Jamf Connect and Azure Conditional Access MFA

nick-at-artsed
New Contributor III

Does anyone know a way to exclude Jamf Connect from MFA in Azure Conditional Access?

I have created a web redirect URI to make Azure see the app registration in conditional access but when I add this as an exclusion users are still asked for MFA.

Thanks!


jaellington
New Contributor III

We want to try treating the connector IP address range as a trusted location, but have not been able to find the range that the Jamf connector is using. I can see individual Jamf connection IP addresses in the Azure sign-in logs, but it would be nice to have the CIDR address.

nick-at-artsed
New Contributor III

That would certainly be a workable solution.

jaellington
New Contributor III

@nick-at-artsed Jamf support couldn't give me the IP addresses that the connector is using for Azure, but after going through the Azure failed sign-in logs, I put all of the IP addresses that were labeled as Jamf Azure AD Connector into a named location in Azure AD and marked them as trusted. I then exempted that named location from our conditional access policy. So far, so good.
I'm not sure what range of IPs the Jamf connector is using, so I may have to keep adding to the named location. We'll see how it goes.

@jaellington any chance you'd be willing to share the list you've come up with? 🙂

@raymondap so far:

54.208.14.206/32
54.208.84.215/32

jameschuong
New Contributor II

Running into the same issue here. Where do you whitelist the IPs in Azure?

nick-at-artsed
New Contributor III

This eventually worked for us without the need for whitelisting IPs. We just have a policy that applies to a group of users / all cloud apps / Jamf Connect excluded / require MFA.

jaellington
New Contributor III

@jameschuong Apologies for the delay in replying. Hopefully you already have your answer, but if not:

You can create an IP range location in Azure AD by going to Security > Named Locations. Then you can click on '+ IP ranges location', give it a name (something like Jamf Pro Connector), and add the IP addresses. Then go back to your CA policy and click on Conditions. Then in the Locations tab, add your new Named Location to the Exclude list.

We did this about 8 months ago, and have had no issues with it so far.

user-viIrFqlrWm
New Contributor

Just found the list of IP addresses that Jamf is using. It doesn't match any of the IPs mentioned above, but it does include the ones that I'm seeing currently in the sign-in logs. Also, for anyone wanting to know how to whitelist IP addresses for conditional access policies, you need to create a named location. Just go to Security > Named Locations once you are in Active Directory. You will then add the named location as an exclusion under the Grants of the conditional access policy that is requiring MFA.

https://learn.jamf.com/bundle/technical-articles/page/IP_Address_Changelog_for_Outbound_Traffic_from...
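The two procedures in this thread, mining the Azure sign-in logs for the addresses attributed to the Jamf connector (jaellington's approach) and turning them into a Named Location that the Conditional Access policy excludes, can be scripted. The following is an added example and not code from the thread, from Jamf, or from Microsoft. It assumes sign-in records in the Microsoft Graph `signIn` shape (`appDisplayName`, `ipAddress`, `status.errorCode`) and emits the request body for the Graph `ipNamedLocation` resource; the sample records, the display name "Jamf Pro Connector" and the two addresses are constructed or taken from the thread, not pulled from a real tenant. It also covers the maintenance step jaellington mentions: finding addresses that have appeared in the logs but are not yet in the existing ranges.

```python
"""Build a Graph ipNamedLocation body from Azure AD sign-in records (added example)."""
import ipaddress
import json

# Constructed sample sign-in records in Microsoft Graph `signIn` shape (not real log data).
# AADSTS 50076 is the "multi-factor authentication required" interrupt seen as a failed sign-in.
SAMPLE_SIGNINS = [
    {"appDisplayName": "Jamf Azure AD Connector", "ipAddress": "54.208.14.206",
     "status": {"errorCode": 50076}},
    {"appDisplayName": "Jamf Azure AD Connector", "ipAddress": "54.208.84.215",
     "status": {"errorCode": 50076}},
    {"appDisplayName": "Jamf Azure AD Connector", "ipAddress": "54.208.14.206",
     "status": {"errorCode": 0}},  # duplicate source, successful sign-in
    {"appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},  # unrelated app, must be ignored
    {"appDisplayName": "Jamf Azure AD Connector", "ipAddress": "not-an-ip",
     "status": {"errorCode": 0}},  # malformed field, must be skipped not trusted
]


def connector_ips(signins, app_name="Jamf Azure AD Connector"):
    """Return the de-duplicated, valid source addresses the logs attribute to app_name."""
    seen = set()
    for rec in signins:
        if rec.get("appDisplayName") != app_name:
            continue
        try:
            seen.add(ipaddress.ip_address(rec.get("ipAddress", "")))
        except ValueError:
            continue  # never let a malformed entry reach the trusted list
    # Key by (version, int) so IPv4 and IPv6 objects never get compared directly.
    return sorted(seen, key=lambda a: (a.version, int(a)))


def named_location_body(addresses, display_name="Jamf Pro Connector", trusted=True):
    """Request body for POST /identity/conditionalAccess/namedLocations (Graph ipNamedLocation)."""
    ranges = []
    for addr in addresses:
        odata_type = ("#microsoft.graph.iPv4CidrRange" if addr.version == 4
                      else "#microsoft.graph.iPv6CidrRange")
        # Each logged address becomes a host route (/32 or /128) until a published range is known.
        ranges.append({"@odata.type": odata_type,
                       "cidrAddress": f"{addr}/{addr.max_prefixlen}"})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,
        "ipRanges": ranges,
    }


def uncovered(addresses, existing_cidrs):
    """Addresses seen in the logs that no range of the existing Named Location covers."""
    nets = [ipaddress.ip_network(c, strict=False) for c in existing_cidrs]
    return [a for a in addresses if not any(a in n for n in nets)]


if __name__ == "__main__":
    ips = connector_ips(SAMPLE_SIGNINS)
    print(json.dumps(named_location_body(ips), indent=2))
    # Maintenance run: compare against the ranges already in the Named Location.
    print("not yet covered:", [str(a) for a in uncovered(ips, ["54.208.14.206/32"])])
```

The body can be submitted with any Graph client, for example `New-MgIdentityConditionalAccessNamedLocation -BodyParameter` from the Microsoft Graph PowerShell module, and the resulting location is then added to the policy's location exclusions as described above. Two design points: `isTrusted` is only needed if other policies key on trusted locations, since the exclusion itself works with an untrusted Named Location too; and host routes harvested from logs are a stopgap, so the published Jamf outbound IP changelog linked in the last post should replace them as the source of truth once it is available.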