
Understanding Jamf Connect with OpenID Connect Authentication

Overview

Jamf Connect allows for simple provisioning of local user accounts and password synchronization with a cloud identity provider (IdP) during an Apple provisioning workflow.

To complete these tasks, Jamf Connect uses the OpenID Connect authentication protocol, which can be configured to support various types of authentication methods (grants) that dictate how the following components communicate:

  • Resource Owner—The end user
  • Client App—Jamf Connect
  • Authentication Server—The cloud IdP

Jamf Connect uses the following OpenID Connect grant types:

  • Authorization Code Grant—Authenticates the user's cloud username and password at the IdP in exchange for an authorization code, which Jamf Connect then sends to your IdP's token endpoint.
  • Resource Owner Password Grant (ROPG)—Sends the user's cloud username and password directly to your IdP's token endpoint. This authentication method is only used for password synchronization.

The following sections (each illustrated with a diagram on the original page) describe how each authentication grant type is completed:

Authorization Code Grant

This grant type is used when Jamf Connect Login is used to either create a new local account on a computer or log in to an existing local account via cloud authentication.

Resource Owner Password Grant (ROPG)

This grant type is used when Jamf Connect Login or Jamf Connect Verify checks that a user's network username and password match their local account.
Note: Google Cloud ID does not support ROPG.

Authorization Code Grant and Resource Owner Password Grant (ROPG)

When Jamf Connect Login and Jamf Connect Verify are used together and configured to sync passwords, both grant types are used for authentication. If configured, Jamf Connect Login can create a local account that has the same password as the user's network password. The user is then prompted to log in with Jamf Connect Verify to enable continuous password syncing.
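The following is an added example, not Jamf Connect's code or any IdP's implementation, that simulates both token-endpoint exchanges described above offline: the Authorization Code Grant (credentials checked at the IdP, a one-time code redeemed for tokens) used for account creation and login, and the Resource Owner Password Grant (credentials posted straight to the token endpoint) used for the password-match check. The issuer URL, client ID, redirect URI, user record and signing key are all constructed placeholders; the demo IdP signs its ID token with HS256 so the client can verify it with the same key, whereas a real IdP signs with an asymmetric key and publishes its public keys.

```python
"""Simulated OAuth 2.0 / OpenID Connect token exchanges for the two grant types.
Added example, not Jamf Connect's code; every identifier below is a placeholder."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

ISSUER = "https://idp.example.com"                      # placeholder IdP
CLIENT_ID = "jamf-connect-client-id"                    # placeholder client ID
REDIRECT_URI = "https://127.0.0.1/jamfconnect"          # placeholder redirect URI
CLOUD_USERS = {"jappleseed@example.com": "correct horse battery staple"}  # constructed user
ID_TOKEN_KEY = b"constructed-demo-key"  # demo only: real IdPs sign with RS256 and publish a JWKS

issued_codes: dict = {}  # authorization code -> (subject, expiry); codes are single use


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def credentials_ok(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed cloud directory."""
    return hmac.compare_digest(CLOUD_USERS.get(username, "").encode(), password.encode())


def mint_id_token(subject: str) -> str:
    """Build a minimal signed JWT carrying the standard OIDC claims."""
    now = int(time.time())
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": subject,
                                "iat": now, "exp": now + 300}).encode())
    sig = b64url(hmac.new(ID_TOKEN_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest())
    return f"{header}.{claims}.{sig}"


# ---- Authorization server (cloud IdP) side, simulated ----
def authorize(username: str, password: str):
    """Authorization Code Grant, step 1: the IdP login page checks the cloud
    credentials and returns a short-lived, one-time code (never the password)."""
    if not credentials_ok(username, password):
        return None
    code = secrets.token_urlsafe(24)
    issued_codes[code] = (username, time.time() + 60)
    return code


def token_endpoint(form_body: str) -> dict:
    """The IdP token endpoint: accepts either grant type, returns tokens or an RFC 6749 error."""
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    grant = params.get("grant_type")
    if grant == "authorization_code":
        entry = issued_codes.pop(params.get("code", ""), None)  # pop enforces single use
        if entry is None or entry[1] < time.time() or params.get("redirect_uri") != REDIRECT_URI:
            return {"error": "invalid_grant"}
        subject = entry[0]
    elif grant == "password":  # ROPG: the password itself travels to the token endpoint
        if not credentials_ok(params.get("username", ""), params.get("password", "")):
            return {"error": "invalid_grant"}
        subject = params["username"]
    else:
        return {"error": "unsupported_grant_type"}
    return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(16),
            "id_token": mint_id_token(subject)}


# ---- Client (Jamf Connect's role) side ----
def exchange_code(code: str) -> dict:
    """Authorization Code Grant, step 2: redeem the code at the token endpoint."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI})
    return token_endpoint(body)


def ropg(username: str, password: str) -> dict:
    """Resource Owner Password Grant: one POST carrying the credentials directly."""
    body = urlencode({"grant_type": "password", "username": username, "password": password,
                      "client_id": CLIENT_ID, "scope": "openid"})
    return token_endpoint(body)


def verify_id_token(token: str):
    """Client-side check of signature, issuer, audience and expiry; returns the subject or None."""
    header, claims, sig = token.split(".")
    expected = b64url(hmac.new(ID_TOKEN_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
    if payload.get("iss") != ISSUER or payload.get("aud") != CLIENT_ID or payload.get("exp", 0) < time.time():
        return None
    return payload.get("sub")


def login_with_cloud_account(username: str, password: str):
    """Jamf Connect Login path: full Authorization Code Grant, returns the verified subject."""
    code = authorize(username, password)
    if code is None:
        return None
    tokens = exchange_code(code)
    return verify_id_token(tokens["id_token"]) if "id_token" in tokens else None


def local_password_matches_network(username: str, password: str) -> bool:
    """Jamf Connect Verify path: ROPG succeeds only if the typed password is the current cloud password."""
    return "id_token" in ropg(username, password)
```

Two properties worth noticing when reading the exchange: an authorization code is consumed on first redemption, so a replayed code gets `invalid_grant` back, and only the ROPG request ever carries the password itself to the token endpoint. That is why ROPG is confined to the password-sync check and why an IdP can decline to offer it at all, as the Google Cloud ID note above states.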

Additional Information

For additional information about enabling OpenID Connect authentication between Jamf Connect and your cloud IdP, see Integrating with an Identity Provider in the Jamf Connect Administrator's Guide.

For additional information about OpenID Connect, see the following resource from the OpenID Connect foundation: https://openid.net/specs/openid-connect-core-1_0.html
