Hey everyone!
I'm reaching out for guidance on a complex issue I've encountered with integrating Jamf Pro and Microsoft Entra ID for SSO, specifically regarding user attribute mappings and device enrollment processes. Despite a successful setup of Single Sign-On and Cloud Identity Providers for new macOS device enrollments with corporate credentials, I've hit a stumbling block with more detailed configurations.
Core Issues:
User Attribute Mappings: My goal is to map the User Name attribute to the onPremisesSamAccountName (essentially, the UPN without @domain.com) for a more intuitive username representation. Additionally, I aim to map Phone attributes to mobilePhone and Position to jobTitle, enhancing user profile completeness within our system.
Device Enrollment Customization: During the Setup Assistant phase of Automatic Device Enrollment (via ABM), I intend to pre-fill the primary account information with the device owner's details. However, the system defaults to using the UPN/email for the "Account Name" field, rather than the desired username. This deviation from our goal hampers user experience (especially since macOS doesn't like the @ in the username).
Attempts and Roadblocks:
- I've explored various community suggestions and official documentation, including a detailed thread here (Azure AD SSO and New Device Setup) and guidance intended for Jamf Connect SSO setups (SAML Token Attribute Mapping for Enrollment Customization), hoping for overlapping solutions.
- Modifying "User Mapping From The SAML Assertion" in Jamf Pro settings to anything aside from "userPrincipalName" seems unfeasible, as changes refuse to save even when the corresponding claim exists in the Entra ID Enterprise app.
- Attempts to adjust the NameID in the Enterprise App to use the SAM username instead of UPN disrupted SSO functionality, contradicting Microsoft's documentation suggesting such customization is supported.
Given these challenges, I'm seeking insights or success stories from anyone who's navigated similar configurations. Jamf support has yet to offer a resolution, leaving me to wonder:
- Is it feasible to utilize anything other than the UPN for the username in this setup, without leveraging Jamf Connect?
- Are there alternative strategies to import other user attributes into Jamf Pro, akin to what's achievable with LDAP?
I'm eager to hear your thoughts, experiences, links or any other recommendations you may have!
Some screenshots (captions only):
- Some of my tested claims
- Error when I try to change the User Mapping
- The User mapping settings I want to change from the default info I get from Entra ID
- What I'm getting, including the UPN for Username
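One thing worth checking before fighting the Jamf Pro mapping UI is what the Entra ID SAML token actually contains. The script below is an added example, not code from the original post and not Jamf's or Microsoft's code: it parses the AttributeStatement of a SAML assertion (a constructed sample, unsigned and not a real token), reports which of the wanted claims are missing, and derives a short account name. The claim names are placeholders that stand in for whatever is configured under "Attributes & Claims" in the enterprise app; the only standard one used is the `name` claim URI that Entra ID fills with the UPN by default. It prefers an onPremisesSamAccountName claim and only falls back to stripping the domain from the UPN, because the UPN prefix is not guaranteed to equal the on-premises sAMAccountName. It also rejects a candidate local account name that still contains `@`, since that is the macOS constraint the post runs into.

```python
"""Inspect the claims in a SAML assertion before relying on an IdP-to-MDM mapping.

Added example for debugging Entra ID -> Jamf Pro attribute mappings.
The assertion below is constructed; the custom claim names are placeholders
for whatever is configured in the enterprise app (assumptions, not fixed names).
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard Entra ID claim that carries the UPN by default.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# Placeholder names for custom claims (assumption: named like this in the app).
SAM_CLAIM = "onPremisesSamAccountName"
MOBILE_CLAIM = "mobilePhone"
JOBTITLE_CLAIM = "jobTitle"
WANTED_CLAIMS = [UPN_CLAIM, SAM_CLAIM, MOBILE_CLAIM, JOBTITLE_CLAIM]

# Constructed sample assertion: unsigned, placeholder values, no mobilePhone claim.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="onPremisesSamAccountName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="jobTitle">
      <saml:AttributeValue>Systems Engineer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Conservative local account name rule (assumption): no '@', no whitespace, non-empty.
LOCAL_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def name_id(assertion_xml: str) -> Tuple[str, str]:
    """Return (NameID value, NameID format); the format matters for SSO matching."""
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        return ("", "")
    return ((node.text or "").strip(), node.get("Format", ""))


def missing_claims(attrs: Dict[str, List[str]], wanted: List[str]) -> List[str]:
    """Claims the mapping would need that the token does not carry (or carries empty)."""
    return [c for c in wanted if not any(attrs.get(c, []))]


def derive_short_username(attrs: Dict[str, List[str]]) -> str:
    """Prefer the synced sAMAccountName claim; fall back to the UPN prefix.

    Caveat: the UPN prefix only equals sAMAccountName if the directory sync
    keeps them aligned, so the fallback is a guess, not an identity attribute.
    """
    sam = attrs.get(SAM_CLAIM, [])
    if sam and sam[0]:
        return sam[0]
    upn = (attrs.get(UPN_CLAIM) or [""])[0]
    return upn.split("@", 1)[0]


def is_valid_local_account_name(name: str) -> bool:
    """Reject names macOS would choke on as a local account short name (e.g. with '@')."""
    return bool(name) and LOCAL_NAME_RE.match(name) is not None


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print("NameID:", name_id(SAMPLE_ASSERTION))
    print("Missing claims:", missing_claims(attrs, WANTED_CLAIMS))
    short = derive_short_username(attrs)
    print("Short username:", short, "valid:", is_valid_local_account_name(short))
```

Paste the decoded assertion from a browser SAML tracer into `SAMPLE_ASSERTION` and run it; if a claim you added in the enterprise app shows up under "Missing claims", the problem is on the Entra ID side (claim not emitted, or emitted under a different name) rather than in the Jamf Pro mapping UI.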