Jamf 10.33 / AzureAD - Can't use Azure AD groups for policies

glpi-ios
Contributor III

Hello,

We have an LDAP server (Active Directory) configured on our JSS.
We will move to Azure AD.
For this, we have configured "Cloud Identity Providers" to integrate with our Azure AD.

Everything seems ok with tests. We can query for groups, users and get "true" for membership

We are trying to scope and limit policies (Self Service) to group memberships from AzureAD (via Cloud Identity Provider). I can search for the group and add it to the Limitations section of the policies.

But when I try to test the policies on computers, the policies are not available when users connect to Self Service using the Azure AD accounts in the target groups.

When we try with Active Directory groups, that works well but not with Azure AD groups.

Do you know if this is normal? Can't scopes with Azure AD groups?

We have Jamf Cloud 10.33.

Thank you for your help

colorenz
Contributor

It works for us, but there was a bug in versions < 10.34 where you could only use < 15 groups. The PI was fixed in 10.34.

[PI-009318] Fixed an issue that incorrectly restricted the maximum number of Azure cloud IdP groups configured as limitations or exclusions in scope of an object (e.g., a configuration profile).
PI-009318 - “Azure AD - Scoping can’t have more than 15 group limitations / exclusions”

glpi-ios
Contributor III

Hi @colorenz 

Thank you for your answer.

We only use between 1 and 5 groups in scopes per object.

Do you have an LDAP server also configured in addition to an Azure cloud IdP?

Hey, we have switched from LDAP to Azure cloud IdP only.

@glpi-ios, check your Single Sign-On --> User Mapping section --> Jamf Pro User Mapping, and select username instead of email.

Hi @Himanshu_panwar 
Thank you for your help.

In fact, we don't use SSO at the moment.
But indeed, with the SSO activated, it works better.

The goal is to make it work without SSO at first (we will activate it later).

glpi-ios
Contributor III

OK, maybe the problem is there then.
We have both configured. We don't dare remove the link with Active Directory because we don't know the exact consequences for access to Self Service, Jamf Remote and Jamf Admin.

colorenz
Contributor

We use the Azure login for Self Service with MFA. We do not have Jamf Remote and Jamf Admin in use.

glpi-ios
Contributor III

OK. Thank you for your help.
We will continue the tests by trying to remove the link with our Active Directory.

On the other hand, if I understood correctly, for access to JSS with Azure AD groups, it will be necessary to create standard groups and users in JSS with the same name as the groups and users in Azure AD?

On the other hand, if I understood correctly, for access to JSS with Azure AD groups, it will be necessary to create standard groups and users in JSS with the same name as the groups and users in Azure AD?

-> Yes 🙂 

glpi-ios
Contributor III

Thank you very much for your help.

We will test all of this.

colorenz
Contributor

Maybe update to 10.34 first. The PI affected a lot of components... SSO login / scoping / the Computer Management tab...

glpi-ios
Contributor III

Thanks for the advice

We updated our dev instance. We will do this on our production.

colorenz
Contributor

Oh, I found a PI, maybe you have that problem...
https://account.jamf.com/products/jamf-pro/known-issues

PI-010002
When Azure is configured as a cloud identity provider, Jamf Pro sometimes fails to correctly handle the directory workflows for Azure groups (e.g., scope limitations).

glpi-ios
Contributor III

Indeed, it appears to be exactly the same symptom.

Well, we just have to hope that Jamf fixes this problem in the next releases.

Thank you for taking the time to research, it's super nice.

glpi-ios
Contributor III

Hello, 

I have another question.

Is it mandatory to activate SSO to access the JSS with an Azure AD account?
Because with SSO, it works well for me (by creating the standard groups/users corresponding to the Azure AD groups/users).
But without SSO, this is no longer possible.

Is this normal?

Thank you

colorenz
Contributor

Unfortunately, I can't tell you that. We do it that way so that we can also use MFA.

HealthcareMac
New Contributor II

A year and 10+ Cloud instance upgrades later, and the problem hasn't gone away. Can't use Azure AD groups for limitations. And the hassle of re-creating all Azure AD groups in JAMF is not feasible.

Yes, mapping is set up correctly.

Yes, testing a user/group shows up correctly.

Yes, we are only using cloud Azure AD, no on-prem connection.

Yes, we are targeting all computers with a specific user (Limitation: Azure AD group), no exclusions, and the software does not show up in Self Service.

Has anyone else had any luck? We only use JAMF for macOS, not for iPhone/iPad (Intune only for those).

Kishan_H
New Contributor II

Hey.

Yes, this is still an issue. I contacted Jamf Support last month and they replied:

"I have checked the PI104479 and it is still opened. Issue was investigated in depth and it would likely require a significant change across the board in how scoping works and is designed. Our developers team is working on finding the best solution for the situation. Unfortunately, we do not have ETR for the issue yet."

We're now on Jamf Pro 10.44.1 and yet this issue is still there.

JustDeWon
Contributor III

And yet we are now on Jamf Pro 11.0, and the issue still has not been addressed.

HealthcareMac
New Contributor II

This is working now after having Jamf Cloud Ops turn on a tool. Submit a support ticket to have "the Knob" turned on for your cloud instance. This tool allows for Azure AD group limitations to function for user lookup. It is off by default.

The scenario we tested for:

Users are given licenses for the Adobe product in Azure.

The install application is configured in Jamf Pro for all users, limited to the Azure AD group {xxxxxx}.

Application install and uninstall (break-fix) only show for the limiting group set in scope.

Requirements:

Self Service SSO must not be forced {Login Method: Allow users to log in | cannot be set to Required}.

Additionally, the user must be assigned to the computer in the inventory record as this is what Jamf Pro uses to determine the membership for the scoping.