Posted on 02-15-2021 07:25 AM
Hi all
I am new to Jamf.
I am looking to start enrolling our mac fleet into Jamf Pro. (we have v 10.26).
We have AD on prem and bind Macs to a domain.
I have some questions:
Is it recommended to connect to Azure AD before or after enrolling our fleet?
Is there any downside to connecting to azure AD before enrolling the fleet?
Where does LDAP come in? (I understand version 10.27 is released this week which allows integration into Azure AD. Does this mean it will replace LDAP?)
thanks
Posted on 02-15-2021 07:29 AM
10.27 integrates with Azure AD and works the same way as LDAP within Jamf Pro. If you are at the point of rolling out your fleet, then perhaps integrating with Azure AD would be a good thing to do now rather than later.
I've just done the integration to 10.27 on my MDM and the process was straightforward; you can then look into using custom enrolment and using Azure SSO during the setup process.
Posted on 02-15-2021 08:20 AM
Is there any downside to enrolling the fleet first? And then hooking up to Azure AD later down the line?
Are there any other considerations at this point?
Posted on 02-15-2021 08:29 AM
So the only reason I can see is that if you enable it now with custom enrolment, it will associate the Azure AD account with the device in Jamf Pro, so you get a sort of accounting and auditing.
You can do this post-rollout, but it's a manual API task instead of automated.
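The "manual API task" the reply refers to is writing the user into the computer record's Location fields. The script below is an added illustration, not code from Jamf or from anyone in this thread: it uses the Jamf Pro Classic API endpoint `PUT /JSSResource/computers/serialnumber/{serial}` with a `<computer><location><username>` body, which is how a user (here an Azure AD UPN) gets attached to an already-enrolled Mac. `JAMF_URL`, the API credentials and the serial numbers and UPNs are placeholders; the account used needs only Update permission on Computers.

```python
"""Attach a user (e.g. an Azure AD UPN) to a computer record in Jamf Pro via
the Classic API, for devices that were enrolled before identity integration.

Added example, not Jamf's code.  Endpoint and XML element names are from the
Classic API; JAMF_URL, API_USER, API_PASS and the sample rows are placeholders."""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import quote

JAMF_URL = "https://jamf.example.com"   # placeholder: your Jamf Pro server
API_USER = "api-user"                   # placeholder: account with Update on Computers
API_PASS = "changeme"                   # placeholder


def build_location_xml(username: str,
                       email: Optional[str] = None,
                       realname: Optional[str] = None) -> bytes:
    """Return the XML body that sets the user on a computer record.

    Only the fields supplied are written, so a PUT with this body leaves the
    other Location fields (department, building, ...) untouched."""
    computer = ET.Element("computer")
    location = ET.SubElement(computer, "location")
    ET.SubElement(location, "username").text = username
    if email:
        ET.SubElement(location, "email_address").text = email
    if realname:
        ET.SubElement(location, "real_name").text = realname
    return ET.tostring(computer, encoding="utf-8")


def computer_url(serial: str) -> str:
    """Address the record by serial number: known from the box or Apple
    Business Manager, unlike the Jamf-internal computer ID."""
    return f"{JAMF_URL}/JSSResource/computers/serialnumber/{quote(serial, safe='')}"


def assign_user(serial: str, username: str,
                email: Optional[str] = None,
                realname: Optional[str] = None) -> int:
    """PUT the location block; the Classic API answers 201 on a successful update."""
    body = build_location_xml(username, email, realname)
    req = urllib.request.Request(computer_url(serial), data=body, method="PUT")
    token = base64.b64encode(f"{API_USER}:{API_PASS}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")   # Classic API basic auth
    req.add_header("Content-Type", "application/xml")
    req.add_header("Accept", "application/xml")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def assign_from_rows(rows: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Bulk version over (serial, upn) pairs, e.g. exported from inventory.

    A missing serial produces HTTP 404 from Jamf Pro; record it instead of
    aborting so one typo does not stop the whole run."""
    results: Dict[str, int] = {}
    for serial, upn in rows:
        try:
            results[serial] = assign_user(serial, upn, email=upn)
        except urllib.error.HTTPError as exc:
            results[serial] = exc.code
    return results


if __name__ == "__main__":
    # Constructed sample values; shows the body without contacting a server.
    print(build_location_xml("jdoe@example.com", email="jdoe@example.com",
                             realname="Jane Doe").decode())
```

Run the script against a single test Mac first and check the record's User and Location tab in Jamf Pro before feeding it a whole inventory export.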
Posted on 02-15-2021 08:38 AM
And what's the problem with associating the Azure AD account with the device?
Posted on 02-15-2021 08:41 AM
There wasn't a problem, it was the only positive item I could think of.
Posted on 02-15-2021 08:48 AM
Thanks, I got the wrong end of the stick there.
Posted on 02-15-2021 09:25 AM
Has anyone else got any thoughts on the original post?
Posted on 02-15-2021 12:58 PM
Are you currently using LDAP with ADFS? With 10.27, it doesn't appear you can use both LDAP and Azure AD Cloud Identity. See this note in the Jamf Administrator guide:
What is your ultimate goal with Azure AD integration? And what are you doing now with LDAP integration (if anything)? It really won't affect anything you are doing on the client computers related to binding. That will continue to function as before. What 10.27 adds is the ability to use Azure AD similar to what we can use LDAP for now in Jamf Pro (Jamf Pro Users, Scoping to AAD accounts and Groups).
Posted on 02-16-2021 01:27 AM
@RBlount - We are at the beginning, so at this point it's a case of getting going, so trying to see if enrolling devices before or after has any benefits or downsides.
We have not integrated anything yet. Our ultimate goal is to have this as hassle free as possible and replace AD on prem and get modern. We will also at some point down the line purchase Jamf Connect.
About LDAP with ADFS - I'll assume you mean do we have it set up already for our Macs with Jamf? If so then no. Or do you mean do we have LDAP setup for our PCs?
thanks
Posted on 03-01-2021 10:57 PM
I integrated and it works fine except for group membership. The users and groups do get populated but the group membership shows NA. Any idea on this?
Posted on 03-04-2021 12:16 AM
MFA Multifactor Auth could be a blocker if you use user-initiated Enrollment (as we do)
...
When Azure AD with multi-factor authentication enabled is added as the cloud identity provider, authentication workflows in Jamf Pro (e.g., Self Service and user-initiated enrollment) do not work for Azure AD user groups and accounts.
...
Posted on 03-04-2021 05:26 AM
@michaelhusar
We wanted to use user-initiated Enrolment, and are still waiting to integrate the Azure AD from our AD team. Can you please point to a good workflow for user-initiated Enrolment? I can look into the Admin guide, but I'm guessing there is something somewhere that others used and is easier, or your workflow?
Thanks in advance.
Posted on 03-04-2021 11:10 PM
@pramodmac I do not know whether it is good, but:
We only order machines with DEP/ADE
We configured Enrollment customization and User Initiated Enrollment with the AD/LDAP groups we want to allow Enrollment
We use PreStage Enrollment with Account creation-> with Pre-fill account information with device owner’s details so we end up at the Setup Assistant with the AD-account of the enrolling enduser
We followed the JNUC https://youtu.be/ep-81id3PvY Many thanks for the great video!
So the user unpacks the machine, connects to the internet, authenticates and waits for the setup to be finished
Hope that helps
Btw: We do not bind anymore - we use the SSO Extension (distributed via MDM)
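The "SSO Extension (distributed via MDM)" in this reply is a configuration profile carrying an Extensible Single Sign-On payload (`com.apple.extensiblesso`), which lets the identity provider's extension handle sign-in redirects instead of the Mac being bound to AD. The generator below is an added example, not code from the thread or from Jamf or Microsoft: it builds such a `.mobileconfig` for the Microsoft Enterprise SSO plug-in using Python's standard `plistlib`, and checks the payload for the mistakes that most often make macOS ignore it. The extension identifier, team identifier and sign-in URLs are Microsoft's published values for that plug-in (it ships inside the Company Portal app, which must be installed for the extension to load); the organisation name, profile identifier and the `browser_sso_interaction_enabled` option are constructed sample settings to verify against current Microsoft documentation.

```python
"""Generate an Extensible SSO configuration profile for the Microsoft
Enterprise SSO plug-in, the kind of profile distributed via MDM in place of
AD binding.

Added example, not Jamf's or Microsoft's code.  MS_SSO_EXTENSION, MS_TEAM_ID
and AAD_URLS are Microsoft's published values; everything else is a placeholder."""
import plistlib
import uuid
from typing import Dict, List, Optional
from urllib.parse import urlparse

MS_SSO_EXTENSION = "com.microsoft.CompanyPortalMac.ssoextension"  # bundle id of the plug-in
MS_TEAM_ID = "UBF8T346G9"                                         # Microsoft's Apple team id
AAD_URLS = [                                                      # sign-in endpoints it handles
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]


def extensible_sso_payload(extension_id: str, team_id: str, urls: List[str],
                           extension_data: Optional[Dict] = None) -> Dict:
    """One com.apple.extensiblesso payload of Type Redirect.

    Redirect extensions take over OAuth/SAML redirects to the listed URL
    prefixes; the prefixes should not overlap those of another SSO profile
    installed on the same Mac."""
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{extension_id}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Extensible Single Sign-On",
        "ExtensionIdentifier": extension_id,
        "TeamIdentifier": team_id,
        "Type": "Redirect",
        "URLs": list(urls),
    }
    if extension_data:
        payload["ExtensionData"] = dict(extension_data)
    return payload


def validate_payload(payload: Dict) -> List[str]:
    """Return a list of problems (empty when the payload is well-formed)."""
    problems = []
    if payload.get("PayloadType") != "com.apple.extensiblesso":
        problems.append("PayloadType must be com.apple.extensiblesso")
    for key in ("ExtensionIdentifier", "TeamIdentifier"):
        if not payload.get(key):
            problems.append(f"{key} is required")
    if payload.get("Type") not in ("Redirect", "Credential"):
        problems.append("Type must be Redirect or Credential")
    if payload.get("Type") == "Redirect":
        urls = payload.get("URLs") or []
        if not urls:
            problems.append("Redirect payloads need at least one URL")
        for url in urls:
            parsed = urlparse(url)
            if parsed.scheme != "https" or not parsed.netloc:
                problems.append(f"URL must be an https prefix: {url}")
    return problems


def build_profile(org: str, identifier: str, display_name: str,
                  extension_data: Optional[Dict] = None) -> bytes:
    """Wrap the payload in a device-level profile and serialise to .mobileconfig."""
    payload = extensible_sso_payload(MS_SSO_EXTENSION, MS_TEAM_ID, AAD_URLS, extension_data)
    problems = validate_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": org,
        "PayloadScope": "System",      # device level, so it applies before any user logs in
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed sample settings; browser_sso_interaction_enabled is a
    # Microsoft-documented option that lets Safari sessions use the plug-in.
    data = build_profile("Example Org", "com.example.sso.microsoft",
                         "Microsoft Enterprise SSO",
                         extension_data={"browser_sso_interaction_enabled": 1})
    with open("microsoft-sso.mobileconfig", "wb") as fh:
        fh.write(data)
```

Upload the resulting file in Jamf Pro under Computers > Configuration Profiles (Upload) and scope it alongside the Company Portal installer; on a test Mac, `app-sso platform -s` in Terminal shows whether the extension registered.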
Posted on 03-05-2021 11:21 PM
@michaelhusar, thank you for your response and assistance, I will check the video you shared, much appreciated.
Posted on 04-12-2021 12:52 PM
I was considering starting my own thread, but figure I'll try this one first.
I am trying to integrate AAD/ASM authentication for our Macs (running Catalina). We have on-prem Jamf Pro (running 10.28x), and a fully populated AAD tenant, as well as ASM. I have the ASM/AAD sync running successfully, creating users as desired in ASM. All our Macs are enrolled via DEP, but are NOT currently bound to any DS - just using local user accounts. What do I need to do to set up AAD authentication on the Macs themselves? @michaelhusar mentions an SSO extension - what exactly is that, and where do I lay hands on it? Or is that even what I need? Sorry, I've read quite a bit, and watched about half of that video, but it was spending a lot of time on LDAPS instead of Azure/SAML, and it seemed oriented to starting from scratch, which isn't my case. Any guidance greatly appreciated!
Posted on 04-12-2021 02:51 PM
@dmillertds Just to make sure I understand, you want to connect directly to Azure AD and not a local AD, correct?
If so, what are your goals for authentication? Do you just want to authenticate when the computer is enrolled? Do you want to have the user authenticate against their AAD accounts to create users? Do you want to keep their passwords sync'd between Azure AD and their local macOS account? Do you want them to authenticate against Azure AD each time they login?
If all you want to do is have the user authenticate during enrollment, you can set up SSO in Jamf Pro. For Automated Enrollments, you would need to create an Enrollment Customization (with an SSO pane).
If you want to have your users log in to their computers with their Azure AD accounts, then you will need to purchase Jamf Connect. This will allow you to replace the existing login screen with an Azure login screen. Users can authenticate using their AAD credentials and create local users based on those AAD credentials. The Jamf Connect menu bar will also allow the users to keep their local password and AAD password in sync.
Posted on 04-13-2021 09:14 AM
@RBlount thanks for your reply. The answer is we want to primarily use AAD creds to log into the Macs (i.e., your last paragraph). In all the reading I had done on macOS/AAD integration (which was quite a bit), I never caught that you couldn't actually log into the Mac itself with those credentials. So that's on me for not parsing the fine print carefully enough (I should know better, especially with Apple - don't EVER assume anything!) It's astounding to me this is still the case in 2021, that you can't use a cloud IdP for macOS without involving a 3rd party solution! I have had NoMAD/NoMAD Login working for a couple years, with some hiccups - guess we'll have to stick with that. Thanks again for setting me straight.