
Deploying Jamf Connect

Overview

Jamf Connect allows for simple provisioning of local user accounts from a cloud identity service during an Apple provisioning workflow. This includes multi-factor authentication (MFA).

You can deploy Jamf Connect Sync (formerly NoMAD Pro), Jamf Connect Login (formerly NoMAD Login+), and Jamf Connect Verify to target computers in your environment using your preferred MDM solution.

Requirements

To deploy Jamf Connect, you will need the following components:

  • An MDM solution, such as Jamf Pro
  • Jamf Connect license key configuration profile (provided by your account manager)
  • PLIST files and editor (examples provided by your account manager, in the product DMG, and the documentation)
  • Target computers with macOS 10.12 or later

In addition, you will need to download the Jamf Connect DMG. The DMG includes the PKG files for Jamf Connect Sync, Jamf Connect Login, and Jamf Connect Verify.

Jamf Connect DMG
SHA 256 Checksum: ba5292b65a42f7d8f6634e0fe1af026295c58008611f59166142c0f45222930c

Procedure

  1. Update your cloud identity provider domain in the provided PLIST files:
     a. Open the PropertyListEditor from the provided compressed archive file.
     b. Right-click on one of the two PLIST files and "Open With" the PropertyListEditor.
     c. Update "yourdomain" in the Value column to the cloud identity provider domain of your organization.
     d. (Optional) Add additional preference keys to further customize the experience for your users. For more information, see the administrator's guide for your Jamf Connect product.
     e. Repeat for the other PLIST file.
  2. Create a new configuration profile in your MDM solution using the "Custom Settings" option. Upload the PLIST files from step 1 and scope the profile to targeted computers.
  3. Upload the provided license key configuration profile to your MDM solution.
  4. Scope the uploaded profile from step 3 to the same computers targeted in step 2.
  5. Upload the PKG files for Jamf Connect to your preferred MDM solution.
  6. Create a policy to deploy packages from step 5 and scope the policy to targeted computers.
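
A pre-upload check for the procedure above, added here as an example and not Jamf's own code: it verifies the downloaded DMG against the SHA-256 published on this page and lists any PLIST value that still contains the "yourdomain" placeholder from step 1. The sample PLIST and the key name ExampleAuthServer are constructed for illustration.

```python
import hashlib
import plistlib

# SHA-256 published on this page for the Jamf Connect DMG.
PUBLISHED_SHA256 = "ba5292b65a42f7d8f6634e0fe1af026295c58008611f59166142c0f45222930c"
PLACEHOLDER = "yourdomain"  # the value step 1c says to replace


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large DMG is never held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def dmg_matches(path, expected=PUBLISHED_SHA256):
    """True only if the file's SHA-256 equals the expected hex digest."""
    return sha256_of(path) == expected.strip().lower()


def leftover_placeholders(plist_bytes, placeholder=PLACEHOLDER):
    """Return the key paths whose string value still contains the placeholder."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str) and placeholder in node.lower():
            hits.append(path)

    walk(plistlib.loads(plist_bytes), "")  # accepts XML and binary PLISTs
    return sorted(hits)


# Constructed sample PLIST, not taken from the product DMG. ExampleAuthServer is
# a hypothetical key; OIDCProvider is a key named in the comments on this page.
SAMPLE_PLIST = plistlib.dumps({
    "OIDCProvider": "Azure",
    "ExampleAuthServer": "yourdomain.example.com",
})

if __name__ == "__main__":
    print(leftover_placeholders(SAMPLE_PLIST))  # ['/ExampleAuthServer']
```

Run dmg_matches() on the downloaded DMG and leftover_placeholders() on each edited PLIST before uploading anything to the MDM; a False result or a non-empty list means the upload should not proceed.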

Additional Information

For more information on deploying Jamf Connect and adding preference keys to customize the experience, see the Jamf Connect administrator's guides:

SOLVED Posted: by ergo-au

Sorry, is it just me or is the NomadPro dmg dead?

SOLVED Posted: by pmeuser

Since the documentation is still somewhat limited at this stage:

I only receive "Unable to load Identity Provider" when trying to auth to Azure AD. Signed plist profile is deployed.

Any ideas where troubleshooting should start? Logs seem not to be very helpful, either:

Timestamp Thread Type Activity PID TTL
2019-02-04 15:32:49.780247+0100 0x295e Default 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Resetting OIDC settings.
2019-02-04 15:32:49.780296+0100 0x295e Debug 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Getting Settings for OIDC Provider
2019-02-04 15:32:49.780573+0100 0x295e Debug 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Done getting Settings for Open Identity Connect Provider
2019-02-04 15:32:49.780623+0100 0x295e Default 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Loading auth window for OIDC
2019-02-04 15:32:49.780682+0100 0x295e Default 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Loading OIDC SAML window

SOLVED Posted: by sfarazi

@pmeuser same issue for me "Unable to load Identity Provider" when trying to auth to Azure AD.

SOLVED Posted: by rastogisagar123

@pmeuser is the issue resolved for you?

SOLVED Posted: by daniel_ross

@ergo-au I had to log off and back on to make that work for me.

SOLVED Posted: by Javier.R

@ergo-au I had this issue but it was related to Sophos Application control messing with the DMG. If I temporarily disable application control the download works fine. I'm thinking a support case with Sophos will be needed.

SOLVED Posted: by zbren

I had the same issue and temporarily disabled Sophos on my computer, logged out of JAMF Nation and back in, then was able to download the Jamf Connect Sync (NoMAD) and successfully open it.

SOLVED Posted: by dvaldez

@pmeuser did you add JAMF connect in your Azure AD portal?

SOLVED Posted: by rastogisagar123

@dvaldez what do you mean by add Jamf Connect in Azure AD? I am having the same issue.

SOLVED Posted: by dvaldez

Have you logged into portal.azure.com and clicked on AD and selected App registrations? If not, you will need to do that step:

- Select New Application Registrations
- name: JAMF Connect Login
- application type: native
- sign on url: https://127.0.0.1/jamfconnect

SOLVED Posted: by phredman

My deployment is grabbing my Azure app, but once the interface loads, and I start entering creds - the device reboots, and continues to cycle. Anyone seen that?

SOLVED Posted: by jarvizu_u

@phredman I just went through a similar issue but with the Okta interface. I had to set the DontShowWelcome key to false and (if using the Okta authchange interface) set the OIDCProvider key to be blank.

SOLVED Posted: by phredman


@jarvizu_u interesting. This is what I've got.

Are you suggesting I leave the OIDCProvider blank on this when connecting to the Azure App Registration? We're currently not utilizing Okta at all, although, I'd eventually like to.

Or, are you suggesting I add the DontShowWelcome value?

SOLVED Posted: by ergo-au

For anyone who has been belting their head on a wall with this after DL the 1.0.0 packages sometime in late Jan, well, the lovely people over at Jamf support have informed me that the package was actually "updated" as the 1st one didn't work. These packages are, wait for it, 1.0.0 as well.
Spun up a new VM, installed verify & login. Drop in your Azure App ID and boom - works
Beer time

SOLVED Posted: by scg

@phredman - Did you get this config to work?

I am having problems with OICDNewPassword = False.

My understanding here is that the AzureAD password needs to be entered again when prompted to verify. It is unable to verify though, keeps saying incorrect password.

Any chance you ran into this, or have any suggestions?

Cheers!

EDIT - It works with our *.onmicrosoft.com accounts... but not with any synchronised accounts... strange!!

SOLVED Posted: by shaquir

Hi @scg Do you mind further elaborating on how you resolved the "incorrect password" issue? In the words of @ergo-au, I've been "belting my head" for the past 3 days trying to get this set up. I haven't heard back from Jamf support.
Any help would be greatly appreciated.
Thanks

SOLVED Posted: by scg

Hi @shaquir

So it looks like your IDP needs to support Resource Owner Credential Grants - which ADFS 2012 R2 and below do not - that's if you are using federated identities with AzureAD.

If you are using AzureAD and sync your password hashes, you should be OK, or use ADFS 2016.

A bit annoying...

SOLVED Posted: by neil.azzaro

Is it just me or is a link to the "Jamf Connect Sync Native Messaging Handler" for Chrome missing from this article?

For reference, taken from https://docs.jamf.com/jamf-connect/1.0.0/sync/administrator-guide/Browser_Extensions.html:

You must also download the Jamf Connect Sync Native Messaging Handler. This package installs a Google Chrome Native Messaging Handler that works with the Jamf Connect Sync Chrome Extension to open Jamf Connect Sync and the Sign In window.
SOLVED Posted: by shaquir

Thanks @scg. We do utilize AzureAD to sync password. Spent some time working with two Jamf techs and no result as of yet. The JCL in 10.13 loops back to the start; this is apparently a known issue. Within 10.14, JCL continuously gives a wrong password prompt. These results are consistent when OICDNewPassword = False or True. This seems like a beta level program. I'm not too confident with rolling this out to our environment as is.

SOLVED Posted: by jarvizu_u

@phredman I was suggesting you add in the DontShowWelcome key

My setup is different since I'm using Okta. I believe that's the only case where you need the blank OIDCProvider key.

SOLVED Posted: by junderwood

What does "Open the PropertyListEditor from the provided compressed archive file" mean? I don't see anything named "PropertyListEditor" in the downloaded DMG.

I assume I can just edit this in a text editor... but what are they referring to here?
