Jamf Connect - Okta WebAuthn

Trifle4845
New Contributor

Hey all!

We're working on deploying Jamf Connect for our org. In parallel, our security team is working on moving all our MFA for our Okta environment over to WebAuthn with the option of either biometrics or a Yubikey to fulfill it. Does anyone know if Jamf Connect can support WebAuthn methods (or as a bonus, a future state of passwordless with WebAuthn as the only authentication factor)? I've not found any documentation on it, so I'm not hopeful, but wondering if anyone has any experience with this.

Thanks,

Colton

4 REPLIES

chrisejbich
New Contributor

Were you ever able to find a solve for this?

Got a reply back from our account rep that the Jamf Connect engineering team "recognizes this as a currently desired feature but doesn't have it roadmapped for development at this time." We're going to end up testing a per-app policy for Jamf Connect in Okta that would exclude it from WebAuthn requirements, but the Jamf Connect documentation currently discourages per-app policies.

TheTemplar1307
New Contributor

This is definitely something we would want to implement too, and I find it really surprising, and a bit weird, that WebAuthn doesn't work with Jamf Connect and that it isn't on their roadmap to implement. More and more companies will want to implement phishing-resistant MFA policies, and so this should be something high up on their roadmap.

mi-buko
New Contributor

I'm surprised this question isn't being asked more, but I'm guessing it's going to start picking up traction as companies start to adhere to stricter authentication policies. In trying to get this working, we've seen our Okta logs calling out the culprit as the embedded browser JC is using during authentication. It seems to be too old to even know what FIDO2 or WebAuthn is. The only current second factor available with this embedded browser is a phone call. Even the latest version of JC (2.35.0) hasn't made any progress on this:

 

"Note: Jamf Connect does not currently support hardware-based security keys at the macOS Login Window. Examples of these keys include Personal Identity Verification (PIV), Common Access Card (CAC), and security keys (e.g. Yubikey) in FIDO2, U2F, or smart card mode."


I don't know if it'll get much attention and I'm not holding my breath, but I've put in a feature request to get this looked at. This has to be putting some serious restrictions on the adoption of Jamf Connect across at least a few enterprise customers. Or maybe it's just me?

Mi-Buko