Modernize your directory-based workflows with Jamf and Entra ID.

Explore the security and management benefits of integrating your cloud-based identity with your MDM solution. If you want to migrate from traditional LDAP integrations and introduce Entra ID, join us as we explore this brave new world.

May 21 2024 by

Neil Martin

Microsoft + Jamf partnership secures and manages your Apple fleet

Connecting Jamf Pro to traditional directory services based on LDAP has been a cornerstone of device management workflows for many years. Integrating both services offers:

  • User on-device authentication during enrollment, with devices automatically associated with those users in inventory.
  • Attributes like full name, email address and department automatically populated within inventory records.
  • Granular deployment of apps, policies and configuration profiles scoped to specific users or groups.

As enterprises and users increasingly adopt mobile devices for work, cloud identity providers step into the fold to address the challenges of maintaining security postures across distributed workforces.

Active Directory and Azure vs Entra ID: what’s the difference?

Where Active Directory (AD) and Azure AD Domain Services (Azure AD DS) communicate using the traditional LDAP protocol, Jamf instead reads data from your Entra ID tenant using the Microsoft Graph API. Some key advantages include:

  • Enhanced security: hosting/maintaining an on-premises LDAP service is not required. Neither is allowing access to it over the internet.
  • Simplified infrastructure: complex LDAP proxy solutions, such as the Jamf Infrastructure Manager (JIM), are unnecessary.
  • A lower total cost of ownership: avoid the extra licensing costs associated with Azure AD DS, which was previously the only way to integrate Jamf with Entra ID as a directory service.
  • Quick and easy setup: efficiently set up integration from anywhere with its easy-to-use, wizard-driven GUI.
  • Secure by design: using the Jamf Cloud Connector web application to interface with Entra ID ensures usage of your tenant data is limited only to the allowed client/application.

Integration pitfalls to watch out for

A fresh setup and integration is fully documented and should not leave much to consider. However, the user name attribute mapping can be crucial.

By default, the Entra ID cloud identity provider maps the user name in Jamf Pro to the user's userPrincipalName (UPN) attribute in Entra ID. This attribute looks like an email address, whereas a user name should only contain what we see before the @ symbol (the UPN prefix).

For mobile devices, this shouldn't cause issues. On computers, it interferes with some deployments that target individual users or groups, specifically policies that use the login or check-in triggers. When these triggers run, Jamf Pro compares the logged-in user on the Mac with the Entra ID user name. If the Entra ID user name is the full UPN (with the @ domain suffix) and the logged-in user name is "username," we have a mismatch ("username" by itself does not exist in Entra ID and group membership lookups fail), so the policy does not run.

To account for this, when setting up the cloud identity integration, change the user name attribute mapping from userPrincipalName to mailNickname, which in most environments is the UPN prefix.

Pro tip: Microsoft has a great writeup where administrators can learn more about userPrincipalName and mailNickname attribute calculations.

If you have a hybrid environment with on-premises Active Directory in the mix, it is important that the user name in the integration maps with the on-prem AD user name, especially if you have other services that rely on AD user names specifically (e.g. printing to LPD queues).

In Active Directory, this is the attribute sAMAccountName (the pre-Windows 2000 logon name). In some environments, it differs from the UPN prefix or mailNickname attribute. In these cases, change the user name attribute mapping to onpremisessamaccountname: this attribute is present in any Entra ID user record that syncs from on-prem AD and always matches the user's AD user name.
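To see which mapping attribute will survive the login/check-in comparison described above, here is an added example (not Jamf's code, and not part of the original post) that simulates that comparison against constructed Entra ID user records. The attribute names use the Microsoft Graph API casing; the user records, local login names and the check logic are assumptions for illustration.

```python
"""Pick the Entra ID attribute that matches every local macOS login name.

Jamf Pro compares the Mac's logged-in user name with the Entra ID user name it
mapped at integration time. This helper tries the three candidate mapping
attributes and reports which local accounts would still mismatch under each.
"""

# Candidate mapping attributes, in the order an admin is likely to try them.
CANDIDATES = ("userPrincipalName", "mailNickname", "onPremisesSamAccountName")

# Constructed sample data: local login name -> Entra ID user record (assumed values).
HYBRID_USERS = {
    "jsmith": {"userPrincipalName": "jsmith@example.com",
               "mailNickname": "jsmith", "onPremisesSamAccountName": "jsmith"},
    # mailNickname follows the UPN prefix, but the AD logon name differs.
    "mjones": {"userPrincipalName": "mary.jones@example.com",
               "mailNickname": "mary.jones", "onPremisesSamAccountName": "mjones"},
    # Cloud-only account: no on-premises sAMAccountName was synced.
    "alee": {"userPrincipalName": "alee@example.com",
             "mailNickname": "alee", "onPremisesSamAccountName": None},
}
CLOUD_ONLY_USERS = {name: HYBRID_USERS[name] for name in ("jsmith", "alee")}


def matching_attributes(local_name, record):
    """Attributes whose value equals the local login name (case-insensitive, like macOS)."""
    return {attr for attr in CANDIDATES
            if (record.get(attr) or "").lower() == local_name.lower()}


def recommend_mapping(local_to_record):
    """Return (first attribute matching every user or None, {local name: matching attrs})."""
    per_user = {name: matching_attributes(name, rec) for name, rec in local_to_record.items()}
    for attr in CANDIDATES:
        if all(attr in attrs for attrs in per_user.values()):
            return attr, per_user
    return None, per_user


def mismatches(per_user, attr):
    """Local accounts whose login/check-in policies would not run under this mapping."""
    return sorted(name for name, attrs in per_user.items() if attr not in attrs)


if __name__ == "__main__":
    for label, users in (("hybrid", HYBRID_USERS), ("cloud-only", CLOUD_ONLY_USERS)):
        attr, per_user = recommend_mapping(users)
        print(f"{label}: recommended mapping = {attr}")
        for candidate in CANDIDATES:
            print(f"  {candidate}: mismatches {mismatches(per_user, candidate)}")
```

In the hybrid sample no single attribute fits every account, which is the conflict the post warns about; such accounts need their mailNickname or on-prem logon name aligned before the integration can scope policies to them reliably.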

Migration stations

For instances with existing LDAP integrations in place, Jamf’s Learning Hub features technical documentation to guide administrators after integrating Entra ID as a cloud identity provider with Jamf Pro.

As you test attribute mappings, you may find that the User Name attribute has a conflict. Remember to try mailNickname or onpremisessamaccountname instead, depending on your environment, as these are a likely match for the user name attribute used in the previous LDAP integration.

SSO, let's go!

With the cloud identity provider integration complete, connecting Jamf Pro to Entra ID for Single Sign On is like adding cheese to your macaroni: a match made in heaven! SSO levels up user authentication during device enrollment and when signing into Self Service. With modern authentication flows, you can take advantage of technologies like Multi-Factor Authentication (MFA) and Conditional Access.

When setting up SSO, it's important that user names match with the cloud identity provider integration. If you've changed attribute mappings to those above, consider the following steps:

  1. In the Entra ID Jamf Pro Enterprise Application, add a new claim for the attribute that the cloud identity provider integration maps to the user name (user.mailNickname or user.onpremisessamaccountname).
  2. In Jamf Pro, under Settings > System > Single sign-on, set Identity Provider User Mapping to Custom Attribute and enter the attribute used above.
  3. Set Jamf Pro User Mapping to Username.
  4. Under Settings > System > Cloud identity providers, edit your Cloud Identity Provider configuration and ensure the user mapping from the SAML assertion is changed to the same attribute used in the previous steps.

What next?

Now that your integration is complete, it's time to take advantage of all the powerful functionality Jamf Pro has to offer:

Get more out of Microsoft on Apple with Jamf.