Azure AD Integration with Jamf Pro (macOS)

infrase2020
New Contributor III

Hi,

We are in the process of setting up Jamf Pro and added our Azure tenant as a cloud IDP. 

Jamf Connect has been set up so we are able to sign into the device with our AAD credentials and the account is synced with a local account on the device. This is working as expected.

I am slightly confused as the User and Location information is missing from the device inventory, should this not be pulling the information from our Azure cloud IDP? 

Also is it possible to target applications/policies and configuration profiles with AAD groups?

Apologies if this is a simple answer; however, we are new to Jamf, coming from a Windows background, so slightly confused at the moment!

TIA.

DBrowning
Valued Contributor II

You'll want to make sure this is checked in your Inventory Collection Settings.

stevewood
Honored Contributor II

And you also need to make sure that the "Username" field is filled in on the device record. Otherwise the Directory Service information will not be pulled. The integration needs to have some data to query Azure AD with to pull back the user info. The Username field is not populated by default on Computer devices. You need to pull that info and send it up to Jamf Pro so that it gets populated.

You can see some ideas on how to pull that info from Jamf Connect in this post.
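One way to populate the Username field from a Jamf Pro policy, as an added example that is not from this thread, Jamf, or the linked post: it reads the signed-in user's principal name from Jamf Connect's state preferences and sends it up with `jamf recon -endUsername`. It assumes Jamf Connect stores that value under the key `UserPrincipalName` in `com.jamf.connect.state` (check the key name in your own deployment); the validation guards against overwriting the record with an empty or local-only value.

```bash
#!/bin/bash
# Added example (not from the thread or from Jamf). Run from a Jamf Pro policy
# to fill the device record's Username field so Directory Service lookups work.
# Assumption: Jamf Connect writes the signed-in user's principal name to
# com.jamf.connect.state under the key UserPrincipalName.

JAMF_BIN="/usr/local/bin/jamf"

# Accept only a user@domain shaped value; anything else is rejected so the
# record is never overwritten with an empty string or a local account name.
valid_upn() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# Return the first candidate that is a valid UPN. Entra ID treats UPNs as
# case-insensitive, so normalize to lower case for consistent Jamf records.
pick_username() {
  local c
  for c in "$@"; do
    if valid_upn "$c"; then
      printf '%s\n' "$c" | tr '[:upper:]' '[:lower:]'
      return 0
    fi
  done
  return 1
}

# Currently logged-in GUI user (empty or "root" at the login window).
console_user() {
  /usr/bin/stat -f '%Su' /dev/console 2>/dev/null
}

main() {
  local user from_connect upn
  user="$(console_user)"
  if [ -z "$user" ] || [ "$user" = "root" ]; then
    echo "No console user signed in; leaving Username unchanged"
    return 0
  fi
  from_connect="$(/usr/bin/defaults read \
    "/Users/$user/Library/Preferences/com.jamf.connect.state" UserPrincipalName 2>/dev/null)"
  if upn="$(pick_username "$from_connect")"; then
    "$JAMF_BIN" recon -endUsername "$upn"
  else
    echo "Could not determine a UPN for $user; Username left unchanged" >&2
    return 1
  fi
}

# Only act on a managed Mac where the jamf binary is present.
if [ -x "$JAMF_BIN" ]; then main "$@"; fi
```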

MacJunior
Contributor III

I'm curious about @infrase2020's question:

"Also is it possible to target applications/policies and configuration profiles with AAD groups?"

How can I scope a profile/policy using Azure AD groups? I did the integration but can't see any groups from AAD synced with Jamf!

stevewood
Honored Contributor II

You would need to use the AAD group as a Limitation in the scoping tabs. On the Target tab you would scope to a Smart Group that included either all of your devices or a subset, and then utilize the "Directory Service User Groups" tab under the Limitations. This would then scope to that subset of devices, BUT limit its "visibility" to members of that AAD group.

Make sense?

Hi Steve,

We have set up a test profile as per your instructions; however, the users are not appearing in the scope after adding all devices and then limiting to an AAD user group with 1 member. Have you tested this in your environment? How often does Jamf check AAD for group membership updates?

stevewood
Honored Contributor II

If you are deploying a User Level configuration profile, the user in that AAD group needs to be MDM enabled on that device. This Jamf Nation post discusses that.

Also, the logged in user on the device needs to match the user name identified on the device record in Jamf Pro. https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Scope.html


Hmm, I have a policy. I targeted a subset of computers; in the Limitation tab I found the AAD group I want (which has 3 members), added it in there and saved. The policy is not working, as if I didn't scope it to anyone!

I'm supposed to see the package in that policy installed on those 3 members of that AAD group, right? What went wrong, @stevewood?

MacJunior
Contributor III

I opened up a ticket with Jamf and after going back and forth this was their last reply:

trull_sengar
New Contributor III

Hi,


I had the same issue and I fixed that using an enrollment customization.

In Jamf, go to Settings > Global > Enrollment Customizations

Here I used the PreStage Panes and selected the SSO one. That basically shows an SSO window right after the start of the enrollment (when you see the "Remote Management" screen in Setup Assistant) where the end user can log in using the Entra ID login (which will need to be repeated in Jamf Connect to create the user account).
This enrollment customization syncs the user's Entra ID data into Jamf and fills in the User and Location info.

Hope it helps!