apple ID you will need to either create a new work email or disassociate the Apple ID from your work email. The GSX Apple ID cannot be associated to any other account.

UPDATE: To disassociate an account from your work email you can log in to appleid.apple.com and under Apple ID and Primary Address click edit and change the primary address to a new address. Once you do that you can create a new Apple ID with your corporate account. Of course if your corporate account is associated with DEP, VPP, etc., you will most likely still have to get a new corporate email account for GSX.

Allen

wdpickle
Contributor

So, I will need to create a new work/GSX/Apple ID to connect GSX and JSS?

jkb
New Contributor III

Hello,

Re: GSX lookup
I reached out to our JAMF rep and this was the response I got:
“Thank you for reaching out. We received the same notice, and were concerned as well as to what it may mean for our connection. We have been working with Apple on impact, and have made some progress. In short, you are right. API access will continue to work without two-factor authentication. However, we are tracking a change coming in August that will require a certificate-based authentication with the API. We hope that will all be backend work, but are uncertain right now if you will need to generate a certificate using Apple’s portal or the JSS at that time. So we are good for now, but there may be changes later in the year that will impact us all. We fully plan to have full support with GSX moving forward, and are on top of researching what it means currently.”

Re: Work email already tied to different AppleID
Not sure this will work for everyone, but we're a Google Apps shop. A feature of Google Apps is accounts can have aliases. My work email, jbroccardo@company was already used for an Apple ID, but I was able to create an alias, jkb@company, that I made my primary email for my account I used to access GSX.

CasperSally
Valued Contributor II

Anyone who has gone through this - I created an alias, a new Apple ID, and still am not seeing "Generate an App-Specific Password and follow the steps on your screen."

Do you have to set up 2 step verification and then you get this?

CasperSally
Valued Contributor II

Answered my own question after I read the Apple article a little better: yes, you need to enable 2 step first. There's no 3 day waiting period on this alias account at least.

stevewood
Honored Contributor II

@CasperSally are you following the instructions at the below site to set up 2 Step on your AppleID account?

Frequently asked questions about two-step verification for Apple ID

Once you've enabled 2 Step on your AppleID, when logging into GSX it will send you a 4 digit code on your phone to enter into the screen.

Simmo
Contributor II

Is this implemented yet?
I have 2FA set up on my GSX account and the JSS is still importing info fine.

jake
Contributor II

Hi Everyone -

If you have two step authentication enabled for the Apple ID associated with your GSX account the JSS will still be able to communicate with GSX. We are using the GSX API which is not impacted by this change.

CasperSally
Valued Contributor II

@jake - my account was setup as GSX lookup account and worked for years until this was announced.

I went ahead and enabled 2 step on it, it's still not working. I get GSX lookup was not successful.

Any ideas?

Serge
New Contributor III

@john.miller posted the new requirements for GSX API access here. I asked for some clarification and this is the response I got:

It's not user based, it's Sold to based. Once a specific sold to (e.g. your sold to) is onboarded, you can use your Apple ID to authenticate via API. Of course you’ll need to consume the NEW GENERATION WSDL as well. More information can be found in https://gsxwsut.apple.com/apidocs/ut/html/WSFaq.html under the FAQ’s certificates section. You’ll need a static IP address for this to work.