Guide for SSO with Jamf Setup

Overview

Jamf Setup can be used to start the sign-in process and log in additional applications. The steps below walk through the configuration of each component. To use this process, your application must support the required libraries (see the Authentication Libraries page for more information).

Step 1: Add Applications to Jamf Pro

Add these applications to Jamf Pro:

  • Microsoft Authenticator
  • Jamf Setup
  • Jamf Reset
  • Additional Applications that can be signed in through SSO

Directions on adding applications to Jamf Pro can be found here

Step 2: Integrating with Azure

  • App Registration - applications using the Single Login workflow will need to be registered within Azure's App Registrations section. Please refer to the Jamf Setup Configuration Guide for step-by-step instructions. Important items to note or define in this section are Directory/Tenant ID, Application/Client ID, redirect URI, and Roles.
  • Roles - defined within the App Registration section and assigned to users and groups within the Enterprise Application Settings section of Azure. For Jamf Setup, these roles are used to help identify the end-user's role within the organization. If multiple roles are available, Jamf Setup will prompt the end-user to select from the list of roles to define their role for that login session. These role values are mapped to an extension attribute in Jamf.
  • Enterprise Application Settings - Roles are assigned to Azure AD users and groups within the Enterprise Application Settings of the registered application.

Information on creating app registrations, roles, and access within Azure can be found here

Step 3: Add Necessary Managed App Configurations to Jamf Pro

Managed App Configurations are a way for an MDM to define settings within an application installed on devices. The below configurations are used to configure the applications necessary to complete this SSO workflow with Jamf Setup.

Microsoft Authenticator

A Managed App Config is needed to set the Microsoft Authenticator App into Shared Mode. This configuration can be utilized as is.

<dict>
    <key>sharedDeviceMode</key>
    <true/>
</dict>

Jamf Setup

An example Managed App Configuration for Jamf Setup is shown below. Some fields are specific to each environment, such as "com.jamf.config.sso.client-id". You can view more information about each key here:

Jamf Setup Configuration

<dict>
    <key>com.jamf.config.jamfpro.url</key>
    <string>$JPS_URL</string>
    <key>com.jamf.config.jamfpro.device-id</key>
    <string>$JSSID</string>
    <key>com.jamf.config.oauth.authorization-code</key>
    <string>$OAUTH_AUTH_CODE</string>
    <key>com.jamf.config.reinstall-code</key>
    <string>$APP_CONFIG_REINSTALL_CODE</string>
    <key>com.jamf.config.setup.extension-attribute.name</key>
    <string>insert-name-here</string>
    <key>com.jamf.config.setup.extension-attribute.options</key>
    <array>
        <string>insert-option-one-here</string>
        <string>insert-option-two-here</string>
        <string>insert-option-three-here</string>
        <string>insert-option-four-here</string>
    </array>
    <key>com.jamf.config.sso.login-type</key>
    <string>AZURE</string>
    <key>com.jamf.config.sso.client-id</key>
    <string>CLIENT_ID_HERE</string>
    <key>com.jamf.config.sso.authority-uri</key>
    <string>URI_HERE</string>
    <key>com.jamf.config.ui.header-image.url</key>
    <string>https://resources.jamf.com/images/logos/Jamf-color.png</string>
    <key>com.jamf.config.ui.main-page.title</key>
    <string>Make a Selection</string>
    <key>com.jamf.config.ui.main-page.text</key>
    <string>Select the appropriate role below, and then tap Submit to configure your device</string>
    <key>com.jamf.config.ui.text.color</key>
    <string>#444444</string>
    <key>com.jamf.config.ui.main-page.button.text</key>
    <string>Submit</string>
    <key>com.jamf.config.ui.main-page.button.color</key>
    <string>#37BB9A</string>
    <key>com.jamf.config.ui.main-page.button.text.color</key>
    <string>#F8F8F8</string>
    <key>com.jamf.config.ui.success-page.title</key>
    <string>Success</string>
    <key>com.jamf.config.ui.background.color</key>
    <string>#F8F8F8</string>
</dict>

Jamf Reset

An example Managed App Configuration for Jamf Reset is shown below. Some fields are specific to each environment, such as "com.jamf.config.sso.client-id". You can view more information about each key here:

Jamf Reset Configuration

<dict>

    <!-- REQUIRED SECTION -->

    <key>com.jamf.config.jamfpro.url</key>
    <string>$JPS_URL</string>
    <key>com.jamf.config.jamfpro.device-id</key>
    <string>$JSSID</string>
    <key>com.jamf.config.oauth.authorization-code</key>
    <string>$OAUTH_AUTH_CODE</string>
    <key>com.jamf.config.reinstall-code</key>
    <string>$APP_CONFIG_REINSTALL_CODE</string>
    <key>com.jamf.config.legacy-compatibility</key>
    <false/>

    <!-- AZURE SECTION - GET CLIENT ID AND AUTHORITY URI FROM AZURE ADMIN -->

    <key>com.jamf.config.sso.login-type</key>
    <string>AZURE</string>
    <key>com.jamf.config.sso.client-id</key>
    <string>YOURS GOES HERE</string>
    <key>com.jamf.config.sso.authority-uri</key>
    <string>https://login.microsoftonline.com/YOURS GOES HERE</string>

    <!-- ENABLES END SHIFT WITHOUT A DEVICE WIPE -->

    <key>com.jamf.config.reset.soft-reset</key>
    <true/>

    <!-- SAME EXTENSION ATTRIBUTE AS SETUP -->

    <key>com.jamf.config.setup.extension-attribute.name</key>
    <string>Jamf Setup Choice</string>

    <!-- BRANDING -->

    <key>com.jamf.config.ui.main-page.title</key>
    <string>Single Log Out</string>
    <key>com.jamf.config.ui.main-page.text</key>
    <string>Logging out of Jamf Reset prepares this device for the next employee.</string>
    <key>com.jamf.config.reset.error.general.text</key>
    <string>Unknown Error. Contact your IT administrator.</string>
    <key>com.jamf.config.ui.main-page.button.text</key>
    <string>Tap here to end your shift</string>
    <key>com.jamf.config.ui.main-page.button.text.color</key>
    <string>#F8F8F8</string>
    <key>com.jamf.config.ui.main-page.button.color</key>
    <string>#E8573F</string>
    <key>com.jamf.config.ui.background.color</key>
    <string>#F8F8F8</string>
    <key>com.jamf.config.ui.text.color</key>
    <string>#444444</string>

    <!-- Demo mode will only restart the device instead of wiping it
    <key>com.jamf.config.demo-mode</key>
    <false/>
    -->

    <!-- Timeout will adjust how long the app tries to reach the Jamf Pro Server
    before giving up
    <key>com.jamf.config.jamfpro.http-timeout</key>
    <real>15.0</real>
    -->
</dict>
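As an added example (not part of this guide and not Jamf's own tooling), the following Python script parses a managed app config of the shape shown above and flags the slips that most often reach production: unresolved placeholders, an authority URI that is not HTTPS on login.microsoftonline.com, demo mode left on so Jamf Reset restarts instead of wiping, and an extension attribute name that differs from the one given to Jamf Setup. The required-key list, the placeholder patterns and the sample config are assumptions constructed for this example.

```python
import plistlib
import re
from urllib.parse import urlparse

# Constructed sample (not a real deployment): a Jamf Reset managed app config
# shaped like the guide's, seeded with a few mistakes an admin could ship.
SAMPLE_RESET_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.jamf.config.jamfpro.url</key><string>$JPS_URL</string>
<key>com.jamf.config.jamfpro.device-id</key><string>$JSSID</string>
<key>com.jamf.config.oauth.authorization-code</key><string>$OAUTH_AUTH_CODE</string>
<key>com.jamf.config.reinstall-code</key><string>$APP_CONFIG_REINSTALL_CODE</string>
<key>com.jamf.config.sso.login-type</key><string>AZURE</string>
<key>com.jamf.config.sso.client-id</key><string>YOURS GOES HERE</string>
<key>com.jamf.config.sso.authority-uri</key><string>http://login.microsoftonline.com/YOURS GOES HERE</string>
<key>com.jamf.config.setup.extension-attribute.name</key><string>Jamf Setup Choice</string>
<key>com.jamf.config.demo-mode</key><true/>
</dict></plist>"""

# Keys the guide's REQUIRED and AZURE sections rely on (assumed list).
REQUIRED_KEYS = (
    "com.jamf.config.jamfpro.url",
    "com.jamf.config.jamfpro.device-id",
    "com.jamf.config.oauth.authorization-code",
    "com.jamf.config.reinstall-code",
    "com.jamf.config.sso.login-type",
    "com.jamf.config.sso.client-id",
    "com.jamf.config.sso.authority-uri",
)
# Placeholder spellings used in the guide's examples; $JPS_URL-style Jamf Pro
# variables are substituted at deploy time and are deliberately not matched.
PLACEHOLDER = re.compile(r"_HERE$|GOES HERE|^insert-.*-here$", re.IGNORECASE)


def lint_config(plist_bytes, setup_ea_name=None):
    """Return a list of human-readable findings for one managed app config."""
    cfg = plistlib.loads(plist_bytes)
    findings = [f"missing required key {k}" for k in REQUIRED_KEYS if k not in cfg]
    for key, value in cfg.items():
        if isinstance(value, str) and PLACEHOLDER.search(value):
            findings.append(f"{key} still holds placeholder {value!r}")
    authority = urlparse(cfg.get("com.jamf.config.sso.authority-uri", ""))
    if authority.scheme != "https" or authority.hostname != "login.microsoftonline.com":
        findings.append("sso.authority-uri must be https://login.microsoftonline.com/<tenant>")
    if cfg.get("com.jamf.config.demo-mode") is True:
        findings.append("demo-mode is on: Jamf Reset will restart the device instead of wiping it")
    ea_name = cfg.get("com.jamf.config.setup.extension-attribute.name")
    if setup_ea_name is not None and ea_name != setup_ea_name:
        findings.append(f"extension attribute {ea_name!r} differs from Jamf Setup's {setup_ea_name!r}")
    return findings
```

Run it over the exported Jamf Setup and Jamf Reset configs before assigning them to a device scope, passing the Setup config's extension attribute name as `setup_ea_name` so the two stay aligned.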

Step 4: Deploy Applications to devices

Instructions for installing applications through Jamf Pro can be found here

Step 5: Sign into Microsoft Authenticator

Microsoft Authenticator currently needs to be signed in with an Azure admin account on each device. To do this, simply navigate to the Microsoft Authenticator app and use your admin credentials within the app on the device.

Once all settings are properly defined through Managed App Config and the apps are installed on the device, the SSO process is ready to be tested. Navigate to the Jamf Setup application; there should be a prompt to sign in a user.

What’s Next

Further explanation for components listed above can be found here: