Help

Grant JAMF Pro admin rights via LDAP group?

JAMFerino
New Contributor

Posted on ‎05-13-2021 02:15 PM

Hi everyone! I'm struggling with getting this to work. Any input/advice would be greatly appreciated.

Goal: Create an LDAP group in AD, add AD users who do not have individual admin user accounts created in JAMF, and grant access in JAMF per the AD group's user memberships.

Issue: Users receiving "access denied" when launching JAMF Pro from SSO.

Steps taken:
-Created LDAP group "JAMFexample"
-Added a test user (a coworker) to the group
-Added the LDAP group to JAMF
-Granted necessary privilege's in JAMF for the test group

Troubleshot:
-Navigating to JAMF Settings>System Settings>LDAP Servers>Mappings and then testing User Mappings, User Group Mappings, and User Group Membership Mappings all give instant successful results.
937678b672b34501807254e4fff97376

If all the tests work, what could be holding me up on this? I can provide any extra info that might be helpful.

Thanks for reading!

Labels:
0 Kudos
Reply
7 REPLIES 7

garybidwell
Contributor III

Posted on ‎05-13-2021 03:49 PM

When you say AD, do you mean you have configure LDAPS to use on-premise Active Directory or Azure AD?

Reply

JAMFerino
New Contributor

Posted on ‎05-13-2021 03:59 PM

Thanks for the reply Gary - we use on-prem AD. We do use Azure AD as well, for some things, but user accounts and this test JAMF group are from Active Directory and our DC's.

Does that answer your question or can I clarify further?

Thanks!

0 Kudos
Reply

garybidwell
Contributor III

Posted on ‎05-13-2021 04:16 PM

OK, just that if you were using Azure AD, then group object names wasn't supported for use for JAMF administration groups (you had to do a work around by creating local groups named matched with the Azure group object ID) - but support for Azure group objects does come in the latest Jamf Pro 10.29

The issue is more likely to be with your SSO setup
What happens if you just add an individual LDAP user? can you log in with a that user and pass through the SSO ok?

0 Kudos
Reply

JAMFerino
New Contributor

Posted on ‎05-13-2021 07:24 PM

Great info, thanks!

Yeah. If I manually create a user, by Settings>System Settings>Jamf Pro User Accounts & Groups>"New" and select "Add LDAP Account" it will successfully import/create the user and the user can sign in via our SSO page.

I have full admin rights to Active Directory and JAMF Pro (and even Azure AD) but not to our SSO setup or IdP etc. But I can get access or info, depending on the need.

0 Kudos
Reply

Ken_Bailey
New Contributor III

Posted on ‎05-14-2021 09:54 AM

Not sure if it matters or not, but is the group setup as a Security Group within AD or Distribution Group? We only leverage Security Groups for access.

0 Kudos
Reply

JAMFerino
New Contributor

Posted on ‎05-14-2021 02:22 PM

It is a security group that I'm using but thank you, that's good to know.

0 Kudos
Reply

user-FSTJIZgVcE
New Contributor

Posted on ‎05-19-2021 07:01 AM

Currently the only option is to allow users either full access or access to one site. Dialog with your fellow IT professionals, gain insight about Apple device ... in this FR: Site admin permissions - Grant a single user/group access to multiple sites. of permissions you want to apply to users, both local to the JSS and LDAP.

0 Kudos
Reply