Posted on 12-02-2022 07:20 AM
I wanted to know a few things about Jamf Connect.
1. If I use Jamf Connect, will the user be able to change the password and sync it with AD/the local Mac over the internet, I mean if the Mac is not on the office network, either physically or through VPN?
2. If I use Jamf Connect, then how many local user accounts will be created on the Mac after enrollment in the Jamf console? Is it 3: one created by PreStage enrollment, which is defined there with UID 501, another one created by Jamf Connect at the time of provisioning with UID 502, and another one being the management account? Am I correct?
3. Does Jamf Connect create only a standard account at the time of provisioning, or an admin one? If the end user enters a wrong string at the time of provisioning, then what will happen?
4. Is the Jamf menu bar app OK to deploy for existing Mac devices that were not deployed with Jamf Connect at the time of provisioning, or do I still need to deploy the Jamf Connect app too?
5. Can the Jamf menu bar app notify the end user when the user's AD password is going to expire?
Posted on 12-02-2022 08:19 AM
There's a lot more detail on some of these questions, like the admin-related ones, in the official documentation.
https://www.jamf.com/resources/product-documentation/jamf-connect-administrators-guide/
Posted on 12-02-2022 08:43 AM
Thanks for helping me to understand it. Helpful :)
Posted on 12-02-2022 08:59 AM
If I skip the account creation (UID 501) through PreStage and I configure Jamf Connect to create a standard account, then there will not be any other admin account to log in to the Mac. Can this create any problem for a desk-side technician doing Mac-related troubleshooting?
Posted on 12-02-2022 09:08 AM
It might if you both don't use the OIDCAdmin setting and don't create a local admin via the PreStage. My environment currently takes both approaches.
All our IT admin accounts are in the Azure role that provides Admin rights. That way, we can sign in with our accounts on any machine brought to us and do the admin tasks needed.
We also use a LAPS solution for a kind of "break glass" situation. We use the "Create a local administrator account before the Setup Assistant" option in our PreStages to create the initial LAPS account. From there, we use Joshua Miller's Swift-based macOSLAPS tool to regularly scramble the password and upload it into Jamf. This ensures we have a local admin account with a random password that is unique to that specific machine, just in case all other options fail.
https://github.com/joshua-d-miller/macOSLAPS
Posted on 12-02-2022 09:29 AM
LAPS I know and understand, but when the Mac is not joined to AD and Jamf Connect creates a local standard account, then how will you log in to the Mac with another account? I don't understand the Azure role you are talking about. Please explain it to me in more detail.
Posted on 12-02-2022 09:32 AM
That LAPS solution I linked works fine when machines are not bound to a domain.
Basically, what that OIDCAdmin setting does is tell Jamf Connect that any user who has the role specified in it will be created as an admin account when they sign in, regardless of other settings. This allows you to have your average user created as a standard account while still providing a way for your IT help desk or other support staff to sign in as an administrator without the need for a pre-created local account.
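As an added illustration that is not from any post in this thread, here is a constructed com.jamf.connect.login configuration profile fragment implementing the approach described above: ordinary users get standard accounts, while users who present a named IdP role are created as admins. The client ID, redirect URI and the role name "MacAdmin" are placeholders, not values from any real tenant.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Identity provider the Jamf Connect login window authenticates against -->
    <key>OIDCProvider</key>
    <string>Azure</string>

    <!-- Placeholder client ID and redirect URI from the Azure app registration -->
    <key>OIDCClientID</key>
    <string>00000000-0000-0000-0000-000000000000</string>
    <key>OIDCRedirectURI</key>
    <string>https://127.0.0.1/jamfconnect</string>

    <!-- false: every account Jamf Connect creates at the login window is a
         standard (non-admin) account. Setting this to true would make every
         signed-in user a local admin, which defeats the standard-account goal. -->
    <key>CreateAdminUser</key>
    <false/>

    <!-- Exception: a user whose token carries this role is created as a local
         admin even though CreateAdminUser is false. "MacAdmin" is a placeholder
         app role name that would be defined in the app registration and assigned
         only to help desk / support staff. -->
    <key>OIDCAdmin</key>
    <string>MacAdmin</string>
</dict>
</plist>
```

The useful check after deploying such a profile is to sign in once as a regular user and once as a member of the admin role and confirm with the local admin group membership which of the two accounts was elevated; if both are admins, the CreateAdminUser key or a conflicting profile is overriding the intended setting.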
Posted on 12-02-2022 08:21 AM
1. Yes
2. Jamf Connect will only create accounts if configured to. It will create accounts linked to the IdP, so technically 1 (unless it's a shared machine). Jamf itself creates the PreStage/management accounts.
3. Standard or administrator, you decide when configuring.
4. They are one and the same. You must deploy Jamf Connect and configure whether or not you want the login window.
5. Yes
Posted on 12-02-2022 08:42 AM
Thanks for clarifying for me. Helpful :)
Posted on 12-02-2022 09:18 AM
Just to clarify, as it was glossed over: are you using an IdP like Azure, Google, Ping, Okta, etc., or is this an on-premises AD domain?
Posted on 12-02-2022 09:23 AM
I am planning to implement Jamf Connect; we have AAD integrated with Jamf to replace the JIM server. Now I am thinking about where to start.