EMS + jamf connect (jamf connect Login)

Microsoft & jamf announced a partnership in 2018 to bring the best sides of jamf to Microsoft (TEAMWORK). I have a lot of customers asking for a single MDM portal who already use Intune in their environment. This will make you Jizz In My Pants by Lonely Island.

For an intro, please see this video.

The minimum license requirements: Enterprise Mobility + Security E3 (which includes the following) and jamf connect:

  • Multi-factor authentication
  • Conditional access
  • Mobile device management(Intune)
  • Azure Active Directory Plan 1

This collaboration opens up a lot of features inside the Enterprise Mobility + Security license and makes the cloud identity provider the authority (instead of the local account).

My goal with this post is to make the connection between Azure AD and macOS with jamf connect login; I will write a separate blog post about jamf connect verify.

Toolbox:

  • macOS minimum version 10.12
  • jamf connect login – download (30-day license) – includes jamf connect Login, jamf connect Verify, jamf connect Sync
  • notepad++ (Windows)
  • Demo tenant with minimum EMS E3 license

The final result should look like this:

On a macOS device that is already enrolled in Intune with DEP, install the jamf connect .pkg (we can make this more streamlined and deploy it as a .intunemac file under Client apps as a line-of-business application).

Now we are going to make an application inside portal.azure.com as follows:

Application type: Native
Redirect URI: https://127.0.0.1/jamfconnect

Next go to Enterprise Applications in the Azure Portal and find the enterprise application with the same name, in my case “jamf connect login”.

Home -> Enterprise applications -> All applications -> jamf connect login -> Properties
Note the Application ID; you will need it later.
User assignment required -> No

Through the manifest inside your App registration you can assign the application to certain groups and users in your tenant. In this case, however, the users will be local administrators, so the settings you wish to lock down are instead handled through Apple's MDM protocol and pushed out with Intune Configuration Profiles.

Next, for the demo, we install the jamf connect login .pkg file on our macOS device. This .pkg file can be wrapped into a .intunemac using the Intune App Wrapping Tool for Mac (which can only be run on a Mac). Hopefully we will soon see the possibility to apply the .intunemac file at enrollment (awaiting package).

Now create a Device Configuration profile inside Intune (see the jamf article linked under Credit).

<plist version="1.0">
    <dict>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadDisplayName</key>
        <string>Jamf Connect Login Azure Settings</string>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadDescription</key>
        <string></string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadEnabled</key>
                <true/>
                <key>OIDCProvider</key>
                <string>Azure</string>
                <key>PayloadIdentifier</key>
                <string>9578F08E-D5AC-4A1F-86D9-51DF57541295</string>
                <key>PayloadDescription</key>
                <string>Jamf Connect Login Azure Settings</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>OIDCROPGID</key>
                <string>9fcc52c7-ee36-4889-8517-c5fed2c78083</string>
                <key>PayloadType</key>
                <string>com.jamf.connect.login</string>
                <key>PayloadUUID</key>
                <string>9578F08E-D5AC-4A1F-86D9-51DF57541295</string>
                <key>OIDCNewPassword</key>
                <false/>
                <key>OIDCRedirectURI</key>
                <string>https://127.0.0.1/jamfconnect</string>
                <key>PayloadDisplayName</key>
                <string>Jamf Connect Login Azure Settings</string>
                <key>PayloadOrganization</key>
                <string>Jamf Connect Login</string>
                <key>OIDCClientID</key>
                <string>9fcc52c7-ee36-4889-8517-c5fed2c78083</string>
            </dict>
        </array>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadOrganization</key>
        <string>Jamf Connect</string>
        <key>PayloadIdentifier</key>
        <string>7B7E2B17-F245-45FA-A913-8469A73BA5D6</string>
        <key>PayloadUUID</key>
        <string>7B7E2B17-F245-45FA-A913-8469A73BA5D6</string>
    </dict>
</plist>

Replace the OIDCClientID & OIDCROPGID strings with your Enterprise Application ID. Save the file as com.jamf.connect.login.xml, and before saving add the following to the top:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
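Before uploading the profile, it is worth checking it offline for the mistakes that are easy to make when hand-editing it in Notepad++: a missing XML declaration or DOCTYPE, an ID that is not the Application ID from the portal, or a redirect URI that does not match the app registration exactly (OIDC clients compare redirect URIs literally, so "Https://" and "https://" are different strings). The Python script below is an added example written for this post, not code from jamf or Microsoft. The profile it embeds is a constructed sample with the same structure as the one above; the Application ID and redirect URI in it are placeholders, and the broken variant reproduces the typos described.

```python
"""Offline sanity check for a Jamf Connect Login profile (com.jamf.connect.login.xml).

Added example, not part of the original post or of Jamf's tooling; standard library only.
"""
import plistlib
import re
from typing import List

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed placeholders standing in for your tenant's Application ID and redirect URI.
EXAMPLE_APP_ID = "00000000-0000-0000-0000-000000000001"
EXAMPLE_REDIRECT = "https://127.0.0.1/jamfconnect"

# Constructed sample profile with the same structure as the one in the post.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>7B7E2B17-F245-45FA-A913-8469A73BA5D6</string>
  <key>PayloadUUID</key><string>7B7E2B17-F245-45FA-A913-8469A73BA5D6</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.jamf.connect.login</string>
      <key>PayloadIdentifier</key><string>9578F08E-D5AC-4A1F-86D9-51DF57541295</string>
      <key>PayloadUUID</key><string>9578F08E-D5AC-4A1F-86D9-51DF57541295</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>OIDCProvider</key><string>Azure</string>
      <key>OIDCClientID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>OIDCROPGID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>OIDCRedirectURI</key><string>https://127.0.0.1/jamfconnect</string>
      <key>OIDCNewPassword</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed broken variant: DOCTYPE dropped, "Https://" typo, malformed client ID.
BROKEN_PROFILE = (
    re.sub(rb"<!DOCTYPE[^>]*>\n", b"", SAMPLE_PROFILE)
    .replace(b"https://127.0.0.1/jamfconnect", b"Https://127.0.0.1/jamfconnect")
    .replace(b"<key>OIDCClientID</key><string>" + EXAMPLE_APP_ID.encode(),
             b"<key>OIDCClientID</key><string>not-a-guid")
)


def validate_profile(data: bytes, app_id: str, redirect_uri: str) -> List[str]:
    """Return a list of problems found; an empty list means the profile passes."""
    problems: List[str] = []
    head = data.lstrip()[:200]
    if not head.startswith(b"<?xml"):
        problems.append("missing XML declaration at the top of the file")
    if b"<!DOCTYPE plist" not in head:
        problems.append("missing plist DOCTYPE after the XML declaration")
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # ExpatError or plistlib.InvalidFileException
        return problems + [f"not a parseable plist: {exc}"]
    if not isinstance(root, dict) or root.get("PayloadType") != "Configuration":
        return problems + ["top-level payload must be a dict with PayloadType 'Configuration'"]
    if root.get("PayloadScope") != "System":
        problems.append("PayloadScope is not 'System' (the profile in the post uses System)")

    payloads = [p for p in root.get("PayloadContent", []) if isinstance(p, dict)]
    seen = set()
    for payload in [root] + payloads:  # every payload needs its own GUID-shaped UUID
        uid = payload.get("PayloadUUID", "")
        if not GUID_RE.match(uid):
            problems.append(f"PayloadUUID {uid!r} is not a GUID")
        elif uid.lower() in seen:
            problems.append(f"duplicate PayloadUUID {uid}")
        seen.add(uid.lower())
        if not payload.get("PayloadIdentifier"):
            problems.append("a payload is missing PayloadIdentifier")

    login = [p for p in payloads if p.get("PayloadType") == "com.jamf.connect.login"]
    if len(login) != 1:
        problems.append("expected exactly one com.jamf.connect.login payload")
    for payload in login:
        if payload.get("OIDCProvider") != "Azure":
            problems.append("OIDCProvider must be 'Azure' for an Azure AD tenant")
        for key in ("OIDCClientID", "OIDCROPGID"):  # both carry the Application ID
            value = payload.get(key, "")
            if not GUID_RE.match(value):
                problems.append(f"{key} {value!r} is not a GUID")
            elif value.lower() != app_id.lower():
                problems.append(f"{key} {value} does not match Application ID {app_id}")
        if payload.get("OIDCRedirectURI") != redirect_uri:
            problems.append(
                f"OIDCRedirectURI {payload.get('OIDCRedirectURI')!r} must equal the "
                f"registered redirect URI {redirect_uri!r} exactly (scheme and case included)"
            )
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: validate.py com.jamf.connect.login.xml <app-id> <redirect-uri>
        with open(sys.argv[1], "rb") as fh:
            data, app_id, redirect = fh.read(), sys.argv[2], sys.argv[3]
    else:
        data, app_id, redirect = SAMPLE_PROFILE, EXAMPLE_APP_ID, EXAMPLE_REDIRECT
    for line in validate_profile(data, app_id, redirect) or ["OK: profile passes all checks"]:
        print(line)
```

Run it with the path to your saved .xml, the Application ID copied from the Enterprise application's Properties page, and the redirect URI from the app registration; with no arguments it checks the embedded sample. Note that plistlib refuses a file that starts with the DOCTYPE but no XML declaration, which is reported as "not a parseable plist", so the order the post gives (declaration first, then DOCTYPE) matters.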

Upload the com.jamf.connect.login.xml file in Intune.

Assign the Configuration Profile.

Go for a test drive: restart the Mac.

Credit

  • https://travellingtechguy.eu/jamf-connect-login-with-azure/
  • https://docs.jamf.com/jamf-connect/1.0.1/login/administrator-guide/Overview.html
