Platform Authentication Across Jamf: A Year of Progress

When we introduced blueprints to Jamf Pro and Jamf School, we introduced more than a feature. It's Jamf's approach to delivering declarative device management (DDM) capabilities — and how we'll continue to ship new ones as Apple's framework evolves.

April 14 2026 by

Mike VanDelinder

.lazy {display:none !important;}

Declarative device management is here.

Apple is changing their platform — DDM is replacing MDM, with legacy capabilities being deprecated along the way. Staying current with new Apple releases means adopting declarative device management, and our approach to delivering those capabilities is through platform services like blueprints.

Platform authentication is what fills that gap.

Why platform authentication is the future

Platform authentication is now shared across all of Jamf's applications and services, and it makes administrator access management more secure in the process. Jamf ID is an improvement over local application credentials. Connecting your own identity provider is better, and routing that connection through the platform rather than configuring it separately in each product means it applies everywhere from the start.

The past year was about closing the distance between that model and where most customers actually were.

Jamf has been building capabilities that live outside the boundary of any single product — Blueprints, compliance benchmarks, the Platform API now in public beta. Delivering those consistently across Jamf Pro, Jamf School, Jamf Security Cloud, Jamf Protect, and the rest of the portfolio required a single connection between a customer's identity infrastructure and Jamf's, rather than a separate integration for each product.

How platform authentication works

Platform authentication is an OIDC-based integration between your organization and Jamf's platform services, configured once in Jamf Account and applied across everything. Jamf Account is where you have always managed your organization's Jamf relationship — from spinning up a Jamf Pro tenant to accessing support and downloads. It is accessible to every customer regardless of which Jamf products they use, and it sits outside any single product as neutral ground for configuration that applies across the portfolio.

Multiple options, One security path

Two authentication options are available for Jamf's applications and services. Every customer has a Jamf ID, created the first time you sign into Jamf Account. It does not depend on an external identity provider, which means any organization can use it regardless of how they manage identity elsewhere.

For customers with Okta, Microsoft Entra or Google Workspace, keep using it. Connecting your identity provider to Jamf's platform means your administrators sign into Jamf the same way they sign into everything else. Your MFA policies apply. Your session controls apply. When someone leaves and you disable their account in your IdP, their federated access to Jamf products is revoked immediately.

One thing worth knowing: Jamf ID is a user-managed credential, not an organizational one. Disabling someone in your IdP cuts off their federated access, but their Jamf ID remains usable unless you explicitly turn it off. In Jamf Pro SSO settings, you can require federated authentication only, which removes that fallback path. Some offboarding cleanup is still a best practice either way.

Connecting via an identity provider also gives you group membership claims. An administrator's group memberships travel in the identity token when they authenticate, and Jamf Pro maps those to roles and privileges. You manage who has access to what in Jamf Pro by managing group membership in your IdP — the same place you manage it for everything else.

The new model is authentication configured once in Jamf Account and shared across every product, whether that means signing in with Jamf ID or federating back to your identity provider where you have one.

Some customers were starting from scratch. Others had built mature integrations and needed the new model to accommodate what they already had.

We built for both.

Here is what we shipped:

**Jamf Account IdP Configuration Improvements** *Jamf Account, June 2025* Google Workspace is now natively supported as an identity provider connection, alongside Okta and Entra ID. Organizations using Google Workspace no longer need to configure a Generic OIDC connection. Administrators can also configure a StateRAMP IdP region for their SSO connection. For Generic OIDC and Okta connections, custom claim mappings are now configurable directly in Jamf Account without access to Auth0. **Option to Disable Jamf ID Login When SSO Is Enabled** *Jamf Pro 11.18.0, June 2025* When OIDC-based SSO through Jamf Account is configured, administrators can uncheck an option in Jamf Pro SSO settings to prevent Jamf ID from being used to sign in. When disabled, only federated authentication through the configured identity provider is accepted. **External Roles and Privileges** *Jamf Account, July 2025* Jamf Account has its own access control model with five pre-configured system roles, custom roles with granular privilege sets, and a default where every new Jamf Account user starts with no privileges until explicitly assigned. **Login History and Authentication Error Debugging** *Jamf Account, Platform, July 2025* The Login History tab gives administrators visibility into authentication events and direct access to the identity token returned by their identity provider. When authentication fails, the error page returns a UUID that support can use to trace the event immediately. **Direct IdP Login URL** *Jamf Pro 11.19.0, July 2025* A URL that routes directly to your identity provider is now shown in Jamf Pro SSO settings. This can be shared with administrators or used in bookmarks and portals to bypass the Jamf Pro login page entirely and land users at their IdP. **Username Claim Support for OIDC SSO** *Jamf Pro 11.20.0, September 2025* Jamf Pro now supports the username claim as a mapping option for OIDC-based SSO through Jamf Account, as an alternative to email-based user mapping. This supports organizations whose administrators are identified by User Principal Name or another attribute rather than email. **Platform Authentication as the Default for New Jamf Pro Instances** *Jamf Pro 11.24.0, January 2026* Every new cloud-hosted Jamf Pro instance defaults to OIDC-based authentication on first access. New organizations start with the right foundation without any additional configuration required. **Federated User Account Type in Jamf Pro** *Jamf Pro 11.24.0, January 2026* A Federated user account type is now available in Jamf Pro for use with OIDC-based SSO through Jamf Account. Federated accounts have no password and cannot be used for local login, Self Service, or enrollments. **Domain Sharing Across Organizations** *Jamf Account, February 2026* School districts, government agencies, and enterprises with subsidiaries that share a corporate email domain across separate Jamf organizations can manage domain ownership with a sharing key, with per-recipient revocation. **Multiple Identity Provider Support for a Single Domain** *Jamf Account, February 2026* Large enterprises where subsidiaries share a domain but each runs its own identity provider can configure a connection chooser at login. Users choose their identity provider when they authenticate. **Single Logout and Back-Channel Logout** *Platform, February 2026* When an administrator logs out of any Jamf product, the session ends everywhere. Your identity provider can also terminate all active Jamf sessions programmatically for immediate response to security events. **Session Duration and Idle Timeout Controls** *Jamf Account, February 2026* Configurable per identity provider. Set how long an authenticated session lasts before requiring re-authentication and how long an inactive session persists before auto-logout. **Jamf Insights Platform Authentication Support** *Jamf Insights, February 2026* Jamf Insights supports both Jamf ID and federated identity provider authentication. **Login and Session Improvements for OIDC SSO in Jamf Pro** *Jamf Pro 11.25.0, March 2026* The Jamf Pro login page retains the last-used identity provider, so users are not prompted to re-enter their email address on each visit. When multiple identity providers are configured, the login page presents a chooser so users can select the right one. **Okta Express Configuration** *Jamf Account, March 2026* Okta admins can configure the Jamf platform integration from within the Okta admin console using a guided express setup, without exchanging endpoints or configuring the integration from scratch in Jamf Account. → [Okta Express Configuration documentation](https://learn.jamf.com/r/en-US/jamf-account-documentation/Okta_Express_Configuration_for_SSO_with_Jamf_Account)

Other notable enhancements

The setup path for new customers has also improved. Enabling Jamf ID authentication from your Jamf Pro dashboard now walks you through the steps without any prior knowledge of the underlying authentication protocols. For customers connecting a federated identity provider, that configuration lives in Jamf Account where you connect your provider, choose which products and instances it applies to, and configure whether Jamf ID, your federated provider, or both are permitted.

Access management is evolving alongside authentication. Today, the connection between an administrator's IdP group memberships and their role inside Jamf Pro is configured at the application layer — Jamf Pro maps claims to roles, and each product manages that configuration on its own. Jamf is moving toward centralized management of those roles and access policies at the platform level, so an administrator's access across all of Jamf's applications and services reflects a single source of truth. That work is underway.

Blueprints, compliance benchmarks, AI Assistant — every capability Jamf has shipped to its platform services in the last year runs on this authentication layer. The Platform API, now in public beta, goes further: a unified set of endpoints providing device data and management capabilities across your entire Jamf environment through a single credential.

If you have been waiting for the right time to make this transition, the gaps from a year ago are largely resolved. If you are already configured, the path forward is to use what is now available.

Platform authentication is the layer that makes everything else accessible.

Reach out to Jamf today to learn more about how to get started.