Customizing the Jamf Connect Login Package with Composer

Overview

This article explains how to use Composer to customize the Jamf Connect Login installer packages. Customizing the Jamf Connect Login package allows you to do the following:

  • Change the postinstall script to support either OpenID Connect (OIDC) or Okta authorization
  • Add and configure loginwindow mechanisms
  • Add files to the package, such as scripts and preference files

Requirements

Step 1: Convert Jamf Connect Login to a Package Source in Composer

Convert the existing Jamf Connect Login installer package, included in the Jamf Connect DMG, to a package source in Composer:

  1. Drag the Jamf Connect Login installer package to the sidebar in Composer.
  2. Click Convert to Source.

For more information, see the Creating Package Sources section in the Jamf Pro Administrator's Guide.

Step 2: Change Privileges of Jamf Connect Login Package Content

After converting the package in Composer, the package privileges may be incorrect. Apply the following privileges to the authchanger, PAM Module, and JamfConnectLogin.bundle to ensure the package will successfully deploy:

PAM Module
/usr/local/lib/pam/pam_saml.so.2

  • Select "root (0)" in the Owner pop-up menu.
  • Select "wheel (0)" in the Group pop-up menu.
  • Mode 444
    • Enable Read for Owner.
    • Enable Read for Group.
    • Enable Read for Everyone.

JamfConnectLogin.bundle
/Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle

  • Select "root (0)" in the Owner pop-up menu.
  • Select "wheel (0)" in the Group pop-up menu.
  • Mode 755
    • Enable Read, Write, and Execute permissions for Owner.
    • Enable Read and Execute privileges for Group.
    • Enable Read and Execute privileges for Everyone.

Once you have applied the above privileges to the JamfConnectLogin.bundle, click the Action button to the right of the X-column, and select "Apply Permissions to JamfConnectLogin.bundle and All Enclosed Items" in the pop-up menu.

Note: Incorrect privileges applied to the JamfConnectLogin.bundle may cause Jamf Connect Login to display a black screen instead of the login window. If Secure Shell (SSH) is enabled on your test computer, you can execute the following command to remove the Jamf Connect Login mechanism:

sudo /usr/local/bin/authchanger -reset

For more information, see the Viewing and Editing the Contents of Package Sources section in the Jamf Pro Administrator's Guide.
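The black-screen failure described above is easiest to catch before the package is built. The following shell script is an added example, not part of this article or of Jamf's tooling: it checks the Step 2 owner, group and mode of the PAM module and the JamfConnectLogin.bundle inside a Composer package source. It assumes the source root is the folder containing usr/ and Library/ (passed as the first argument); the optional UID and GID arguments default to root:wheel (0:0).

```shell
#!/bin/sh
# Added example (not from the article): check the Step 2 privileges in a Composer
# package source before building. pam_saml.so.2 must be 444 and the bundle plus
# every enclosed item 755, all owned by root (0) / wheel (0). UID/GID are
# parameters so the check can also run on a staging copy that you own.

# Print "mode uid gid" for a path. macOS stat takes -f, GNU stat takes -c; the
# probe against / only succeeds on the BSD flavour, so it picks the right form.
perm_of() {
    if stat -f '%Lp' / >/dev/null 2>&1; then
        stat -f '%Lp %u %g' "$1"
    else
        stat -c '%a %u %g' "$1"
    fi
}

# check_perm PATH MODE UID GID: succeed only if PATH has exactly those bits/owner.
check_perm() {
    target=$1 want_mode=$2 want_uid=$3 want_gid=$4
    [ -e "$target" ] || { echo "MISSING  $target"; return 1; }
    set -- $(perm_of "$target")   # unquoted on purpose: split into $1 $2 $3
    if [ "$1" = "$want_mode" ] && [ "$2" = "$want_uid" ] && [ "$3" = "$want_gid" ]; then
        echo "OK       $target ($1 $2:$3)"
        return 0
    fi
    echo "MISMATCH $target is $1 $2:$3, want $want_mode $want_uid:$want_gid"
    return 1
}

# check_source ROOT [UID GID]: ROOT is the package source folder that contains
# usr/ and Library/. Owner defaults to root:wheel (0:0). Returns 1 on any problem.
check_source() {
    root=$1 uid=${2:-0} gid=${3:-0} rc=0
    bundle="$root/Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle"
    check_perm "$root/usr/local/lib/pam/pam_saml.so.2" 444 "$uid" "$gid" || rc=1
    check_perm "$bundle" 755 "$uid" "$gid" || rc=1
    # "Apply Permissions to JamfConnectLogin.bundle and All Enclosed Items" should
    # leave nothing inside the bundle with other bits or another owner.
    if [ -d "$bundle" ]; then
        bad=$(find "$bundle" -mindepth 1 \( -type f -o -type d \) \
                   \( ! -perm 755 -o ! -user "$uid" -o ! -group "$gid" \))
        [ -z "$bad" ] || { printf 'MISMATCH inside bundle:\n%s\n' "$bad"; rc=1; }
    fi
    return $rc
}

# Usage: sh check_jcl_perms.sh /path/to/composer/source/root [uid gid]
[ $# -eq 0 ] || check_source "$@"
```

A non-zero exit status means at least one path is missing or carries the wrong owner or mode; the MISMATCH lines name the offending items so they can be corrected in Composer before the Build as PKG step.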

Step 3: Customize the Jamf Connect Login Package

You can customize the Jamf Connect Login package as needed for deployment in your environment. The following customizations are commonly used:

Enable Okta Authentication

Jamf Connect Login includes a postinstall script, which runs after the Jamf Connect Login package files are installed on the computer. By default, the postinstall script adds the CheckOIDC mechanism to the loginwindow application, which works with IdPs using OpenID Connect (OIDC) for authorization. If you use Okta in your environment, you must use the CheckOkta mechanism instead. You can add CheckOkta by renaming the Jamf Connect Login package to include "Okta" in its title.

Note: The package name is case sensitive.

Alternatively, you can add the following authchanger command to the postinstall script:

/usr/local/bin/authchanger -reset -Okta

For more information about the authchanger, see the Using authchanger with Jamf Connect Knowledge Base article.

Add Files

Composer can build a package to include additional files on the computer. The following files are commonly added to the Jamf Connect Login package to customize the app:

  • Images and logos for Jamf Connect banners
  • End user license agreement (EULA) mechanism and text
  • Scripts to run after the user successfully authenticates to their IdP

Note: Adding files to the package increases the download and installation time for the user. To ensure a good user experience, only add necessary files to a PreStage enrollment package. Non-essential files can be added to a package deployed later via a Jamf Pro policy.

Add a Logo

You can customize the Jamf Connect Login screen with your organization's brand by adding the following preference keys in a .plist file, and then applying the required privileges:

<key>LoginLogo</key>
<string>/path/to/image/imagename.gif</string>
<key>BackgroundImage</key>
<string>/path/to/image/backgroundimage.png</string>

  • Select "root (0)" in the Owner pop-up menu.
  • Select "wheel (0)" in the Group pop-up menu.
  • Mode 444
    • Enable Read for Owner.
    • Enable Read for Group.
    • Enable Read for Everyone.

Add the EULA mechanism

You can add an end user license agreement (EULA) mechanism to Jamf Connect Login, which displays a EULA screen that a user must accept before accessing the computer. To add the EULA mechanism, complete the following in Composer:

Edit the postinstall script to include one of the following commands based on your IdP:

OIDC IdPs:

/usr/local/bin/authchanger -reset -OIDC -preAuth JamfConnectLogin:EULA

Okta:

/usr/local/bin/authchanger -reset -Okta -preAuth JamfConnectLogin:EULA

Add a .plist file to the package that includes the following keys:

<key>EULAPath</key>
<string>/path/to/file/eula.rtf</string>
<key>EULATitle</key>
<string>insert-EULA-title-here</string>
<key>EULASubTitle</key>
<string>insert-EULA-subtitle-here</string>
<key>EULAText</key>
<string>insert-EULA-text-here</string>

Apply the following privileges:

  • Select "root (0)" in the Owner pop-up menu.
  • Select "wheel (0)" in the Group pop-up menu.
  • Mode 444
    • Enable Read for Owner.
    • Enable Read for Group.
    • Enable Read for Everyone.

Add the RunScript Mechanism

After authentication, Jamf Connect Login can run scripts included in the package. Complete the following to add the RunScript mechanism to Jamf Connect Login:

Edit the postinstall script to include one of the following commands based on your IdP:

OIDC IdPs:

/usr/local/bin/authchanger -reset -OIDC -preAuth JamfConnectLogin:RunScript,privileged

Okta:

/usr/local/bin/authchanger -reset -Okta -preAuth JamfConnectLogin:RunScript,privileged

Add a bash script to the package, and then apply the following privileges:

  • Select "root (0)" in the Owner pop-up menu.
  • Select "wheel (0)" in the Group pop-up menu.
  • Mode 755
    • Enable Read, Write, and Execute permissions for Owner.
    • Enable Read and Execute privileges for Group.
    • Enable Read and Execute privileges for Everyone.

For more information, see the Adding Scripts to Package Sources section in the Jamf Pro Administrator's Guide.

Add a .plist file to the package that includes the following key:

<key>ScriptPath</key>
<string>/path/to/script/script.sh</string>

Add the Notify Mechanism

Jamf Connect Login can include the Notify mechanism, which displays a progress bar, customized text, and images after authentication while the loginwindow process continues. Complete the following to add the Notify mechanism to Jamf Connect Login:

Edit the postinstall script to include one of the following commands based on your IdP:

OIDC IdPs:

/usr/local/bin/authchanger -reset -OIDC -preAuth JamfConnectLogin:Notify,privileged

Okta:

/usr/local/bin/authchanger -reset -Okta -preAuth JamfConnectLogin:Notify,privileged

The Notify mechanism is usually managed with a script. The following script is an example that deploys Jamf Connect Login and Jamf Connect Verify with a PreStage enrollment package:

#!/bin/bash

# jamf_dep.sh - a script to deploy Jamf Connect Login and Jamf Connect Verify
# with a PreStage enrollment package.

JAMFBIN="/usr/local/bin/jamf"
# The Notify mechanism reads its commands from this log file.
DEPNOTIFY_LOG="/var/tmp/depnotify.log"

# Set the Main Title at the top of the window. The doubled backslash writes a
# literal "\n" into the log, which the Notify window renders as a line break.
echo "Command: MainTitle: Welcome to Jamf Connect!" >> "$DEPNOTIFY_LOG"
echo "Command: MainText: Welcome to your new Mac.\\nSit tight as we do some basic setup to get you ready for success.\\nYou can see the status of the setup on the progress bar below." >> "$DEPNOTIFY_LOG"

echo "Status: Installing Jamf" >> "$DEPNOTIFY_LOG"

# Wait until the jamf binary is fully downloaded
until [ -f "$JAMFBIN" ]; do
    echo "Status: Waiting for Jamf binary installation" >> "$DEPNOTIFY_LOG"
    sleep 2
done

echo "Status: Jamf Installed" >> "$DEPNOTIFY_LOG"

echo "Status: Passing command and control to Jamf Pro" >> "$DEPNOTIFY_LOG"

# Trigger the Jamf Pro policies scoped to this custom event
"$JAMFBIN" policy -event JamfConnectLoginInstalled

To quit the Notify mechanism, execute the following command:

echo "Command: Quit" >> /var/tmp/depnotify.log

Additional Information

For additional information about Composer, see Composer in the Jamf Pro Administrator's Guide.

For additional information about Jamf Connect Login, see the Jamf Connect Login Administrator's Guide.

For additional information about signing certificates, see the following Knowledge Base articles:
