Seamless Learning Access Components
Overview
Seamless Learning Access combines two technologies that your application integrates with directly: OIDC sign-in via RapidIdentity, and Managed App Configuration. The sections below describe what each one does in the Seamless Learning Access workflow and how your app participates.
OIDC with RapidIdentity
RapidIdentity is the OIDC identity provider that powers Seamless Learning Access. The Jamf-managed SSO extension on the iPad intercepts your app's OIDC authorization request and forwards it to the district's RapidIdentity tenant, which authenticates the student and returns tokens through the standard system flow. From your app's perspective, this is a normal OIDC integration. There is no Jamf-specific OIDC dialect.
What you build is a standard OIDC client. Authorization Code with PKCE is the recommended flow for public iOS clients. Discovery uses the RapidIdentity issuer URL provided by Jamf at the time of client registration.
Read more about OpenID Connect on RapidIdentity's site
Note: Client registration, scopes, and the staging RapidIdentity tenant are coordinated through Jamf's Technology Partner program. Apply at jamf.com/partners/technology-partners or contact your existing Developer Relations representative.
Managed App Configuration
Managed App Configuration is a mechanism by which an MDM server dynamically configures managed applications over the air. In the Seamless Learning Access workflow, the MDM server (Jamf Pro or Jamf School) delivers a payload to your app that tells it to switch into Seamless Learning Access mode and which tenant to use.
The minimum viable payload is two keys:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>enableLogin</key>
<true/>
<key>host</key>
<string>district.example.edu</string>
</dict>
</plist>
- enableLogin (boolean) - When true, your app treats Seamless Learning Access as the active sign-in path and initiates the OIDC flow described above. When false, missing, or when the entire Managed App Configuration dictionary is empty, your app falls back to its normal sign-in flow.
- host (string) - The district's tenant URL. Use this to route the user into their district's instance after the OIDC sign-in completes. This is what allows a single App Store binary to serve every K-12 district that runs Jamf, without per-customer builds.
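One way an app might read these two keys and apply the fallback rule, as an added example that is not Jamf's code or part of the original page. The names SignInMode, validatedHost, signInMode(from:) and currentSignInMode are hypothetical; treating host as a bare DNS name (as in the sample payload) and falling back when it fails validation are assumptions.

```swift
import Foundation

// Hypothetical type: the sign-in path chosen from the managed configuration.
enum SignInMode: Equatable {
    case seamless(tenantHost: String) // enableLogin is true and host passed validation
    case standard                     // the app's normal sign-in flow
}

// iOS exposes the MDM-delivered dictionary in UserDefaults under this key.
let managedConfigKey = "com.apple.configuration.managed"

// Assumption: host is a bare DNS name like the sample payload's value, so a
// scheme, path, port, userinfo or any other character is rejected.
func validatedHost(_ raw: Any?) -> String? {
    guard let text = raw as? String else { return nil }
    let host = text.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
    guard !host.isEmpty, host.utf8.count <= 253 else { return nil }
    let allowed = CharacterSet(charactersIn: "abcdefghijklmnopqrstuvwxyz0123456789-.")
    guard host.unicodeScalars.allSatisfy({ allowed.contains($0) }) else { return nil }
    let labels = host.split(separator: ".", omittingEmptySubsequences: false)
    guard labels.count >= 2 else { return nil }
    for label in labels {
        guard !label.isEmpty, label.count <= 63,
              !label.hasPrefix("-"), !label.hasSuffix("-") else { return nil }
    }
    return host
}

// Falls back to the normal flow when the dictionary is absent or empty, when
// enableLogin is not true, and (assumption) when host is unusable, since
// there is then no tenant to route the user to.
func signInMode(from config: [String: Any]?) -> SignInMode {
    guard let config = config, !config.isEmpty,
          (config["enableLogin"] as? Bool) == true,
          let host = validatedHost(config["host"]) else {
        return .standard
    }
    return .seamless(tenantHost: host)
}

// Read the live payload; call again when UserDefaults.didChangeNotification
// fires, because MDM can update the configuration while the app is running.
func currentSignInMode() -> SignInMode {
    signInMode(from: UserDefaults.standard.dictionary(forKey: managedConfigKey))
}
```

Keeping the decision in a pure function that takes the dictionary as a parameter lets you unit-test the fallback cases without an enrolled device.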
Additional keys may be added to the payload as your application supports them. A spec file published in the AppConfig Community schema tells admins what your app accepts.
Read more about Managed App Configuration on this developer portal, or Apple's Managed App Configuration command reference.
Warning: Xcode Simulator is not a full iOS framework and is not eligible for enrollment into an MDM server. If your app is run via Simulator, it will not receive a Managed App Configuration payload. Test on a real device enrolled in Jamf Pro or Jamf School.
Testing your integration
The Technology Partner program provides:
- A Jamf Pro instance for authoring Managed App Configuration payloads and pushing them to a test iPad.
- A RapidIdentity staging tenant for OIDC client registration and end-to-end testing.
- A review of your AppConfig spec before you ship.