Jamf Pro local accounts microsoft 365 accounts

LNVD
New Contributor


Hello,

I am currently working on integrating macOS local accounts with Azure AD accounts. Is this feasible?

I'm having difficulty locating the appropriate documentation to guide me through the setup process.

Additionally, we are exploring Jamf Pro as part of our trial phase. We require the capability to enable users to reset their Microsoft account password, ensuring it synchronizes with the local macOS account.


Any help would be much appreciated.


AJPinto
Honored Contributor III

macOS and Windows have massively different concepts of identity management. I would suggest forgetting everything you understand about how Windows identity management works.


Without any 3rd party tools, Apple has two solutions and JAMF has a 3rd party solution.

  1. Kerberos SSO extension. This allows a user to log in to their AD account after logging in to their local macOS account. This tool will keep the local account password synced with the AD password, and prompt the user to update the local account password as needed. This tool has no concept of on-demand account creation, and does not support Azure/Entra accounts as it was designed specifically for on-prem AD environments.
  2. Platform SSO. This tool does everything the Kerberos SSO extension does, plus the ability to create accounts on demand (macOS 14+) and assign user groups based on IdP (Azure/Entra) group membership. Speak with Microsoft to see what their current support is of this feature, as I think it's still in preview.
  3. Warning: In 2023/2024, do not consider domain binding macOS. Apple is actively moving people away from domain binding, and no longer develops macOS with domain binding in mind.
  4. JAMF has a tool called JAMF Connect that can be configured to use Azure. This tool supports on-demand account creation, password syncing, as well as ticket management.


JAMF Pro is an MDM platform; it will configure all the stuff mentioned above. However, JAMF Pro itself will not enable any IdP integrations. Platform SSO is the function that would be closest to what you are asking for, not counting JAMF Connect, which is what we use. Depending on your licensing level with Microsoft, Platform SSO is likely an additional cost. JAMF Connect is an add-on item to JAMF Pro, but we find it worth it.


https://www.apple.com/za/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf

https://support.apple.com/guide/deployment/platform-sso-for-macos-dep7bbb05313/web

https://developer.apple.com/documentation/authenticationservices/platform_single_sign-on_sso?languag...
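
As an added example that is not part of either reply, and not Jamf's or Apple's own code: the script below builds the Kerberos SSO extension payload (PayloadType com.apple.extensiblesso) that the first reply describes for the on-prem AD case, with syncLocalPassword enabled so the local macOS password follows the AD password, and then checks the profile for the settings that would stop that sync from working (wrong Type, non-upper-case realm, empty Hosts, sync turned off). The realm name, host list and payload identifiers are assumptions for illustration; the key names are Apple's documented Kerberos SSO extension keys. Uploading and scoping the resulting .mobileconfig in Jamf Pro, Platform SSO, and Jamf Connect are outside what it covers.

```python
"""Build and sanity-check a Kerberos SSO extension configuration profile.

Added example, not code from the thread or from Jamf/Apple.  The realm,
host list and Payload identifiers are assumptions for illustration; the
payload and ExtensionData key names are Apple's Kerberos SSO extension keys.
"""
import plistlib
import uuid

SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"
KERBEROS_EXTENSION_ID = "com.apple.AppSSOKerberos.KerberosExtension"


def build_kerberos_sso_payload(realm, hosts, pw_notification_days=15,
                               sync_local_password=True,
                               require_user_presence=False):
    """Return one extensible SSO payload configured for the Kerberos extension."""
    return {
        "PayloadType": SSO_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.kerberos",   # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kerberos SSO extension",
        "ExtensionIdentifier": KERBEROS_EXTENSION_ID,
        "TeamIdentifier": "apple",
        "Type": "Credential",        # Kerberos is a credential-type extension
        "Realm": realm.upper(),      # the extension expects the realm in upper case
        "Hosts": list(hosts),        # domains/hosts the extension will handle
        "ExtensionData": {
            "syncLocalPassword": sync_local_password,   # keep local PW == AD PW
            "pwNotificationDays": pw_notification_days, # warn before AD expiry
            "requireUserPresence": require_user_presence,
            "useSiteAutoDiscovery": True,
            "allowPasswordChange": True,
        },
    }


def build_profile(payloads, identifier="com.example.profile.kerberos-sso"):
    """Wrap payloads in a system-scoped top-level configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,   # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kerberos SSO extension with password sync",
        "PayloadContent": list(payloads),
    }


def check_password_sync(profile):
    """Return a list of problems that would stop local/AD password sync.

    An empty list means every Kerberos SSO payload in the profile has the
    fields the extension needs and has local password sync switched on.
    """
    problems = []
    kerberos_payloads = [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == SSO_PAYLOAD_TYPE
        and p.get("ExtensionIdentifier") == KERBEROS_EXTENSION_ID
    ]
    if not kerberos_payloads:
        return ["no Kerberos SSO extension payload in profile"]
    for p in kerberos_payloads:
        if p.get("Type") != "Credential":
            problems.append("Type must be Credential for the Kerberos extension")
        if p.get("TeamIdentifier") != "apple":
            problems.append("TeamIdentifier must be 'apple'")
        realm = p.get("Realm", "")
        if not realm or realm != realm.upper():
            problems.append("Realm missing or not upper-case")
        if not p.get("Hosts"):
            problems.append("Hosts is empty; the extension will never be invoked")
        ext = p.get("ExtensionData", {})
        if not ext.get("syncLocalPassword"):
            problems.append("syncLocalPassword is off; local password will drift from AD")
        if ext.get("pwNotificationDays", 0) <= 0:
            problems.append("pwNotificationDays should be positive so users get expiry warnings")
    return problems


def to_mobileconfig(profile):
    """Serialise the profile to the XML plist that Jamf Pro and profiles(1) accept."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(data):
    """Parse a .mobileconfig back into a dict (used to round-trip check output)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Assumed realm and hosts; replace with your own AD forest values.
    payload = build_kerberos_sso_payload("corp.example.com", ["corp.example.com"])
    profile = build_profile([payload])
    print(check_password_sync(profile) or "profile OK")
    print(to_mobileconfig(profile).decode())
```

Run it to get a .mobileconfig on stdout; the check function is the part worth keeping in a pipeline, since a profile with sync disabled or a lower-case realm installs cleanly but silently fails to do what this thread is asking for.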

moriahitadmin
New Contributor III

Ideal way would be using Jamf Connect and the migrate account option.

"Allows existing local accounts to be connected to a network account.

This setting is typically used when you want a user's existing local account to have the same username and password as the user's network account."