Seamless Learning Access Components


Seamless Learning Access Components

Overview

Seamless Learning Access combines two technologies that your application integrates with directly: OIDC sign-in via RapidIdentity, and Managed App Configuration. The sections below describe what each one does in the Seamless Learning Access workflow and how your app participates.

For the conceptual introduction and a list of common partner questions, see the Seamless Learning overview.

Requirements

Seamless Learning Access requires iPadOS 18.7.3 or later on the iPad. iPadOS 26.x or later is recommended.

OIDC with RapidIdentity

RapidIdentity is the OIDC identity provider that powers Seamless Learning Access. The Seamless Learning Access SSO extension on the iPad intercepts your app's OIDC authorization request and forwards it to the district's RapidIdentity tenant, which authenticates the student and returns tokens through the standard system flow.

From your app's perspective, this is a normal OIDC integration. There is no Jamf-specific OIDC dialect. What you build is a standard OIDC client:

  • Recommended flow — Authorization Code with PKCE for public iOS clients.
  • Discovery — Use the RapidIdentity issuer URL provided by Jamf at the time of client registration.
  • Client registration — Client ID, scopes, and any released claims are provisioned together during onboarding.
  • Claims — RapidIdentity releases at minimum a stable subject identifier and a UPN. Additional claims (display name, role, group memberships, and so on) are negotiated as part of client registration and reflect what your app actually needs.

Read more about OpenID Connect on RapidIdentity's site.

📘

Note

Client registration, scopes, and the staging RapidIdentity tenant are coordinated through Jamf's Technology Partner program. Apply at jamf.com/partners/technology-partners or contact your existing Developer Relations representative.

Managed App Configuration

Managed App Configuration is the method an MDM server uses to dynamically configure a managed application over the air. In the Seamless Learning Access workflow, the MDM (Jamf Pro or Jamf School) delivers a payload that tells your app to switch into Seamless Learning Access mode and which tenant to target.

The minimum viable payload is two keys:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>enableLogin</key>
    <true/>
    <key>host</key>
    <string>district.example.edu</string>
</dict>
</plist>
  • enableLogin (boolean) — When true, your app treats Seamless Learning Access as the active sign-in path and initiates the OIDC flow described above. When false, missing, or when the entire Managed App Configuration dictionary is empty, your app falls back to its normal sign-in flow.
  • host (string) — The district's tenant URL. Use this to route the authenticated user into their district's instance of your service after the OIDC sign-in completes. This is what allows a single App Store binary to serve every K-12 district that runs Jamf, without per-customer builds — the OIDC flow authenticates the student, and host tells your app which district context they belong to.

Additional keys may be added to the payload as your application supports them. Publish an AppConfig spec on the AppConfig Community schema so administrators know what your app accepts.

Read more about Managed App Configuration on this developer portal, or Apple's Managed App Configuration command reference.

❗️

Warning

Xcode Simulator is not a full iOS framework and is not eligible for enrollment into an MDM server. If your app is run via Simulator, it will not receive a Managed App Configuration payload. Test on a real device enrolled in Jamf Pro or Jamf School.

Testing your integration

The Jamf Technology Partner program provides:

  • A Jamf Pro instance for authoring Managed App Configuration payloads and pushing them to a test iPad.
  • A staging RapidIdentity tenant for OIDC client registration and end-to-end testing.
  • A review of your AppConfig spec before you ship.

Apply at jamf.com/partners/technology-partners or contact your existing Developer Relations representative.

Publishing your integration

Once your integration passes testing, list it in the Jamf Marketplace so K-12 IT administrators can discover that your app supports Seamless Learning Access. The listing process is covered in Creating your Marketplace Listing.

Include in your listing:

  • A short description of how your app uses Seamless Learning Access.
  • Your published AppConfig spec so administrators can deploy your app correctly on first try.
  • Any optional Managed App Configuration keys your app supports beyond enableLogin and host.

What's next