Overview: When enabling Single Sign-On in Jamf Pro, admins are given the option to enable SSO for User Initiated Enrollment and the ability to limit UIE to a single group. If an admin does not want to make a specific group for UIE or an admin wishes to simplify UIE for users to force an enrolled device to hit a specific site, Jamf Pro Users and Groups may be used as an alternative.
Scenario: Administrator wants to limit UIE to specific groups and not allow all users to enroll a machine. Administrator wants multiple groups to be able to access UIE.
Workflow:
- User enrolls a device either through User Initiated Enrollment or Automated Device Enrollment with an Enrollment Customization and a single sign-on pane to gate access to the Jamf Pro server.
- Jamf Pro receives SAML token from identity provider to access the Jamf Pro server. Jamf Pro sees the token does not contain the group membership attribute that would give access to enroll a device.
- Jamf Pro then checks Users and Groups for access to the Jamf Pro server. Group membership matches a group in the SAML token.
- User proceeds to enroll the device with the limitations of the Jamf Pro Users and Groups access permissions.
Procedure:
- Set up Single Sign-On and limit to a group that does not exist
- Examine the SAML token for Jamf Pro SSO to make sure groups are included in the claim attributes
- Create groups in Jamf Pro Users and Groups that match the corresponding group names in the SAML token
Step One: Set up Single Sign-On and limit enrollment
Follow the instructions at https://docs.jamf.com/jamf-pro/administrator-guide/Single_Sign-On.html to set up Single Sign-On for your identity provider in Jamf Pro. On the bottom of the page in Jamf Pro → Settings → Single Sign-On, modify the Single Sign-On Options for Jamf Pro under the section “Enable Single Sign-On for User-Initiated Enrollment”.
In the section marked “Only this group”, add the name of a group that will not ever exist in your identity provider, in this case, a group named “thisgroupdoesntexist”.
Save the settings and continue.
Optional: If you are using Enrollment Customization for automated device enrollment, you can limit access to one, non-existant group as well. Navigate to Settings → Enrollment Customizations, select the name of your enrollment customization, and edit the pane that contains Single Sign-On:
In the “Configure Enrollment Access For:” section, select “Only this group” and enter the name of a group that does not exist in your identity provider.
Save the settings and continue.
Reference: https://docs.jamf.com/jamf-pro/administrator-guide/Enrollment_Customization_Settings.html
Step Two: Examine the SAML token for Jamf Pro SSO
Use a SAML inspector tool like the SAML Message Decoder - https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm - in a web browser like Google Chrome or Microsoft Edge. Sign into the Jamf Pro server administration page and capture the SAML token used for the login.
A SAML identity token is an XML formatted text file. A section named <AttributeStatement> will contain “claims” or attributes of the user including, if enabled, groups to which the user belongs. The group claim will look something like the sample below:
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>The Crazy Ones</AttributeValue>
<AttributeValue>The Misfits</AttributeValue>
<AttributeValue>The Rebels</AttributeValue>
<AttributeValue>The Troublemakers</AttributeValue>
<AttributeValue>The Round Pegs in Square Holes</AttributeValue>
</Attribute>The string between the <AttributeValue> tags is the name of a group that user belongs to. (Note: In pure Azure environments, the group name may correspond to the UUID of the group’s identifier in Azure (e. g. 5d6b6bb7-de71-4623-b4af-96380a352509) instead of the actual sAMAccountName.) An attribute with groups may contain one single group or multiple groups depending on how the SAML application is configured in the identity provider.
Validate that the SAML token is passing a group membership as part of the claims, and record the group name or names for access to the next step.
Step Three: Create groups in Jamf Pro Users and Groups
Navigate to Settings → System Settings → Jamf Pro User Accounts & Groups. Create a new account group.
(Note: If you have LDAP configured on your Jamf Pro server and if the source of the name of the group is the same for LDAP as the group names in the token, you can make either an LDAP group or a Standard group. The name of the group is what will be pattern matched to the list of groups in the SAML token.)
Set Display Name of the group to the group name in the SAML token who should receive access to enroll a device. Set Access Level to either Full or Site depending on the administrator’s needs. For example, if a group should enroll devices directly into a site instead of being shown a selection of sites, select Site Access and pick the appropriate site.
Set the Privilege Set to at minimum “Enrollment Only.” Administrators may wish to customize the Privileges as they see fit.
Save and test your configuration by visiting the User Initiated Enrollment page for your Jamf Pro server.
Reference: https://docs.jamf.com/jamf-pro/administrator-guide/Jamf_Pro_User_Accounts_and_Groups.html
Reference: https://docs.jamf.com/10.27.0/jamf-pro/administrator-guide/User-Initiated_Enrollment_Settings.html
Contributors and thanks: Adam Bjerke and James Trousdale
