Guide for SSO with Jamf Setup
Overview
Jamf Setup can be used to start the sign-in process and then sign the user in to additional applications. The steps below walk through the configuration of each component. To use this workflow, your application must support the required libraries (see the Authentication Libraries page for more information).
Step 1: Add Applications to Jamf Pro
Add these applications to Jamf Pro:
- Microsoft Authenticator
- Jamf Setup
- Jamf Reset
- Additional Applications that can be signed in through SSO
Directions on adding applications to Jamf Pro can be found here
Step 2: Integrating with Azure
- App Registration - applications using the Single Login workflow will need to be registered within Azure's App Registrations section. Please refer to the Jamf Setup Configuration Guide for step-by-step instructions. Important items to note or define in this section are Directory/Tenant ID, Application/Client ID, redirect URI, and Roles.
- Roles - defined within the App Registration section and assigned to users and groups within the Enterprise Application Settings section of Azure. For Jamf Setup, these roles identify the end user's role within the organization. If multiple roles are available, Jamf Setup prompts the end user to select one from the list, and that selection defines their role for the login session. The selected role value is mapped to an extension attribute in Jamf Pro.
- Enterprise Application Settings - Roles are assigned to Azure AD users and groups within the Enterprise Application Settings of the registered application.
Information on creating app registrations, roles, and access within Azure can be found here
Step 3: Add Necessary Managed App Configurations to Jamf Pro
Managed App Configurations are a way for an MDM to define settings within an application installed on devices. The configurations below are used to configure the applications needed to complete the SSO workflow with Jamf Setup.
Microsoft Authenticator
A Managed App Config is needed to put the Microsoft Authenticator app into shared device mode. This configuration can be used as is.
<dict>
<key>sharedDeviceMode</key>
<true/>
</dict>
Jamf Setup
An example Managed App Configuration for Jamf Setup is shown below. Some fields are specific to each environment, such as "com.jamf.config.sso.client-id". You can view more information about each key here:
<dict>
<key>com.jamf.config.jamfpro.url</key>
<string>$JPS_URL</string>
<key>com.jamf.config.jamfpro.device-id</key>
<string>$JSSID</string>
<key>com.jamf.config.oauth.authorization-code</key>
<string>$OAUTH_AUTH_CODE</string>
<key>com.jamf.config.reinstall-code</key>
<string>$APP_CONFIG_REINSTALL_CODE</string>
<key>com.jamf.config.setup.extension-attribute.name</key>
<string>insert-name-here</string>
<key>com.jamf.config.setup.extension-attribute.options</key>
<array>
<string>insert-option-one-here</string>
<string>insert-option-two-here</string>
<string>insert-option-three-here</string>
<string>insert-option-four-here</string>
</array>
<key>com.jamf.config.sso.login-type</key>
<string>AZURE</string>
<key>com.jamf.config.sso.client-id</key>
<string>CLIENT_ID_HERE</string>
<key>com.jamf.config.sso.authority-uri</key>
<string>URI_HERE</string>
<key>com.jamf.config.ui.header-image.url</key>
<string>https://resources.jamf.com/images/logos/Jamf-color.png</string>
<key>com.jamf.config.ui.main-page.title</key>
<string>Make a Selection</string>
<key>com.jamf.config.ui.main-page.text</key>
<string>Select the appropriate role below, and then tap Submit to configure your device</string>
<key>com.jamf.config.ui.text.color</key>
<string>#444444</string>
<key>com.jamf.config.ui.main-page.button.text</key>
<string>Submit</string>
<key>com.jamf.config.ui.main-page.button.color</key>
<string>#37BB9A</string>
<key>com.jamf.config.ui.main-page.button.text.color</key>
<string>#F8F8F8</string>
<key>com.jamf.config.ui.success-page.title</key>
<string>Success</string>
<key>com.jamf.config.ui.background.color</key>
<string>#F8F8F8</string>
</dict>
Jamf Reset
An example Managed App Configuration for Jamf Reset is shown below. Some fields are specific to each environment, such as "com.jamf.config.sso.client-id". You can view more information about each key here:
<dict>
<!-- REQUIRED SECTION -->
<key>com.jamf.config.jamfpro.url</key>
<string>$JPS_URL</string>
<key>com.jamf.config.jamfpro.device-id</key>
<string>$JSSID</string>
<key>com.jamf.config.oauth.authorization-code</key>
<string>$OAUTH_AUTH_CODE</string>
<key>com.jamf.config.reinstall-code</key>
<string>$APP_CONFIG_REINSTALL_CODE</string>
<key>com.jamf.config.legacy-compatibility</key>
<false/>
<!-- AZURE SECTION - GET CLIENT ID AND AUTHORITY URI FROM AZURE ADMIN -->
<key>com.jamf.config.sso.login-type</key>
<string>AZURE</string>
<key>com.jamf.config.sso.client-id</key>
<string>YOURS GOES HERE</string>
<key>com.jamf.config.sso.authority-uri</key>
<string>https://login.microsoftonline.com/YOUR-TENANT-ID-GOES-HERE</string>
<!-- ENABLES END SHIFT WITHOUT A DEVICE WIPE -->
<key>com.jamf.config.reset.soft-reset</key>
<true/>
<!-- SAME EXTENSION ATTRIBUTE AS SETUP -->
<key>com.jamf.config.setup.extension-attribute.name</key>
<string>Jamf Setup Choice</string>
<!-- BRANDING -->
<key>com.jamf.config.ui.main-page.title</key>
<string>Single Log Out</string>
<key>com.jamf.config.ui.main-page.text</key>
<string>Logging out of Jamf Reset prepares this device for the next employee.</string>
<key>com.jamf.config.reset.error.general.text</key>
<string>Unknown Error. Contact your IT administrator.</string>
<key>com.jamf.config.ui.main-page.button.text</key>
<string>Tap here to end your shift</string>
<key>com.jamf.config.ui.main-page.button.text.color</key>
<string>#F8F8F8</string>
<key>com.jamf.config.ui.main-page.button.color</key>
<string>#E8573F</string>
<key>com.jamf.config.ui.background.color</key>
<string>#F8F8F8</string>
<key>com.jamf.config.ui.text.color</key>
<string>#444444</string>
<!-- Demo mode will only restart the device instead of wiping it
<key>com.jamf.config.demo-mode</key>
<false/> -->
<!-- Timeout will adjust how long the app tries to reach the Jamf Pro Server
before giving up
<key>com.jamf.config.jamfpro.http-timeout</key>
<real>15.0</real> -->
</dict>
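As an added check (example code written for this page, not Jamf's or Microsoft's), the script below parses the three Managed App Configurations above with Python's plistlib and flags the mistakes that break this workflow: template placeholders left in the SSO keys, an authority URI that does not pin a tenant, a Jamf Reset config that writes a different extension attribute than Jamf Setup, and an Authenticator config that does not enable shared device mode. The required-key list and the Jamf Pro payload variables are taken from the sample configurations on this page; the GUID form of the client ID and the login.microsoftonline.com prefix assume the Azure public cloud; the placeholder heuristic and the tenant-pinning warning are this example's own assumptions; the sample configs and their GUIDs are constructed, not real values.

```python
"""Sanity checks for the Managed App Configurations in the Jamf Setup SSO workflow.

Added example, not Jamf's or Microsoft's code. Required keys come from the sample
configs on this page; GUID client IDs and the login.microsoftonline.com authority
prefix are how Azure AD identifies app registrations and tenants (public cloud assumed).
"""
import plistlib
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
AUTHORITY_PREFIX = "https://login.microsoftonline.com/"  # Azure public cloud assumed
# Keys both apps need, with the Jamf Pro payload variables this page uses for them.
COMMON_REQUIRED = {
    "com.jamf.config.jamfpro.url": "$JPS_URL",
    "com.jamf.config.jamfpro.device-id": "$JSSID",
    "com.jamf.config.oauth.authorization-code": "$OAUTH_AUTH_CODE",
    "com.jamf.config.reinstall-code": "$APP_CONFIG_REINSTALL_CODE",
}
EA_NAME = "com.jamf.config.setup.extension-attribute.name"
EA_OPTIONS = "com.jamf.config.setup.extension-attribute.options"
SSO_KEYS = ("com.jamf.config.sso.login-type", "com.jamf.config.sso.client-id", "com.jamf.config.sso.authority-uri")


def load_app_config(xml_text: str) -> dict:
    """Jamf Pro takes a bare <dict>; plistlib wants a full plist document, so wrap one if needed."""
    body = xml_text.strip()
    if not body.startswith(("<?xml", "<plist")):
        body = '<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">' + body + "</plist>"
    cfg = plistlib.loads(body.encode("utf-8"))
    if not isinstance(cfg, dict):
        raise ValueError("managed app config must be a <dict>")
    return cfg


def is_placeholder(value) -> bool:
    # Assumption: a value still reading "...HERE" (CLIENT_ID_HERE, YOURS GOES HERE) was never filled in.
    return not isinstance(value, str) or "here" in value.lower()


def check_common(cfg: dict, app: str) -> list:
    """The keys Jamf Pro fills in at deployment must still be the payload variables."""
    return [f"{app}: {k} should be the Jamf Pro variable {v}" for k, v in COMMON_REQUIRED.items() if cfg.get(k) != v]


def check_azure_sso(cfg: dict, app: str) -> list:
    findings = [f"{app}: missing {k}" for k in SSO_KEYS if k not in cfg]
    if findings:
        return findings
    if cfg["com.jamf.config.sso.login-type"] != "AZURE":
        findings.append(f"{app}: login-type must be AZURE for this workflow")
    client_id = cfg["com.jamf.config.sso.client-id"]
    if is_placeholder(client_id) or not GUID_RE.match(client_id):
        findings.append(f"{app}: client-id is not an Application (client) ID GUID")
    authority = str(cfg["com.jamf.config.sso.authority-uri"])
    tenant = authority[len(AUTHORITY_PREFIX):].strip("/") if authority.startswith(AUTHORITY_PREFIX) else ""
    if not tenant or is_placeholder(tenant):
        findings.append(f"{app}: authority-uri must be {AUTHORITY_PREFIX}<Directory (tenant) ID>")
    elif tenant.lower() in ("common", "organizations", "consumers"):
        # Assumption: shared devices belong to one tenant, so pin the authority to it, not a multi-tenant endpoint.
        findings.append(f"{app}: authority-uri should name your Directory (tenant) ID, not '{tenant}'")
    return findings


def check_workflow(setup_xml: str, reset_xml: str, authenticator_xml: str) -> list:
    """Check all three configs plus the cross-app requirements this page states."""
    setup, reset, auth = (load_app_config(x) for x in (setup_xml, reset_xml, authenticator_xml))
    findings = check_common(setup, "Setup") + check_azure_sso(setup, "Setup")
    findings += check_common(reset, "Reset") + check_azure_sso(reset, "Reset")
    if auth.get("sharedDeviceMode") is not True:
        findings.append("Authenticator: sharedDeviceMode must be <true/>")
    options = setup.get(EA_OPTIONS)
    if not isinstance(options, list) or not options or any(is_placeholder(o) for o in options):
        findings.append("Setup: extension-attribute.options needs at least one real role value")
    if is_placeholder(setup.get(EA_NAME)):
        findings.append("Setup: extension-attribute.name is not set")
    elif setup[EA_NAME] != reset.get(EA_NAME):
        findings.append("Reset must write the same extension attribute that Setup does")
    if "com.jamf.config.legacy-compatibility" not in reset:
        findings.append("Reset: missing com.jamf.config.legacy-compatibility")
    return findings


# Constructed samples: the client ID and tenant ID are made-up GUIDs, not real Azure values.
SETUP_XML = """<dict>
<key>com.jamf.config.jamfpro.url</key><string>$JPS_URL</string>
<key>com.jamf.config.jamfpro.device-id</key><string>$JSSID</string>
<key>com.jamf.config.oauth.authorization-code</key><string>$OAUTH_AUTH_CODE</string>
<key>com.jamf.config.reinstall-code</key><string>$APP_CONFIG_REINSTALL_CODE</string>
<key>com.jamf.config.setup.extension-attribute.name</key><string>Jamf Setup Choice</string>
<key>com.jamf.config.setup.extension-attribute.options</key>
<array><string>Nurse</string><string>Physician</string></array>
<key>com.jamf.config.sso.login-type</key><string>AZURE</string>
<key>com.jamf.config.sso.client-id</key><string>11111111-2222-3333-4444-555555555555</string>
<key>com.jamf.config.sso.authority-uri</key><string>https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
</dict>"""
RESET_XML = SETUP_XML.replace("<dict>", "<dict><key>com.jamf.config.legacy-compatibility</key><false/>", 1)
# A Reset config that drifted from Setup: different extension attribute and a multi-tenant authority.
DRIFTED_RESET_XML = RESET_XML.replace("Jamf Setup Choice", "Reset Choice").replace("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "common")
AUTHENTICATOR_XML = "<dict><key>sharedDeviceMode</key><true/></dict>"

if __name__ == "__main__":
    print("clean:", check_workflow(SETUP_XML, RESET_XML, AUTHENTICATOR_XML))
    for finding in check_workflow(SETUP_XML, DRIFTED_RESET_XML, AUTHENTICATOR_XML):
        print("drifted:", finding)
```

Run it against the three plists before Step 4: an empty list means nothing from the template was left unfilled and the Setup and Reset configs agree on the extension attribute they write, which is what keeps the role recorded at sign-in and cleared at end of shift consistent.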
Step 4: Deploy Applications to devices
Instructions for installing applications through Jamf Pro can be found here
Step 5: Sign into Microsoft Authenticator
Microsoft Authenticator currently needs to be signed in with an Azure admin account on each device; this admin sign-in is what registers the device for shared device mode, so it is done once per device rather than by each end user. To do this, open the Microsoft Authenticator app on the device and sign in with your admin credentials.
Once all settings are defined through Managed App Config and the apps are installed on the device, the SSO process is ready to be tested. Open the Jamf Setup application; it should prompt a user to sign in.
Further explanation of the components listed above can be found here.