Guide for SSO with Jamf Setup

Overview

Jamf Setup can be used to start the sign-in process and sign the end user in to additional applications. The steps below walk through the configuration of each component. To use this process, your application must support the required libraries (see the Authentication Libraries page for more information).

Step 1: Add Applications to Jamf Pro

Add these applications to Jamf Pro:

  • Microsoft Authenticator
  • Jamf Setup
  • Jamf Reset
  • Additional Applications that can be signed in through SSO

Directions on adding applications to Jamf Pro can be found here

Step 2: Integrating with Entra ID

  • App Registration - applications using the Single Login workflow will need to be registered within Azure's App Registrations section. Please refer to the Jamf Setup Configuration Guide for step-by-step instructions. Important items to note or define in this section are Directory/Tenant ID, Application/Client ID, redirect URI, and Roles.
  • Roles - defined within the App Registration section and assigned to users and groups within the Enterprise Application Settings section of Azure. For Jamf Setup, these roles are used to help identify the end user's role within the organization. If multiple roles are available, Jamf Setup will prompt the end user to select from the list of roles to define their role for that login session. These role values are mapped to an extension attribute in Jamf.
  • Enterprise Application Settings - Roles are assigned to Azure AD users and groups within the Enterprise Application Settings of the registered application.

Information on creating app registrations, roles, and access within Azure can be found here

Step 3 (Workflow for Jamf Pro 11.13 or later): Enable Shared Mode in Device Compliance

Note: Complete these steps prior to deploying Jamf Setup, Jamf Reset, or Authenticator. These are required steps before those apps will function properly.

Beginning in Jamf Pro 11.13, it is possible to enable Shared Device mode programmatically, without needing to physically touch each device to enable that setting.

Setup Device Compliance

  • Navigate to Jamf Pro > Settings > Device Compliance
  • Select Shared Devices
    • Define the group of devices to be targeted for Shared Device Mode
    • Set Sovereign Cloud to Global
    • Set Allowed Duration of Inactivity to 120
  • From here you will be redirected to an Entra ID login page. You must have sufficient privileges to grant the Device Compliance permissions.
  • Allow the permissions requested
  • Open Microsoft Endpoint Manager when presented with that option. Keep this tab open as it will be necessary moving forward.
  • Follow these steps to complete the Entra side of the integration
  • Once complete navigate to the saved tab and click Confirm

Once these steps are completed Jamf Pro should display that the registration is approved and enabled.

Step 4: Deploy Applications to devices

  • Create a smart group in Jamf Pro with the criteria “Device Compliance Integration - Registration Status IS Registered”
  • Scope Authenticator, Jamf Setup, and Jamf Reset to that smart group.

Instructions for installing applications through Jamf Pro can be found here
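The Step 4 smart group can also be created through the Jamf Pro Classic API instead of the web console. The following is an added example and not code from the Jamf guide; it assumes the Classic API's mobile device group endpoint and XML field names as I know them (verify against your Jamf Pro version's API documentation), a bearer token obtained beforehand from the Jamf Pro API, and a constructed placeholder group name.

```python
"""Create the Step 4 smart group through the Jamf Pro Classic API.

Assumptions (not from the guide): POST /JSSResource/mobiledevicegroups/id/0
creates a new group (id 0 = create), and the caller already holds a bearer
token. The criterion text is the one the guide specifies.
"""
import urllib.request
import xml.etree.ElementTree as ET

CRITERION_NAME = "Device Compliance Integration - Registration Status"
GROUP_NAME = "Entra Registered Devices"  # constructed placeholder name


def build_smart_group_xml(group_name: str, criterion: str, value: str) -> bytes:
    """Return the XML body for a mobile device smart group with one criterion."""
    root = ET.Element("mobile_device_group")
    ET.SubElement(root, "name").text = group_name
    ET.SubElement(root, "is_smart").text = "true"
    crit = ET.SubElement(ET.SubElement(root, "criteria"), "criterion")
    ET.SubElement(crit, "name").text = criterion
    ET.SubElement(crit, "priority").text = "0"
    ET.SubElement(crit, "and_or").text = "and"
    ET.SubElement(crit, "search_type").text = "is"   # matches "IS" in the guide
    ET.SubElement(crit, "value").text = value
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_criteria(body: bytes) -> list:
    """Read the criteria back out of a group XML body (built here or fetched via GET)."""
    root = ET.fromstring(body)
    return [{child.tag: (child.text or "") for child in c}
            for c in root.findall("./criteria/criterion")]


def create_smart_group(base_url: str, bearer_token: str, body: bytes) -> int:
    """POST the group to Jamf Pro and return the id assigned to it."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/JSSResource/mobiledevicegroups/id/0",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/xml", "Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return int(ET.fromstring(resp.read()).findtext("id"))


if __name__ == "__main__":
    # Build and show the body; pass it to create_smart_group() with your
    # Jamf Pro URL and token to actually create the group.
    print(build_smart_group_xml(GROUP_NAME, CRITERION_NAME, "Registered").decode())
```

Scope Authenticator, Jamf Setup, and Jamf Reset to the resulting group exactly as you would for one created in the console.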


What’s Next

Further explanation for components listed above can be found here: