Hi everyone! I'm struggling with getting this to work. Any input/advice would be greatly appreciated.
Goal: Create an LDAP group in AD, add AD users who do not have individual admin user accounts created in JAMF, and grant access in JAMF per the AD group's user memberships.
Issue: Users receiving "access denied" when launching JAMF Pro from SSO.
-Created LDAP group "JAMFexample"
-Added a test user (a coworker) to the group
-Added the LDAP group to JAMF
-Granted necessary privilege's in JAMF for the test group
-Navigating to JAMF Settings>System Settings>LDAP Servers>Mappings and then testing User Mappings, User Group Mappings, and User Group Membership Mappings all give instant successful results.
If all the tests work, what could be holding me up on this? I can provide any extra info that might be helpful.
Thanks for reading!
OK, just that if you were using Azure AD, then group object names wasn't supported for use for JAMF administration groups (you had to do a work around by creating local groups named matched with the Azure group object ID) - but support for Azure group objects does come in the latest Jamf Pro 10.29
The issue is more likely to be with your SSO setup
What happens if you just add an individual LDAP user? can you log in with a that user and pass through the SSO ok?
Great info, thanks!
Yeah. If I manually create a user, by Settings>System Settings>Jamf Pro User Accounts & Groups>"New" and select "Add LDAP Account" it will successfully import/create the user and the user can sign in via our SSO page.
I have full admin rights to Active Directory and JAMF Pro (and even Azure AD) but not to our SSO setup or IdP etc. But I can get access or info, depending on the need.
Currently the only option is to allow users either full access or access to one site. Dialog with your fellow IT professionals, gain insight about Apple device ... in this FR: Site admin permissions - Grant a single user/group access to multiple sites. of permissions you want to apply to users, both local to the JSS and LDAP.