Strengthen mobile authentication with Google Identity Provider + Jamf

Google’s identity provider solution provides a new, effective and simplified alternative to authenticating users on mobile devices while eliminating the complexity of federation. The workflow is not only efficient but natively integrates with Jamf Trust to simplify the deployment process for administrators while increasing security for end-users.

July 5 2023 by Michael Managhan

Same as it ever was

Traditionally, users logged in to Jamf Trust via Okta or Microsoft. If you had a different provider, then you federated through Azure or simply went without. However, ignoring an expanding presence in the once-settled identity provider (IdP) market has grown more difficult.

Over the past few years, admins and users took notice of the steady march of Google Workspace. Bit by bit, Google fought to be recognized as a serious competitor in the business collaboration tools market. With strong products such as Gmail, Google Docs and Google Cloud in its portfolio, Gartner estimates that Google Workspace is growing 1-2% in competitive displacement opportunities. While Microsoft continues to boast impressive revenue increases, attributed in part to the increased adoption of Azure, Google’s market capture has been something to take notice of. Signs are pointing to a growing segment of the market looking to cut out Azure and stop federating their IdP.

Enter Jamf

Unsurprisingly, Jamf began hearing from existing and potential customers, requesting direct support of Google Identity within the Jamf Security Cloud.

In response, our product and engineering teams got to work and as a result, we are excited to release native integration with Google Identity Provider. Our goal is to streamline the experience for both users and admins alike.

For example, Google customers will now have a dedicated “Sign in with Google” button. This takes the end user through the established, familiar sign-in flow used across Google products. Thanks to the refined workflow, Google-first companies no longer have to convince an end user to authenticate through an additional IdP that exists only as an extra step and produces an awkward gap in their experience.

On the administrator’s side, taking advantage of this native integration reduces configuration time. With the previous federated workflow, admins were forced to verify domain ownership by first adding a TXT record for their domain, and then to develop and maintain complex PowerShell configurations (which are prone to breaking), alongside handling other pain points that may lead to frequent trips to the Jamf support page.

Google Identity Provider is here for Jamf Trust

The native integration between Google and Jamf effectively eliminates complex and needless steps, favoring an efficient workflow instead. In fact, in just the eight easy steps below, admins can be up and running with Google Identity Provider and Jamf solutions. This includes a new activation profile allowing users to log in to Jamf Trust with their Google credentials.

Let’s take a quick look at the requirements before diving into the setup process.

Requirements

We assume that the administrator has access to Jamf Security Cloud, has Google Workspace admin rights, and is deploying Jamf Trust. This workflow allows end users to authenticate using their Google credentials.

It is available for:

  • iOS Jamf Trust 11.12.0
  • macOS Jamf Trust 2.10
  • Android Jamf Trust 11.24.0 or later.

Note: It is still possible to federate Google credentials through Microsoft Azure AD.

Steps to configure Jamf Trust and Google Identity Provider

1. Sign in to RADAR and navigate to Integrations > Identity Providers.

This is the area where all IdP connections start. You should be familiar with this area if you have deployed Jamf Trust in the past. The good news is there is no need to remove or tinker with any existing IdP configurations. In fact, you can have multiple Google integrations if you so wish. Just make sure to select the right one when you create your activation profile later.

2. Navigate to the Google identity services section and click Add Connection to create a new IdP connection.

The Google identity services section is clearly laid out at the bottom of this page. Once you finish your configuration, the connected Google Workspace will appear here. The picture above assumes this is your first time connecting any IdP to your RADAR instance.

3. Enter a name for the new connection.

As stated above, it is possible to have multiple Google Workspaces connected in this area. Make sure to name your connection something concise and memorable!

4. Click Sign in with Google. The connection is added and you are redirected to the Google sign-in screen.

5. Sign in using a Google Workspace administrator account that has permission to read groups.

To finish this integration you will need to have access to a Google Workspace administrator account. If you don’t have such an account, you can always pause the connection by leaving this page and pick it back up once you have the correct credentials.

6. Review and approve the required permissions.

The advantage of a native integration is that Jamf is able to communicate directly with Google. Jamf automatically asks for all the permissions needed to make a successful deployment. This means no manual file transfer or configuration. Via the power of OAuth, it all just works!

7. Click Continue to complete the authorization process and return to RADAR.

If the process is successful, the new connection appears in the list of Linked organizations with a green checkmark in the Status column and the Google tenant ID that has been authorized for this account.

8. Repeat these steps for any other Google Workspaces you want to use for authentication in this Jamf account.

As stated earlier, if you are a company that leverages multiple Google Workspaces, it is possible to have them all added. Note that you will not be able to add multiple Google Workspaces to the same activation profile. However, it is possible to choose which workspace to use while setting up the activation profile. If you only have one Google Workspace, then congrats, you are now done!

If you are following along and you made it this far, thank you. You now have all the tools you need to enable your users to log in to Jamf Trust with their Google credentials. We hope you are as excited about using Google and Jamf together as we are! Adding Google Workspace support is Jamf's way of showing a commitment to listening to its users. We always strive to maintain the best Apple management experience on the market. Thank you to everyone who submitted feature requests. We look forward to hearing your feedback!