Grant JAMF Pro admin rights via LDAP group?

JAMFerino
New Contributor

Hi everyone! I'm struggling with getting this to work. Any input/advice would be greatly appreciated.

Goal: Create an LDAP group in AD, add AD users who do not have individual admin user accounts created in JAMF, and grant access in JAMF per the AD group's user memberships.

Issue: Users receiving "access denied" when launching JAMF Pro from SSO.

Steps taken:
-Created LDAP group "JAMFexample"
-Added a test user (a coworker) to the group
-Added the LDAP group to JAMF
-Granted necessary privilege's in JAMF for the test group

Troubleshot:
-Navigating to JAMF Settings>System Settings>LDAP Servers>Mappings and then testing User Mappings, User Group Mappings, and User Group Membership Mappings all give instant successful results.
937678b672b34501807254e4fff97376

If all the tests work, what could be holding me up on this? I can provide any extra info that might be helpful.

Thanks for reading!

7 REPLIES 7

garybidwell
Contributor II

When you say AD, do you mean you have configure LDAPS to use on-premise Active Directory or Azure AD?

JAMFerino
New Contributor

Thanks for the reply Gary - we use on-prem AD. We do use Azure AD as well, for some things, but user accounts and this test JAMF group are from Active Directory and our DC's.

Does that answer your question or can I clarify further?

Thanks!

garybidwell
Contributor II

OK, just that if you were using Azure AD, then group object names wasn't supported for use for JAMF administration groups (you had to do a work around by creating local groups named matched with the Azure group object ID) - but support for Azure group objects does come in the latest Jamf Pro 10.29

The issue is more likely to be with your SSO setup
What happens if you just add an individual LDAP user? can you log in with a that user and pass through the SSO ok?

JAMFerino
New Contributor

Great info, thanks!

Yeah. If I manually create a user, by Settings>System Settings>Jamf Pro User Accounts & Groups>"New" and select "Add LDAP Account" it will successfully import/create the user and the user can sign in via our SSO page.

I have full admin rights to Active Directory and JAMF Pro (and even Azure AD) but not to our SSO setup or IdP etc. But I can get access or info, depending on the need.

Ken_Bailey
New Contributor III

Not sure if it matters or not, but is the group setup as a Security Group within AD or Distribution Group? We only leverage Security Groups for access.

JAMFerino
New Contributor

It is a security group that I'm using but thank you, that's good to know.

user-FSTJIZgVcE
New Contributor

Currently the only option is to allow users either full access or access to one site. Dialog with your fellow IT professionals, gain insight about Apple device ... in this FR: Site admin permissions - Grant a single user/group access to multiple sites. of permissions you want to apply to users, both local to the JSS and LDAP.