Azure/EntraID password cache during enrollment

ScottEKendall
New Contributor III

Our users have to authenticate about 3 times during enrollment.

1st to authenticate / start enrollment

2nd time to create local account

3rd time to authenticate to Zscaler

We use Entra as our IdP and everything is set up fine in Jamf Connect, as existing users are able to authenticate to Azure without issue. Is there a way to have the Mac store the SSO credentials so they can be passed to other apps during enrollment? We are using Device Compliance... finally got rid of Conditional Access... TIA

1 ACCEPTED SOLUTION

AJPinto
Esteemed Contributor
  1. There is no way to pass your enrollment credentials to anything.
  2. If you are using Jamf Connect, the user must enter their IdP credentials.
     1. If you are using macOS's activation assistant you can pre-populate the user name, but the user must still create a password on the device.
  3. You should be able to pass a ticket to Zscaler from PSSO or Jamf Connect for SSO. We use MFA and just prefill the UPN; for security reasons we make the user provide their password.
     1. Reach out to Zscaler, they have a fairly competent Mac support team. I'd wager they have the configuration profile handy to make SSO work.

There is no way to get this to fewer than 2 logins without disabling authentication for device enrollment.

2 REPLIES

ScottEKendall
New Contributor III

Thanks for the reply... makes sense for what I am trying to do... I am also playing with the PSSO for Entra; maybe I can make some headway with that...