Posted on 06-05-2023 03:30 PM
Basically the title.
Our Jamf Pro environment is set up with Jamf Connect via Okta, and our users use their AD short name to log in, so changing it to Azure AD would be too much of a change (unless we can change the login username).
As such, we can't as easily leverage Azure AD group membership on the local device.
Is it possible to use a policy + script to create a local group that contains the members of the Azure AD IdP group?
Thanks!
Posted on 06-06-2023 03:16 PM
Thanks for your very detailed response Bryant!
That makes perfect sense. I'll have a look into doing that + testing etc.
Cheers,
Nic
Posted on 07-26-2023 08:22 PM
Hi @njh359, what was the response? It looks like the post by Bryant2S has disappeared.
I'm in a similar situation and interested in any tips.
Posted on 07-26-2023 09:46 PM
Hey Deej,
Strange...
So unfortunately it's not super simple.
I ended up connecting up the Azure IdP, and then had to put together a few scripts leveraging the Jamf API:
1. To create local groups named after their AAD group counterparts.
2. To run a Jamf API call (https://XXXXX.jamfcloud.com/api/v1/cloud-idp/1001/test-user-membership) to test the logged-on user's membership of specific groups in AAD.
3. If the user was a member, I then added them to the relevant group.
As the group membership (in our scenario) can change, I used Outset to run scripts 2/3 on login. So the entire AAD group wasn't actually passed into the local group, just the user.
But it works for us; we're using BeyondTrust PMC, so the Azure users/groups option wasn't an option for our Macs.
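For anyone landing here later, the following is an added, constructed sketch of the three steps njh359 describes (create local groups, test membership via the Jamf Pro API, add the logged-on user), written as a single login script. It is not the poster's own code. It assumes JAMF_URL, JAMF_TOKEN and IDP_ID are provided by the caller, that the test-user-membership endpoint takes a JSON body with "username" and "groupname" and returns an "isMember" boolean, and that the AAD-group-to-local-group mapping in GROUP_MAP is a made-up example. It goes one step further than the thread: if the IdP says the user is no longer a member, the user is removed from the local group, and if the API call fails the local group is left untouched rather than changed on an error.

```shell
#!/bin/bash
# Added example: login-time sync of Azure AD group membership into local
# macOS groups, following njh359's steps 1-3. Not the poster's scripts.
#
# Assumptions (not confirmed by the thread):
#   - JAMF_URL, JAMF_TOKEN (a Jamf Pro API bearer token) and IDP_ID (the cloud
#     IdP id, 1001 in the thread) are set in the environment by the caller.
#   - POST /api/v1/cloud-idp/{id}/test-user-membership accepts the JSON body
#     {"username": ..., "groupname": ...} and answers {"isMember": true|false}.
#   - GROUP_MAP is a constructed "AAD group:local group" mapping.

GROUP_MAP='AAD-Mac-Admins:aad_mac_admins
AAD-Mac-Developers:aad_mac_developers'

# Escape a value for use inside a JSON string literal (backslash first, then quote).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Step 2: ask Jamf Pro whether user $1 is a member of AAD group $2. Prints the raw body.
jamf_test_membership() {
  curl -sS -f -X POST "$JAMF_URL/api/v1/cloud-idp/$IDP_ID/test-user-membership" \
    -H "Authorization: Bearer $JAMF_TOKEN" \
    -H 'Content-Type: application/json' \
    -d "{\"username\":\"$(json_escape "$1")\",\"groupname\":\"$(json_escape "$2")\"}"
}

# Pull the isMember flag out of a response body: prints true, false or unknown.
# "unknown" covers empty bodies, HTTP errors and unexpected JSON.
parse_is_member() {
  compact=$(printf '%s' "$1" | tr -d ' \n\t')
  case "$compact" in
    *'"isMember":true'*)  echo true ;;
    *'"isMember":false'*) echo false ;;
    *)                    echo unknown ;;
  esac
}

# Decide what to do for user $1, AAD group $2, local group $3. $4 is the command
# that performs the membership test (defaults to the real API call; a test can
# inject a fake). An API failure yields "skip": never change a local group on
# an error, or an outage would silently strip or keep privileges.
plan_action() {
  checker="${4:-jamf_test_membership}"
  body=$("$checker" "$1" "$2" 2>/dev/null) || body=''
  case "$(parse_is_member "$body")" in
    true)  echo "add $1 $3" ;;
    false) echo "remove $1 $3" ;;
    *)     echo "skip $3" ;;
  esac
}

# Plan the actions for user $1 across every mapped group, one line per group.
sync_user() {
  printf '%s\n' "$GROUP_MAP" | while IFS=: read -r aad_group local_group; do
    plan_action "$1" "$aad_group" "$local_group" "${2:-jamf_test_membership}"
  done
}

# Step 1: make sure the local group exists (dseditgroup picks a free GID).
ensure_local_group() {
  dseditgroup -o read "$1" >/dev/null 2>&1 || dseditgroup -o create "$1"
}

# Step 3: apply one planned line ("add user group", "remove user group", "skip group").
apply_action() {
  set -- $1
  case "$1" in
    add)    dseditgroup -o edit -a "$2" -t user "$3" ;;
    remove) dseditgroup -o edit -d "$2" -t user "$3" ;;
    skip)   ;;
  esac
}

# Entry point for the Outset login script (runs as root on macOS): pass --run.
if [ "${1:-}" = "--run" ]; then
  console_user=$(stat -f %Su /dev/console)   # macOS stat syntax
  printf '%s\n' "$GROUP_MAP" | while IFS=: read -r _ local_group; do
    ensure_local_group "$local_group"
  done
  sync_user "$console_user" | while read -r line; do apply_action "$line"; done
fi
```

The username sent to the API is the console user's short name, so this only works where that is what the IdP resolves, which is exactly the short-name versus UPN question that started the thread. Keep JAMF_TOKEN short-lived and scoped to the cloud-idp read privilege rather than reusing an admin token in a login script.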