Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. Join us in person at the ninth annual Jamf Nation User Conference (JNUC) this November for three days of learning, laughter and IT love.

Deploying Jamf Connect

Disclaimer: This article is no longer being updated. For information about Jamf Connect deployment and app versioning, see the Jamf Connect Administrator's Guide.

Overview

Jamf Connect is a collection of apps allowing for simple provisioning of local user accounts and password synchronization from a cloud identity provider (IdP) during an Apple provisioning workflow. This includes multi-factor authentication (MFA).

Jamf Connect includes the following apps with their own unique versions, which you can deploy to target computers in your environment using your preferred MDM solution:

  • Jamf Connect Login
  • Jamf Connect Sync
  • Jamf Connect Verify

Requirements

To deploy Jamf Connect, you will need the following components:

  • Jamf Connect DMG. To download the DMG, log in to Jamf Nation and go to https://www.jamf.com/jamf-nation/my/products.
  • A Jamf Connect license key configuration profile (provided by your account manager)
  • PLIST files and a text editor (example PLISTs are provided by your account manager, in the product DMG, and in the documentation)
  • An MDM solution, such as Jamf Pro
  • Target computers with macOS 10.12 or later

Procedure

The following procedure provides general instructions for deploying any Jamf Connect app with an MDM solution. For app-specific workflows, see the Jamf Connect Administrator's Guide.

  1. Update your cloud IdP domain in the provided PLIST files:
     a. Open an example PLIST file from one of the provided locations, or create your own with your preferred text editor.
     b. Specify your Okta authentication domain with the "AuthServer" key, or specify your OpenID Connect (OIDC) provider credentials in the required preference keys. Note: If using OIDC for authorization, you must have your Jamf Connect Client ID for configuration, which can be found in your IdP's administrator console, portal, or similar tool.
     c. (Optional) Add additional preference keys to further customize the experience for your users. For more information, see the administrator's guide for your Jamf Connect product.
  2. Create a new configuration profile in your MDM solution. If using Jamf Pro, use the "Custom Settings" payload. For more information about custom configuration profiles, see the Deploying Custom Configuration Profiles using Jamf Pro Knowledge Base article.
  3. Upload the provided license key configuration profile to your MDM solution.
  4. Scope the uploaded profile from step 3 to the same computers targeted in step 2.
  5. Upload the PKG files for Jamf Connect to your preferred MDM solution.
  6. Create a policy to deploy packages from step 5 and scope the policy to targeted computers.
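As an added example (not code from Jamf or from this article), the following Python script generates the step 1 preference list for either workflow, checks it for the mistakes that come up in the comments below (a URL instead of a bare host in AuthServer, a non-https or non-loopback redirect URI, placeholder values left in), and wraps it in a profile laid out like a Jamf Pro Custom Settings payload so the artefact can be reviewed before upload. The key names AuthServer, OIDCProvider, OIDCNewPassword and DontShowWelcome come from this page; the preference domain com.jamf.connect.login, the keys OIDCClientID and OIDCRedirectURI, and the profile layout are assumptions to verify against the administrator's guide for your version.

```python
"""Build, validate and package Jamf Connect Login preferences for MDM.

Added example, not Jamf's code. AuthServer, OIDCProvider, OIDCNewPassword
and DontShowWelcome are keys named on this page; the preference domain
com.jamf.connect.login and the keys OIDCClientID / OIDCRedirectURI are
assumed, so check them against the admin guide for your version.
"""
import plistlib
import uuid
from urllib.parse import urlparse

PREF_DOMAIN = "com.jamf.connect.login"               # assumed preference domain
DEFAULT_REDIRECT = "https://127.0.0.1/jamfconnect"   # sign-on URL used in this thread
PLACEHOLDERS = ("<", ">", "changeme", "xxxx")


def okta_prefs(auth_server, show_welcome=True):
    """Okta workflow: AuthServer is the bare tenant host and OIDCProvider is
    left blank (the thread's fix when authchanger is set to -Okta)."""
    return {"AuthServer": auth_server, "OIDCProvider": "",
            "DontShowWelcome": not show_welcome}


def oidc_prefs(provider, client_id, redirect_uri=DEFAULT_REDIRECT, new_password=True):
    """OIDC workflow (e.g. an Azure AD app registration): client ID from the
    IdP console, redirect URI equal to the registered sign-on URL."""
    return {"OIDCProvider": provider,
            "OIDCClientID": client_id,        # assumed key name
            "OIDCRedirectURI": redirect_uri,  # assumed key name
            "OIDCNewPassword": new_password,
            "DontShowWelcome": False}


def validate(prefs):
    """Return the list of problems; an empty list means the plist is deployable."""
    problems = []
    auth, provider = prefs.get("AuthServer", ""), prefs.get("OIDCProvider", "")
    if not auth and not provider:
        problems.append("set AuthServer (Okta) or OIDCProvider (OIDC)")
    if auth and any(c in auth for c in ("://", "/", " ")):
        problems.append("AuthServer must be a bare hostname such as tenant.okta.com")
    if provider:
        if not prefs.get("OIDCClientID"):
            problems.append("OIDCClientID is required for an OIDC provider")
        uri = urlparse(prefs.get("OIDCRedirectURI", ""))
        if uri.scheme != "https":
            problems.append("OIDCRedirectURI must use https")
        if uri.hostname not in ("127.0.0.1", "localhost"):
            problems.append("OIDCRedirectURI should stay on the loopback host so "
                            "the authorization code is never sent to a remote site")
    for key, value in prefs.items():
        if isinstance(value, str) and value != value.strip():
            problems.append(f"{key} has leading or trailing whitespace")
        if isinstance(value, str) and any(p in value.lower() for p in PLACEHOLDERS):
            problems.append(f"{key} still contains a placeholder value")
    return problems


def to_plist(prefs):
    """XML plist bytes: the file you upload to a Custom Settings payload."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML)


def to_mobileconfig(prefs, org="Example Org", name="Jamf Connect Login"):
    """Wrap the preferences in a configuration profile laid out like a Jamf
    Pro Custom Settings profile (assumed layout): the preference keys sit
    beside the Payload* keys in a payload whose PayloadType is the domain."""
    payload = dict(prefs, PayloadType=PREF_DOMAIN, PayloadVersion=1,
                   PayloadDisplayName=name, PayloadUUID=str(uuid.uuid4()).upper(),
                   PayloadIdentifier=f"{PREF_DOMAIN}.{uuid.uuid4()}")
    profile = {"PayloadContent": [payload], "PayloadDisplayName": name,
               "PayloadIdentifier": f"{PREF_DOMAIN}.profile",
               "PayloadOrganization": org, "PayloadScope": "System",
               "PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadUUID": str(uuid.uuid4()).upper()}
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def prefs_from_mobileconfig(data):
    """Pull the preference keys back out of a profile, e.g. one exported from
    the MDM, so it can be re-run through validate() before scoping."""
    for payload in plistlib.loads(data)["PayloadContent"]:
        if payload.get("PayloadType") == PREF_DOMAIN:
            return {k: v for k, v in payload.items() if not k.startswith("Payload")}
    raise ValueError(f"no {PREF_DOMAIN} payload in profile")


if __name__ == "__main__":
    for p in (okta_prefs("tenant.okta.com"), oidc_prefs("Azure", "<client id>")):
        print(p, "->", validate(p) or "ok")
    print(to_mobileconfig(oidc_prefs("Azure", str(uuid.uuid4()))).decode())
```

Running the script prints both validation results and a sample profile. In practice you write to_plist(...) out as the .plist for step 1 and upload it to the Custom Settings payload in step 2, or push to_mobileconfig(...) directly if your MDM accepts a ready-made .mobileconfig; either way, re-run validate() on what the MDM actually serves, since a profile that reaches the login window with a bad redirect URI or a placeholder client ID produces exactly the "Unable to load Identity Provider" symptom discussed below.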

Additional Information

For additional information, see the Jamf Connect Administrator's Guide.

SOLVED Posted: by ergo-au

Sorry, is it just me or is the NoMAD Pro DMG dead?

SOLVED Posted: by pmeuser

Since the documentation is still somewhat limited at this stage:

I only receive "Unable to load Identity Provider" when trying to auth to Azure AD. Signed plist profile is deployed.

Any ideas where troubleshooting should start? Logs seem not to be very helpful, either:

Timestamp Thread Type Activity PID TTL
2019-02-04 15:32:49.780247+0100 0x295e Default 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Resetting OIDC settings.
2019-02-04 15:32:49.780296+0100 0x295e Debug 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Getting Settings for OIDC Provider
2019-02-04 15:32:49.780573+0100 0x295e Debug 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Done getting Settings for Open Identity Connect Provider
2019-02-04 15:32:49.780623+0100 0x295e Default 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Loading auth window for OIDC
2019-02-04 15:32:49.780682+0100 0x295e Default 0x6a13 1362 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:UI] Loading OIDC SAML window

SOLVED Posted: by sfarazi

@pmeuser same issue for me "Unable to load Identity Provider" when trying to auth to Azure AD.

SOLVED Posted: by rastogisagar123

@pmeuser is the issue resolved for you?

SOLVED Posted: by daniel_ross

@ergo-au I had to log off and back on to make that work for me.

SOLVED Posted: by Javier.R

@ergo-au I had this issue but it was related to Sophos Application Control messing with the DMG. If I temporarily disable application control, the download works fine. I'm thinking a support case with Sophos will be needed.

SOLVED Posted: by zbren

I had the same issue and temporarily disabled Sophos on my computer, logged out of JAMF Nation and back in, then was able to download the Jamf Connect Sync (NoMAD) and successfully open it.

SOLVED Posted: by dvaldez

@pmeuser did you add JAMF connect in your Azure AD portal?

SOLVED Posted: by rastogisagar123

@dvaldez, what do you mean by add Jamf Connect in Azure AD? I am having the same issue.

SOLVED Posted: by dvaldez

Have you logged into portal.azure.com, clicked on AD and selected App registrations? If not, you will need to do that step.

- Select New Application Registration
  - Name: JAMF Connect Login
  - Application type: Native
  - Sign-on URL: https://127.0.0.1/jamfconnect

SOLVED Posted: by phredman

My deployment is grabbing my Azure app, but once the interface loads, and I start entering creds - the device reboots, and continues to cycle. Anyone seen that?

SOLVED Posted: by jarvizu_u

@phredman I just went through a similar issue but with the Okta interface. I had to set the DontShowWelcome key to false and (if using the okta authchange interface) set the OIDCProvider key to be blank.

SOLVED Posted: by phredman


@jarvizu_u interesting. This is what I've got.

Are you suggesting I leave the OIDCProvider blank on this when connecting to the Azure App Registration? We're currently not utilizing Okta at all, although, I'd eventually like to.

Or, are you suggesting I add the DontShowWelcome value?

SOLVED Posted: by ergo-au

For anyone who has been belting their head on a wall with this after DL the 1.0.0 packages sometime in late January, well, the lovely people over at Jamf support have informed me that the package was actually "updated" as the 1st one didn't work. These packages are, wait for it, 1.0.0 as well.
Spun up a new VM, installed verify & login. Drop in your Azure App ID and boom - works
Beer time

SOLVED Posted: by scg

@phredman - Did you get this config to work?

I am having problems with OIDCNewPassword = False.

My understanding here is that the AzureAD password needs to be entered again when prompted to verify. It is unable to verify though, keeps saying incorrect password.

Any chance you ran into this, or have any suggestions?

Cheers!

EDIT - It works with our *.onmicrosoft.com accounts... but not with any synchronised accounts... strange!!

SOLVED Posted: by shaquir

Hi @scg Do you mind further elaborating on how you resolved the "incorrect password" issue? In the words of @ergo-au, I've been "belting my head" for the past 3 days trying to get this set up. I haven't heard back from Jamf support.
Any help would be greatly appreciated.
Thanks

SOLVED Posted: by scg

Hi @shaquir

So it looks like your IdP needs to support Resource Owner Credential Grants, which ADFS 2012 R2 and below do not; that's if you are using federated identities with AzureAD.

If you are using AzureAD and sync your password hashes, you should be OK, or use ADFS 2016.

A bit annoying...

SOLVED Posted: by neil.azzaro

Is it just me or is a link to the "Jamf Connect Sync Native Messaging Handler" for Chrome missing from this article?

For reference, taken from https://docs.jamf.com/jamf-connect/1.0.0/sync/administrator-guide/Browser_Extensions.html:

You must also download the Jamf Connect Sync Native Messaging Handler. This package installs a Google Chrome Native Messaging Handler that works with the Jamf Connect Sync Chrome Extension to open Jamf Connect Sync and the Sign In window.
SOLVED Posted: by shaquir

Thanks @scg We do utilize AzureAD to sync passwords. Spent some time working with two Jamf techs and no result as of yet. The JCL in 10.13 loops back to the start; this is apparently a known issue. Within 10.14 JCL continuously gives a wrong password prompt. These results are consistent whether OIDCNewPassword = False or True. This seems like a beta level program. I'm not too confident with rolling this out to our environment as is.

SOLVED Posted: by jarvizu_u

@phredman I was suggesting you add in the DontShowWelcome key

My setup is different since I'm using Okta. I believe that's the only case where you need the blank OIDCProvider key.

SOLVED Posted: by junderwood

What does "Open the PropertyListEditor from the provided compressed archive file" mean? I don't see anything named "PropertyListEditor" in the downloaded DMG.

I assume I can just edit this in a text editor... but what are they referring to here?

SOLVED Posted: by phredman

I ended up figuring things out - it was because I didn't go to configuration profiles, and "Skip User Creation." Once unchecked, everything started working as intended.

SOLVED Posted: by adriandupre

Anyone get Okta working yet?
I've got our tenant domain in the config .plist, but just get dumped out to Okta's main login page -- after some muddling around entering our domain, acknowledging a 400 error, then logging in, I get a small browser window with all my Okta app icons, but nothing close to a Mac OS login...

(FWIW, using Jamf Connect login only...)

SOLVED Posted: by frederick.abeloos

@adriandupre Have you changed the authchanger to Okta? This uses the Okta API instead of OIDC, which is preferred.

/usr/local/bin/authchanger -reset -Okta

https://docs.jamf.com/jamf-connect/1.1.0/login/administrator-guide/Configuration_for_Okta.html

SOLVED Posted: by bmcdade

After doing an update from 1.0.1 to 1.1.0, it seems you still need to do that authchanger -reset -Okta even if you already have it installed. It seems that running the installer resets this on an active config. Not cool.

SOLVED Posted: by frederick.abeloos

The installer assumes you will use Azure and is hardcoded to do the authchanger in the postinstall of the pkg.

So yes, you need to run the authchanger after installing the new version to flip it back to Okta.

The way I do it is to deploy the official installer to a temporary folder, run it from there, and do the authchanger change via a postinstall of your custom pkg. Sign it if you want to deploy via prestage.

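A postinstall script in the shape frederick.abeloos describes, written here as an added example rather than anything posted in the thread or shipped by Jamf. It assumes the wrapper package's payload drops the vendor .pkg into /private/tmp/jamfconnect-payload (a hypothetical staging path), installs it with the stock installer command, runs authchanger -reset -Okta afterwards, and removes the staging folder. Because a postinstall runs as root, the script first checks the vendor package's signature with pkgutil --check-signature and refuses anything unsigned; the command paths are variables so the script can be dry-run against stubs.

```sh
#!/bin/sh
# postinstall for a wrapper pkg that stages the vendor Jamf Connect Login
# installer, runs it, then flips the login window back to Okta.
# Added example, not Jamf's installer. Paths are overridable so the script
# can be exercised with stub commands outside macOS.
set -eu

VENDOR_DIR="${VENDOR_DIR:-/private/tmp/jamfconnect-payload}"  # hypothetical staging path
INSTALLER="${INSTALLER:-/usr/sbin/installer}"
PKGUTIL="${PKGUTIL:-/usr/sbin/pkgutil}"
AUTHCHANGER="${AUTHCHANGER:-/usr/local/bin/authchanger}"
TARGET="${TARGET:-/}"

# A postinstall runs as root, so do not trust whatever landed in the staging
# folder: pkgutil exits non-zero for an unsigned or tampered package.
verify_pkg() {
    "$PKGUTIL" --check-signature "$1" >/dev/null 2>&1
}

install_vendor_pkg() {
    pkg="$1"
    if ! verify_pkg "$pkg"; then
        echo "refusing to install unsigned or invalid package: $pkg" >&2
        return 1
    fi
    "$INSTALLER" -pkg "$pkg" -target "$TARGET"
}

# The vendor postinstall sets the login mechanism up for OIDC (Azure); undo
# that after every install or upgrade so Okta keeps working.
reset_to_okta() {
    "$AUTHCHANGER" -reset -Okta
}

cleanup() {
    rm -rf "$VENDOR_DIR"
}

run_postinstall() {
    status=0
    for pkg in "$VENDOR_DIR"/*.pkg; do
        if [ ! -e "$pkg" ]; then
            echo "no vendor package found in $VENDOR_DIR" >&2
            status=1
            break
        fi
        install_vendor_pkg "$pkg" || status=1
    done
    # Do not touch the authorization mechanism if the package did not install.
    if [ "$status" -eq 0 ]; then
        reset_to_okta || status=1
    fi
    cleanup
    return "$status"
}

# Installer invokes postinstall with four arguments (package path, target,
# target volume, root); run by hand with no arguments, only the functions load.
if [ "$#" -ge 2 ]; then
    run_postinstall
fi
```

Build the wrapper with pkgbuild (--root pointing at a tree that places the vendor .pkg under the staging path, --scripts pointing at a directory containing this file named postinstall) and sign the result with productsign if it will be deployed through a PreStage enrollment. Keep the staging path outside any world-writable location you do not clean up yourself, since the script installs whatever .pkg files it finds there.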
SOLVED Posted: by bmcdade

Just started to try and test the Jamf Connect Sync for Okta, however the bundled version says it's a Trial, and unlicensed and then just quits. Little hard to test that. Is there something I'm doing wrong for this?

SOLVED Posted: by dvaldez

@bmcdade there is a mobileconfig license file that you should've received from your rep to push to your devices. Check with the rep; I had the same issue.

SOLVED Posted: by bmcdade

@dvaldez Thanks for the info. I just realized that the sync will not work for us anyway since Okta is controlled from our LDAP server, and we can't send any password updates back through Okta. I spent so much time on this not realizing no one can even change their password in Okta.

SOLVED Posted: by dswitmer

What happened to the trial DMG?

SOLVED Posted: by david.engum

@dswitmer Jamf now has a new trial site through which you can trial.

SOLVED Posted: by dswitmer

thanks!

SOLVED Posted: by duke.le

@bmcdade - This is an OKTA profile setting and not a limitation. We allow some users to change their passwords in OKTA that then pushes the password change to the LDAP server.
