Sean Barnardo and Matt Wilson from Insight took the stage to speak about the best practices they have learned while implementing ADFS and Jamf Connect in the field. Before diving into the real-life scenarios they presented, let’s go back to basics.
What is ADFS?
Active Directory Federation Services (ADFS) is Microsoft's claims-based identity service: it lets users from an on-premises Active Directory sign in to external applications by issuing signed claims about them. ADFS addresses third-party authentication through single sign-on (SSO) and identity federation.
There are three hybrid identity sign-in methods on which Jamf Connect can be used:
- Federated Integration
- Password Hash Synchronization (PHS)
- Pass-through Authentication (PTA)
Federated Integration has the cloud identity provider (IdP), Azure AD, hand authentication off to another system, such as on-premises Active Directory Federation Services (ADFS). If neither Pass-through Authentication nor Password Hash Synchronization is configured in your environment, this is the option left to you.
However, if you are able to, Barnardo and Wilson recommended going for one of the other two options. Password Hash Synchronization gives you authentication directly against Azure AD: it is a feature of Azure AD Connect that synchronizes a hash of each user's on-premises AD password hash to Azure AD, so Azure AD can validate the password itself. Pass-through Authentication also lets Azure AD authenticate the user directly; an on-premises agent validates the password against on-premises AD, so users sign in with the same password on both Azure AD and on-premises AD.
After outlining the basics, the presenters moved on to some real-life scenarios of ADFS and Jamf Connect in the field. In the first scenario, the client was looking for guidance and best practices for enterprise macOS management. Over time they had scaled their Mac fleet from 30 to 200, with users ranging from developers to executives. During this growth they ran into specific challenges that led them to reach out to Insight. The first was a lack of familiarity within the admin and security teams with Password Hash Synchronization. Without that knowledge, they were struggling to decide whether to upgrade their ADFS environment or enable Pass-through Authentication. At this point Insight stepped in to analyze the situation. After an initial assessment of the existing infrastructure, Insight recommended Pass-through Authentication. Once it was configured, Jamf Connect could authenticate directly to Azure AD, which removed the need for the customer to upgrade their ADFS environment.
In the second scenario, an existing Jamf Pro customer wanted to use Jamf Connect to enable their end users. Their fleet had grown steadily from 90 Macs to over 900, and they wanted to provision local user accounts and take advantage of account password synchronization. Their identity environment consisted of Azure AD (AAD), ADFS and on-premises AD, and they were also using Password Hash Synchronization. A few challenges appeared right away, the first being the customer's understanding of Jamf Connect. Jamf Connect can take advantage of Kerberos for apps that support it, but it is not itself an SSO solution. They could not use Kerberos at the time, because their AD and AAD domains differed. Furthermore, macOS 10.14.4 removed Jamf Connect Verify's ability to update keychain items on behalf of the user, which prevented the customer from using Jamf Connect's keychain functionality.
To best help the customer, Insight first had to understand their environment as a whole. Once Insight had confirmed that they were using AAD with PHS, it could configure Jamf Connect Login and Jamf Connect Verify to produce the desired outcome, which allowed the customer to:
- Create local user accounts from AAD credentials
- Keep the FileVault, local user and network user passwords in sync
- Use Jamf Connect Login's notification mechanism to inform the user about the Mac provisioning process
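As an added illustration, not code from the session or from Jamf, here is the shape of a Jamf Connect Login configuration profile for the second scenario: local accounts are created from Azure AD credentials, and the local and FileVault passwords are kept in step with the network password. The keys are from the com.jamf.connect.login preference domain of Jamf Connect Login 1.x as I know them; confirm them against the Administrator's Guide for your version before deploying. The client IDs, tenant name and redirect URI are placeholders. One practical reason PHS and PTA give a smoother experience than federation: Jamf Connect Login verifies the typed password with the OAuth resource owner password grant (ROPG) against Azure AD, and Azure AD can only answer that check itself when it holds a password hash (PHS) or can forward the check to an on-premises agent (PTA); for accounts federated to ADFS the user is redirected away and the ROPG check cannot be completed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Identity provider: Azure AD, where the customer's users live. -->
    <key>OIDCProvider</key>
    <string>Azure</string>

    <!-- Application (client) ID of the Azure AD app registration used for the
         interactive login. Placeholder value: replace with your own registration. -->
    <key>OIDCClientID</key>
    <string>00000000-0000-0000-0000-000000000000</string>

    <!-- Redirect URI registered on that app; must match the registration exactly. -->
    <key>OIDCRedirectURI</key>
    <string>https://127.0.0.1/jamfconnect</string>

    <!-- Tenant used for the password (ROPG) check. Placeholder value. -->
    <key>OIDCTenant</key>
    <string>example.onmicrosoft.com</string>

    <!-- Client ID of a second app registration configured as a public client,
         used for the resource owner password grant that verifies the password.
         This check only succeeds when Azure AD can validate the password itself
         (PHS or PTA). Placeholder value. -->
    <key>OIDCROPGID</key>
    <string>11111111-1111-1111-1111-111111111111</string>

    <!-- Store the verified network password so the local account password
         is kept in step with it. -->
    <key>CreateJamfConnectPassword</key>
    <true/>

    <!-- Enable FileVault for the newly created local user, so the FileVault
         password is the same synchronized password. -->
    <key>EnableFDE</key>
    <true/>
</dict>
</plist>
```

Deploy the profile through Jamf Pro as a custom configuration profile for the com.jamf.connect.login domain. Before rolling it out, test the ROPG registration by signing in once on a test Mac with an account whose password you have just changed in on-premises AD: with PHS the new password is accepted only after Azure AD Connect has synchronized the hash, while with PTA it is accepted as soon as the on-premises agent can reach a domain controller.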
A key step in both of these situations was getting a clear understanding of the client’s current infrastructure, before looking for a solution.
These real-life situations highlighted two key takeaways:
- If you are only using ADFS and the ADFS environment supports it, then you should use Federated Integration
- If Pass-through Authentication or Password Hash Synchronization is available, then one of those options will provide the best management experience