Upgrading from on-prem LDAP to Azure

amonteith
New Contributor II

Hi,


We've recently moved from an on-premises server to the cloud.  We are using on-premises Active Directory for LDAP services and were hoping to move to Azure AD at some point.  We brought this up during the migration to the cloud and the Jamf tech who was assisting with the migration said that there was no path to upgrade from where we were with on-premises AD to where we wanted to be with Azure at that time.


Since then, I've been looking around the forums trying to get more information.  In the older documentation (up to v10.29), I can see a blurb that says "To ensure your existing LDAP workflows (e.g., scoping or user accounts and groups) continue to work correctly, you will need to migrate your configuration when the migration assistant is available in a future release of Jamf Pro. Adding the Azure AD integration prior to migration may break your environment."


This warning doesn't appear in the documentation after v10.30.  We're in the cloud on v10.32.  Does this mean it's relatively safe to upgrade from on-premises LDAP to Azure without breaking too much?

1 ACCEPTED SOLUTION

cslemp
New Contributor III

The warning is still present in the documentation for 10.33.  It's just farther down the page: https://docs.jamf.com/10.33.0/jamf-pro/administrator-guide/Azure_AD_Integration.html



chris_hansen
Contributor

I asked the same question of my success manager in September. We're in a similar condition.

success manager

Thanks for reaching out. Unfortunately, we do not have a migration assistant yet to move from Azure AD with Cloud Identity Providers. Please let me know if you have any further questions.

Me: 

Thank you for letting me know.

Will you contact me when you do have that?

success manager

I hope your day is starting off. Since there is no notification for this, I would suggest checking the release notes. The creation of the migration assistant will be included in that documentation. Let me know if you have any additional questions about this.

So if the migration assistant is not in the release notes, don't try to migrate. My day is starting off.

Just_Jack
Contributor

We've looked into this too.  We're using NoMAD for our AD LDAP services.  From everything I've read, we would need to move over to Jamf Connect to use Azure which NoMAD doesn't do.  If anyone can chime in on if moving to Jamf Connect to use Azure AD is the key?

bwoods
Valued Contributor

@Just_Jack  What exactly are you trying to accomplish? Are you trying to configure Azure for LDAP services in your Jamf Pro server or are you trying to configure Jamf Connect for Identity management and local password syncing?


Yes, for both Identity management and local password syncing.

bwoods
Valued Contributor

Then yes, you need to move to Jamf Connect to use a cloud IdP, but I would also suggest testing your corporate Wi-Fi if you use 802.1X EAP-TLS.

amonteith
New Contributor II

Thanks to @chris_hansen and @Just_Jack for replying.  It's good to know we're not alone but still doesn't explain why the warning disappears from their documentation in v10.30 onwards if it's still an issue.

I've opened a support call on the off chance that there's an answer to this but I'm not going to hold my breath.


amonteith
New Contributor II

Thanks for pointing that out, I hadn't spotted it (obviously).  I suppose we'll just need to make do with on-prem AD for the time being.

cslemp
New Contributor III

No problem.  I also thought they had removed it originally.  Took a bit of scanning to notice it.

We're in the same boat and getting off our on-prem AD config is getting a bit urgent.  I'd be interested to hear if anyone else has tried to migrate without the migration assistant and what exactly broke and how it was fixed.

rpayne
Contributor II

We have migrated and the only real issue (that we haven't been able to fix) is that the users assigned to machines were all done when LDAP was our auth point. We have not found an easy way to migrate those to Azure AD accounts.

chris_hansen
Contributor

Update to doing this. (Or maybe I am the only one that did not see this.)
https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Azure_AD_Integration.html

And more specifically the https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Azure_AD_Integration.html#task-385... which has a migration assistant.

Unfortunately my AD proxy has stopped proxying, so I don't think the assistant can assist until I fix it.

But if you have one going, you should be able to jump to the other without rebuilding everything.

chris_hansen
Contributor

There is a migration path for those who have not seen it.

We just moved from a JIM with AD Proxy to Entra ID.

We also use DUO as our MFA, so the SSO was also required

https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Azure_AD_Integration.html#task-385... to enable Entra ID. Bring your Azure Global Admin along and screen share, so they can log in to Azure when you are redirected.

Second we enabled SSO, and for us the key was to match based on email address rather than username. https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Single_Sign-On.html
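Two points in this thread come down to the same identity-matching problem: rpayne's leftover computer-to-user assignments that were written against on-prem LDAP usernames, and chris_hansen's note that SSO only lined up once matching was done on email address rather than username. The script below is an added example, not code from the thread or from Jamf. It assumes three constructed CSV exports (an on-prem AD export with sAMAccountName and mail, an Entra ID export with userPrincipalName, and a Jamf inventory export with a "Username" column from User and Location, the last being an assumption about the export layout) and shows why a direct username match finds nothing while a username -> AD mail -> Entra UPN bridge produces a remapping plan and a list of records that need manual attention before the cutover.

```python
import csv
import io

# Constructed sample exports (not from the thread). Column names follow the
# real directory attributes (AD sAMAccountName and mail, Entra userPrincipalName);
# the Jamf "Username" column is an assumption about the inventory export format.
AD_USERS_CSV = """sAMAccountName,mail
jdoe,Jane.Doe@example.com
bsmith,
tlee,tom.lee@example.com
"""

ENTRA_USERS_CSV = """userPrincipalName,mail
jane.doe@example.com,jane.doe@example.com
tom.lee@example.com,tom.lee@example.com
ops.admin@example.com,ops.admin@example.com
"""

JAMF_COMPUTERS_CSV = """Computer Name,Username
MAC-001,jdoe
MAC-002,bsmith
MAC-003,TLee
MAC-004,jdoe
MAC-005,
MAC-006,ghost
"""


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def norm(value):
    """Directory names and addresses are case-insensitive; compare them that way."""
    return (value or "").strip().lower()


def match_by_username(computers, entra_users):
    """Naive approach: treat the Jamf username as if it were an Entra UPN.

    Returns {computer: upn} for the computers that matched.
    """
    upns = {norm(u["userPrincipalName"]) for u in entra_users}
    return {
        c["Computer Name"]: norm(c["Username"])
        for c in computers
        if norm(c["Username"]) in upns
    }


def match_by_email(computers, ad_users, entra_users):
    """Bridge sAMAccountName -> AD mail -> Entra UPN.

    Returns (mapped, unmatched): mapped is {computer: upn}; unmatched is
    {computer: reason} for records that need manual attention before cutover.
    """
    ad_mail = {norm(u["sAMAccountName"]): norm(u["mail"]) for u in ad_users}
    entra_upns = {norm(u["userPrincipalName"]) for u in entra_users}
    mapped, unmatched = {}, {}
    for c in computers:
        name, user = c["Computer Name"], norm(c["Username"])
        if not user:
            unmatched[name] = "no user assigned"
            continue
        if user not in ad_mail:
            unmatched[name] = f"{user}: not found in AD export"
            continue
        mail = ad_mail[user]
        if not mail:
            unmatched[name] = f"{user}: AD account has no mail attribute"
            continue
        if mail not in entra_upns:
            unmatched[name] = f"{user}: {mail} has no Entra account"
            continue
        mapped[name] = mail
    return mapped, unmatched


if __name__ == "__main__":
    ad, entra, comps = load(AD_USERS_CSV), load(ENTRA_USERS_CSV), load(JAMF_COMPUTERS_CSV)
    print("matched on username:", match_by_username(comps, entra))
    mapped, unmatched = match_by_email(comps, ad, entra)
    print("matched on email:", mapped)
    for name, reason in unmatched.items():
        print("needs attention:", name, reason)
```

The unmatched list is the part worth running before touching the Jamf Pro server: an AD account with no mail attribute, or a mail address that does not exist as an Entra UPN, will silently lose its computer assignment after the switch, and the "Username" on a computer record may also differ in case from the directory entry, which is why everything is compared case-insensitively.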