Jamf pro okta
2/18/2023

Before we dig in, we should go over some of the identity management trends and issues facing macOS today:

- First, macOS has supported binding with Active Directory for years, but most Mac admins consider this brittle and unreliable, and instead, local user accounts are the way to go.
- By now you’ve probably heard that macOS provisioning is changing. DEP) is the way forward, and High Sierra, the T2 chip, and Mojave have killed off imaging.
- Automated MDM enrollments need some help with authentication, because DEP and MDM just don’t have all the modern identity components needed to secure it.
- As with Windows, most IT organizations want to avoid giving admin rights to Mac users.
- Lastly, this is all happening at a time when identity concepts like conditional access, multi-factor authentication, SAML, and “zero trust” are really spreading.

The easiest way to understand what Jamf Connect does is to look at the enrollment process step by step. When a Mac is turned on and connected to the internet for the first time, it checks in with Apple. If the serial number is part of the Device Enrollment Program, Apple will redirect it to the associated MDM server. As part of the initial MDM enrollment, you can push a package to the device, using the Install Enterprise App command.

Here, as I wrote last week, there’s an option to authenticate the user via LDAP, but we want stronger authentication at some point. So, you can push Jamf Connect, and use the Await Configuration command to make sure that it gets fully installed while the device is in Setup Assistant mode, i.e., the device will tell the user to hold on while it sets everything up, and the user can’t mess it up or anything. Then, Jamf Connect will pop up before the standard native login window. Jamf Connect can ask the user to authenticate, using modern practices like multi-factor authentication, conditional access, and cloud identity providers.

Now that the user is authenticated and authorized, Jamf Connect will create the local user account in macOS. It does this (along with some other cool stuff that I’ll talk about next) thanks to an integration with the macOS authorization database, a SQLite database that the operating system uses to handle all sorts of tasks. What about the password? I’ll get to that later. But by the way, at this point, since the user has been strongly authenticated, you’re also clear to install sensitive data and configurations.

Subsequent logins will generally take place using the native login window, but there are a few other places where Jamf Connect comes up. Thanks to Jamf Connect’s integration with the macOS authorization database, it can also be used to gate other sensitive actions, like various settings in System Preferences, and sudo commands. This means that you don’t have to give users admin rights (not even temporarily), and instead, Jamf Connect is dealing with the authorization by adjusting rules in the database. This also helps you deal with apps that would previously only work with admin rights.

Since we’re talking about a local account, the authentication is happening right there on the machine. Jamf Connect can create the local user account, but what about setting the password? You either have to sync the password and write it to the local user account, or just let the user set it, and be okay with it being different than the cloud IdP. Your options here depend on how you’re integrating with your IdP.

The first cloud IdP that Jamf Connect integrated with was Okta (this was prior to the acquisition). This integration uses Okta’s proprietary APIs. Users type their password into the Connect app, which sends it to the Okta APIs, but at the same time, Connect can also see the password and set it in the local account. Connect also steps in with a browser extension.
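Because the authorization database is what makes both the login-window hook and the gating of System Preferences panes and sudo possible, an admin who relies on it will want a way to notice when a right has been loosened. The script below is an added example written for this page (it is not the blog author's code and not anything from Jamf): it parses rights in the XML plist form that `security authorizationdb read <right>` prints and reports rights that no longer require an admin credential, as well as login-window mechanism chains containing plugins outside an expected set. The embedded sample exports are constructed, `EXPECTED_MECHANISM_PREFIXES` is an assumed allowlist you would seed from a known-good Mac, and `ExamplePlugin` is a placeholder plugin name.

```python
"""Audit macOS authorization-database rights for loosened rules.

`security authorizationdb read <right>` prints one right as an XML plist.
This script parses such exports and reports rights that no longer require an
admin credential, plus login-window mechanism chains that contain plugins
outside an expected set.  The sample exports below are constructed.
"""
import plistlib
import shutil
import subprocess
import sys

# Rights to check on a live Mac (System Preferences panes are gated by the first two).
WATCHED_RIGHTS = ["system.preferences", "system.preferences.security", "system.login.console"]

# Assumption: seed this from a known-good machine; any other mechanism gets reported.
EXPECTED_MECHANISM_PREFIXES = ("builtin:", "loginwindow:")

# Constructed sample: roughly what a stock 'system.preferences' export looks like.
SAMPLE_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>user</string>
  <key>group</key><string>admin</string>
  <key>shared</key><true/>
  <key>timeout</key><integer>2147483647</integer>
</dict></plist>"""

# Constructed sample: the same right rewritten so anyone can exercise it.
SAMPLE_ALLOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>allow</string>
</dict></plist>"""

# Constructed sample: still prompts, but any member of 'staff' passes.
SAMPLE_STAFF = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>user</string>
  <key>group</key><string>staff</string>
  <key>shared</key><true/>
</dict></plist>"""

# Constructed sample: a login-window chain with a placeholder third-party plugin.
SAMPLE_MECHANISMS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key><array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>ExamplePlugin:login,privileged</string>
  </array>
</dict></plist>"""


def audit_right(name, plist_bytes, required_group="admin"):
    """Return a list of findings for one exported right; [] means it looks intact."""
    rule = plistlib.loads(plist_bytes)
    cls = rule.get("class")
    findings = []
    if cls == "allow":
        findings.append(f"{name}: class 'allow' grants the right with no authentication")
    elif cls == "user":
        group = rule.get("group")
        if group != required_group:
            findings.append(f"{name}: class 'user' accepts group {group!r} instead of {required_group!r}")
    elif cls == "rule":
        # The right delegates to named rules; delegating to 'allow' removes the prompt.
        if "allow" in rule.get("rule", []):
            findings.append(f"{name}: delegates to the 'allow' rule")
    elif cls == "evaluate-mechanisms":
        # Login-window style rights run a chain of mechanisms; this is where
        # third-party login plugins (including ones you deploy yourself) are registered.
        for mech in rule.get("mechanisms", []):
            if not mech.startswith(EXPECTED_MECHANISM_PREFIXES):
                findings.append(f"{name}: mechanism {mech!r} is outside the expected set; confirm you deployed it")
    elif cls != "deny":  # 'deny' is stricter than expected, not a weakening
        findings.append(f"{name}: unrecognised class {cls!r}")
    return findings


def read_right_from_system(name):
    """Export a right from the live database (macOS only); None elsewhere or on error."""
    if sys.platform != "darwin" or shutil.which("security") is None:
        return None
    result = subprocess.run(["security", "authorizationdb", "read", name],
                            capture_output=True, check=False)
    return result.stdout if result.returncode == 0 else None


if __name__ == "__main__":
    for label, sample in [("default", SAMPLE_DEFAULT), ("allow", SAMPLE_ALLOW),
                          ("staff", SAMPLE_STAFF), ("mechanisms", SAMPLE_MECHANISMS)]:
        print(label, audit_right("sample", sample) or "OK")
    for right in WATCHED_RIGHTS:  # live audit when run on a Mac
        export = read_right_from_system(right)
        if export is not None:
            print(right, audit_right(right, export) or "OK")
```

Run on a Mac, it checks the live rights in `WATCHED_RIGHTS` after walking the offline samples; anywhere else only the samples run. A right that delegates through `rule` to a custom rule name rather than to `allow` is not flagged here; exporting and auditing that named rule as well is left to the operator.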