In this tutorial, you will learn how to integrate Jamf Pro with Azure Active Directory (Azure AD). When you integrate Jamf Pro with Azure AD, you can:
- Use Azure AD to control who has access to Jamf Pro.
- Automatically sign in your users to Jamf Pro with their Azure AD accounts.
- Manage your accounts in one central location: the Azure portal.
Prerequisites
To get started, you need the following items:
- An Azure AD subscription. If you don't have a subscription, you can get a free account.
- A Jamf Pro subscription that is activated with single sign-on (SSO).
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
- Jamf Pro supports SP-initiated and IdP-initiated SSO.
Add Jamf Pro from the gallery
To configure the integration of Jamf Pro into Azure AD, you need to add Jamf Pro from the gallery to your list of managed SaaS apps.
- Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
- In the left pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- To add a new application, select New application.
- In the Add from the gallery section, type Jamf Pro in the search box.
- Select Jamf Pro from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Alternatively, you can also use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration. Learn more about Microsoft 365 wizards.
Configure and test Azure AD SSO for Jamf Pro
Configure and test Azure AD SSO with Jamf Pro using a test user named B.Simon. For SSO to work, you must establish a link relationship between an Azure AD user and the related user in Jamf Pro.
In this section, you configure and test Azure AD SSO with Jamf Pro.
- Configure SSO in Azure AD, so your users can use this feature.
- Create a test Azure AD user, to test Azure AD SSO with the B.Simon account.
- Assign the Azure AD test user, so that B.Simon can use Azure AD SSO.
- Configure SSO in Jamf Pro, to configure the SSO settings on the application side.
- Create a Jamf Pro test user, to have a counterpart of B.Simon in Jamf Pro that is linked to the Azure AD representation of the user.
- Test the SSO configuration, to verify that the configuration works.
Configure SSO in Azure AD
In this section, you enable Azure AD SSO in the Azure portal.
- In the Azure portal, on the Jamf Pro application integration page, find the Manage section and select Single sign-on.
- On the Select a single sign-on method page, select SAML.
- On the Set up Single Sign-On with SAML page, select the pencil icon for Basic SAML Configuration to edit the settings.
- In the Basic SAML Configuration section, if you want to configure the application in IdP-initiated mode, enter the values for the following fields:
  a. In the Identifier text box, enter a URL that uses the following pattern: https://<subdomain>.jamfcloud.com/saml/metadata
  b. In the Reply URL text box, enter a URL that uses the following pattern: https://<subdomain>.jamfcloud.com/saml/SSO
- Select Set additional URLs. If you want to configure the application in SP-initiated mode, in the Sign-on URL text box, enter a URL that uses the following pattern: https://<subdomain>.jamfcloud.com
Note
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-on URL. You get the actual Identifier value from the Single Sign-On section in the Jamf Pro portal, which is explained later in the tutorial. You can extract the subdomain value from the Identifier value and use that subdomain in the Sign-on URL and Reply URL. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
- On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the copy button to copy the App Federation Metadata Url and save it on your computer.
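As an added example (not part of the tutorial and not Jamf's or Microsoft's code), the script below derives the three Basic SAML Configuration values from a Jamf Cloud subdomain using the URL patterns above, and cross-checks them against the SP metadata document that the Identifier URL points to. The metadata embedded here is a constructed stand-in with the placeholder subdomain contoso; nothing is fetched from the network.

```python
"""Derive and cross-check the Basic SAML Configuration values for Jamf Pro.

Added example, not code from the tutorial. It assumes the URL patterns the
tutorial gives (https://<subdomain>.jamfcloud.com/saml/metadata, .../saml/SSO
and https://<subdomain>.jamfcloud.com) and a CONSTRUCTED SP metadata document
standing in for what Jamf Pro publishes; 'contoso' is a placeholder subdomain.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


@dataclass(frozen=True)
class BasicSamlConfig:
    identifier: str   # Identifier (Entity ID) field in the Azure portal
    reply_url: str    # Reply URL (Assertion Consumer Service URL)
    sign_on_url: str  # Sign-on URL, only needed for SP-initiated mode


def expected_config(subdomain: str) -> BasicSamlConfig:
    """Build the three values the tutorial tells you to enter in Azure AD."""
    if not subdomain or "." in subdomain or "/" in subdomain:
        raise ValueError("subdomain must be a single DNS label, e.g. 'contoso'")
    base = f"https://{subdomain}.jamfcloud.com"
    return BasicSamlConfig(
        identifier=f"{base}/saml/metadata",
        reply_url=f"{base}/saml/SSO",
        sign_on_url=base,
    )


def parse_sp_metadata(xml_text: str) -> tuple[str, list[str]]:
    """Return (entityID, [AssertionConsumerService locations using HTTP-POST])."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.attrib["entityID"]
    acs_locations = [
        el.attrib["Location"]
        for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
        if el.attrib.get("Binding") == SAML_POST_BINDING
    ]
    return entity_id, acs_locations


def check_against_metadata(cfg: BasicSamlConfig, xml_text: str) -> list[str]:
    """Return the mismatches found; an empty list means the portal values agree with the SP."""
    entity_id, acs_locations = parse_sp_metadata(xml_text)
    problems = []
    if entity_id != cfg.identifier:
        problems.append(f"Identifier {cfg.identifier!r} != SP entityID {entity_id!r}")
    if cfg.reply_url not in acs_locations:
        problems.append(f"Reply URL {cfg.reply_url!r} not among SP ACS endpoints {acs_locations}")
    # Assertions carry identity; an ACS endpoint that is not HTTPS would expose them in transit.
    for url in acs_locations:
        if not url.startswith("https://"):
            problems.append(f"ACS endpoint {url!r} is not HTTPS")
    return problems


# CONSTRUCTED sample of an SP EntityDescriptor; the values are placeholders, not Jamf's real metadata.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://contoso.jamfcloud.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://contoso.jamfcloud.com/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    cfg = expected_config("contoso")
    print(cfg)
    print(check_against_metadata(cfg, SAMPLE_SP_METADATA) or "OK: portal values match the SP metadata")
```

To use it against a real tenant, fetch the Identifier URL yourself and pass the response body to check_against_metadata; an Identifier or Reply URL that does not match what the SP publishes is the usual reason a SAML response is rejected.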
Create a test Azure AD user
In this section, you create a test user in the Azure portal named B.Simon.
- In the left pane of the Azure portal, select Azure Active Directory, select Users, and then select All users.
- Select New user at the top of the screen.
- In the User properties, follow these steps:
  a. In the Name field, enter B.Simon.
  b. In the User name field, enter [name]@[company domain].[extension]. For example, B.Simon@contoso.com.
  c. Select the Show password check box, and then note the value that is displayed in the Password box.
  d. Select Create.
Assign the Azure AD test user
In this section, you grant B.Simon access to Jamf Pro.
- In the Azure portal, select Enterprise Applications, and then select All applications.
- In the applications list, select Jamf Pro.
- On the app's overview page, find the Manage section and select Users and groups.
- Select Add user, then select Users and groups in the Add Assignment dialog box.
- In the Users and groups dialog box, select B.Simon from the Users list, and then select the Select button at the bottom of the screen.
- If you expect a role to be assigned to the users, you can select it from the Select a role drop-down list. If no role has been set up for this application, the "Default Access" role is selected.
- In the Add Assignment dialog box, select the Assign button.
Configure SSO in Jamf Pro
To automate the configuration in Jamf Pro, install the My Apps Secure Sign-in browser extension by selecting Install the extension.
After you add the extension to the browser, select Set up Jamf Pro. When the Jamf Pro app opens, provide your administrator credentials to sign in. The browser extension automatically configures the application and automates steps 3 to 7.
To set up Jamf Pro manually, open a new browser window and sign in to your Jamf Pro company site as an administrator. Then follow the steps below.
- Select the Settings icon in the top-right corner of the page.
- Select Single Sign-On.
- On the Single Sign-On page, follow these steps:
  a. Select Edit.
  b. Select the Enable Single Sign-On Authentication check box.
  c. Select Azure as an option from the Identity Provider drop-down menu.
  d. Copy the ENTITY ID value and paste it into the Identifier (Entity ID) field in the Basic SAML Configuration section in the Azure portal.
  Note
  Use the value in this field to fill in the Sign-on URL and the Reply URL in the Basic SAML Configuration section in the Azure portal.
  e. Select Metadata URL from the Identity Provider Metadata Source drop-down menu. In the field that appears, paste the App Federation Metadata Url value that you copied from the Azure portal.
  f. (Optional) Edit the token expiration value or select "Disable SAML token expiration".
- On the same page, scroll down to the User Mapping section. Then follow these steps:
  a. Select the NameID option for IDENTITY PROVIDER USER MAPPING. By default, this option is set to NameID, but you can define a custom attribute.
  b. Select Email for JAMF PRO USER MAPPING. Jamf Pro maps the SAML attributes sent by the IdP first to users and then to groups. When a user tries to access Jamf Pro, Jamf Pro obtains information about the user from the identity provider and matches it against all Jamf Pro user accounts. If the incoming user account is not found, Jamf Pro then tries to match it by group name.
  c. Paste the value http://schemas.microsoft.com/ws/2008/06/identity/claims/groups into the IDENTITY PROVIDER GROUP ATTRIBUTE NAME field.
  d. On the same page, scroll down to the Security section and select Allow users to bypass the Single Sign-On authentication. As a result, users are not redirected to the identity provider's sign-in page for authentication and can sign in to Jamf Pro directly. When a user tries to access Jamf Pro through the identity provider, IdP-initiated SSO authentication and authorization occurs.
  e. Select Save.
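The user-then-group matching order described in the User Mapping steps, as an added example that is not part of the tutorial and not Jamf's or Microsoft's code. It assumes the mapping chosen above (IdP user mapping NameID, Jamf Pro user mapping Email, and the Azure AD groups claim as the group attribute) and uses constructed account tables and a constructed, unsigned SAML assertion. Signature validation, which the SP performs with the IdP signing certificate from the federation metadata, is outside this model.

```python
"""Model of the user-then-group account matching the tutorial describes for Jamf Pro.

Added example, not Jamf's or Microsoft's code. The account tables and the SAML
assertion are CONSTRUCTED; the groups claim name is the one from the tutorial.
Only the matching order is modelled, not the rest of Jamf Pro's behaviour.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute name the tutorial tells you to enter as IDENTITY PROVIDER GROUP ATTRIBUTE NAME.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def extract_subject_and_attributes(assertion_xml: str) -> tuple[str, dict[str, list[str]]]:
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 Assertion element."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("expected a saml:Assertion root element")
    name_id = root.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID", default="").strip()
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.attrib["Name"], []).extend(values)
    return name_id, attrs


def resolve_account(assertion_xml: str,
                    users_by_email: dict[str, str],
                    groups_by_claim_value: dict[str, str]) -> Optional[tuple[str, str]]:
    """Apply the tutorial's order: match a user account first, then fall back to a group.

    Returns ("user", username), ("group", group name), or None when nothing matches.
    """
    name_id, attrs = extract_subject_and_attributes(assertion_xml)
    if not name_id:
        return None
    # 1. User mapping: the NameID sent by Azure AD is compared with each Jamf Pro account's email.
    user = users_by_email.get(name_id.lower())
    if user is not None:
        return ("user", user)
    # 2. Group mapping: each value of the groups claim is compared with the Jamf Pro group names.
    #    Azure AD emits group object IDs in this claim by default, so the Jamf Pro group name
    #    has to equal what the claim actually carries.
    for value in attrs.get(GROUPS_CLAIM, []):
        if value in groups_by_claim_value:
            return ("group", groups_by_claim_value[value])
    return None


# CONSTRUCTED Jamf Pro account tables (emails lower-cased so matching is case-insensitive).
USERS_BY_EMAIL = {"b.simon@contoso.com": "Britta Simon"}
GROUPS_BY_CLAIM_VALUE = {"11111111-1111-1111-1111-111111111111": "Jamf Admins"}


def sample_assertion(name_id: str, group_values: list[str]) -> str:
    """Build a CONSTRUCTED, unsigned assertion with the attribute shape Azure AD uses."""
    group_xml = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_values)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_placeholder" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUPS_CLAIM}">{group_xml}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    known_group = "11111111-1111-1111-1111-111111111111"
    print(resolve_account(sample_assertion("B.Simon@contoso.com", []),
                          USERS_BY_EMAIL, GROUPS_BY_CLAIM_VALUE))
    print(resolve_account(sample_assertion("someone@contoso.com", [known_group]),
                          USERS_BY_EMAIL, GROUPS_BY_CLAIM_VALUE))
```

The second lookup is the case the tutorial's text describes: an account that no Jamf Pro user matches is still admitted through its group, so the set of Azure AD groups that appear in the claim, and the Jamf Pro privileges granted to the matching group, deserve the same review as individual user assignments.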
Create a Jamf Pro test user
For Azure AD users to be able to sign in to Jamf Pro, they must be provisioned in Jamf Pro. Provisioning in Jamf Pro is a manual task.
To create a user account, follow these steps:
- Sign in to your Jamf Pro company site as an administrator.
- Select the Settings icon in the upper-right corner of the page.
- Select Jamf Pro User Accounts & Groups.
- Select New.
- Select Create Standard Account.
- In the New Account dialog box, perform the following steps:
  a. In the USERNAME field, enter Britta Simon, the full name of the test user.
  b. Select the options for ACCESS LEVEL, PRIVILEGE SET, and ACCESS STATUS that fit your organization.
  c. In the FULL NAME field, enter Britta Simon.
  d. In the EMAIL ADDRESS field, enter the email address of Britta Simon's account.
  e. In the PASSWORD field, enter the user's password.
  f. In the VERIFY PASSWORD field, re-enter the user's password.
  g. Select Save.
Test the SSO configuration
In this section, you test your Azure AD single sign-on configuration with the following options.
SP initiated:
- Click on Test this application in the Azure portal. This redirects you to the Jamf Pro Sign-on URL, where you can start the sign-in flow.
- Go directly to the Jamf Pro Sign-on URL and start the sign-in flow from there.
IdP initiated:
- Click on Test this application in the Azure portal, and you should be automatically signed in to the Jamf Pro instance for which you set up SSO.
You can also use Microsoft My Apps to test the application in either mode. When you click the Jamf Pro tile in My Apps, if it is configured in SP mode you are redirected to the application sign-on page to start the sign-in flow, and if it is configured in IdP mode you should be automatically signed in to the Jamf Pro instance for which you set up SSO. For more information about My Apps, see Introduction to My Apps.
Next steps
After you configure Jamf Pro, you can enforce session control, which protects your organization's sensitive data from exfiltration and infiltration in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.
FAQs
How do I connect Jamf to Azure AD?
- Click the Azure Active Directory in the left sidebar.
- Click App registrations, and then select your Jamf Connect app registration.
- Click Manifest.
- In the manifest, find "appRoles": [] , and then add your role entries to the manifest. ...
- Click Save.
- In the Azure portal, select Edit in the Basic SAML Configuration section on the Set up single sign-on pane.
- Select Save.
- In the SAML Certificates section, select Download for Certificate (Raw) to download the SAML signing certificate and save it to be used later.
Jamf Connect provides support for Microsoft Azure AD. Integrating Microsoft Azure AD with Jamf Connect involves the following steps: Register Jamf Connect Login with Microsoft Azure. Assign users and designate user roles.
How to implement SSO with Active Directory?
Single sign-on (SSO) solutions allow users to log in to multiple applications with just one set of credentials, eliminating the hassle and risk of managing different combinations of usernames and passwords. To enable single sign-on with Active Directory, you'll need to use ADFS or a third-party tool.
Does Jamf Connect work with Active Directory?
Jamf Connect uses standards-based technologies to connect to Active Directory or single sign-on (SSO).
How to connect Jamf to LDAP?
- Log in to Jamf Pro.
- In the top-right corner of the page, click Settings .
- Click System Settings.
- Click LDAP Servers .
- Click New .
- Select Configure Manually and click Next.
- Use the Connection pane to configure how Jamf Pro connects to the LDAP server.
Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually don't even need to type in their usernames.
Can Azure AD be used for SSO?
With Azure AD, users can conveniently access all their apps with SSO from any location, on any device, from a centralized and branded portal for a simplified user experience and better productivity.
Can Active Directory be used for SSO?
Microsoft Active Directory Federation Services is a platform that can handle single sign-on for many applications outside of the firewall. This platform is flexible for your needs, and it can be a strong solution.
Does Microsoft use Jamf?
Microsoft Intune supports integrating your Jamf Pro deployment to bring device compliance and Conditional Access policies to your macOS devices.
How do I add MDM to Azure AD?
Go to the Azure portal and sign in if needed, then navigate to Azure Active Directory -> Mobility (MDM and MAM) -> Add Application. Select On-Premises MDM (in case of MDM On-Premises) or ManageEngine MDM (in case of MDM Cloud), and then click Add.
What is the difference between Intune and AAD?
AADDS and Intune are completely unrelated. AADDS, like on-prem AD, is a directory service that provides identity and authentication services. GPOs exist as well, but I'd never call GPOs true management or administration of devices. Intune is a management system to configure and control the state of a device.
What is the difference between SSO and AD integration?
AD and SSO are very different; one is an on-prem directory service — the authoritative source of identities, the other a cloud-based, web app identity extension point solution that federates the identities from a core directory to web applications.
What SSO protocols are supported by Azure AD?
Azure AD supports many standardized protocols for authentication and authorization, such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Azure AD also supports password vaulting and automated sign-in capabilities for apps that only support forms-based authentication.
What is the difference between SSO and Active Directory?
With SSO, a user logs in once and gains access to all systems without being prompted to log in again at each of them. Active Directory (AD) is a directory service that provides a central location for network administration and security.
How to connect Active Directory with Azure Active Directory?
- Select. ...
- Select Azure Active Directory, and then select Connect directory.
- Select a directory from the dropdown menu, and then select Connect. ...
- Select Sign out. ...
- Confirm that the process is complete.
 | macOS | Linux
---|---|---
Recommended | Safari |
Minimum Supported | Chrome | Chrome
 | Firefox |
Overview. Jamf Now is a simple-to-use, cloud-based MDM solution to manage Apple devices at work. Jamf Now makes complex tasks simple... Jamf Pro is a comprehensive mobile device management tool for IT pros to manage, deploy and secure their Macs, iPads, iPhones and Apple TVs.
What port does Jamf Pro use for LDAP?
This port is specified in the LDAP server's configuration in Jamf Pro. The most common configurations are port 389 for LDAP and port 636 for LDAPS.
How to connect SSO to LDAP?
- Log into Harness, mouse over Continuous Security, and then click Access Management.
- From the resulting Access Management page, click Authentication Settings.
- From the Authentication Settings page, click Add SSO Providers, then click LDAP.
How to sync Active Directory with LDAP?
Navigate to Administration Services | Applications menu item. Click on the Authentication Profiles button. Select the Default Authentication Profile. Select the LDAP Directory Connector (Active Directory and Domino) option in the Domain Authentication Mechanisms drop-down.
What is the difference between Azure AD and Azure SSO?
Azure AD is designed to manage access to cloud-based applications and servers using modern authentication protocols such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Azure AD Single Sign-On (SSO) is an Azure AD feature that allows users to conveniently log into SaaS applications.
Does Azure AD SSO use SAML?
Azure AD: Enterprise cloud IdP that provides SSO and Multi-factor authentication for SAML apps. It synchronizes, maintains, and manages identity information for users while providing authentication services to relying applications.
What is the difference between SSO and federated SSO?
The key difference between SSO and FIM is that while SSO is designed to authenticate a single credential across various systems within one organization, federated identity management systems offer single access to a number of applications across various enterprises.
What are the different types of SSO in Azure?
Single sign-on options
Choosing an SSO method depends on how the application is configured for authentication. Cloud applications can use federation-based options, such as OpenID Connect, OAuth, and SAML. The application can also use password-based SSO, linked-based SSO, or SSO can be disabled.
Azure AD licensing - SSO for pre-integrated enterprise applications is free. However, the number of objects in your directory and the features you wish to deploy may require more licenses.
Does Microsoft have an SSO solution?
Single sign-on with Azure AD
Enabling SSO with Azure Active Directory (Azure AD) means users can sign-in once to access their Microsoft apps and other cloud, SaaS, and on-premises apps with the same credential.
Because the SSO Client installer for Windows is an MSI file, you can use an Active Directory Group Policy to automatically install it when users log on to your domain from a Windows computer.
What is the difference between Active Directory SSO and LDAP?
What is the difference between SSO and LDAP? SSO is a convenient authentication method that allows users to access multiple applications and systems using just one login. LDAP is the protocol or communication process that enables users to access a network resource through a directory service.
What is the difference between ADFS and Azure AD SSO?
Both Microsoft tools share SSO-like properties, and they each need to work in tandem with on-prem Active Directory (although Azure AD could possibly be used without). The key difference is that AAD is an identity and access management (IAM) solution while AD FS is a security token service (STS).
What is the difference between Jamf and Intune?
Comparison Results: Based on the parameters we compared, Jamf Pro received higher product ratings. Its ease of deployment, its solid set of features, and its service and support all top Microsoft Intune's offerings.
Can Jamf Pro be used from Windows?
The Jamf Pro Installer for Windows installs Apache Tomcat and the Jamf Pro web app. To run the Jamf Pro Installer for Windows, copy it to the server. Then open the installer and follow the onscreen instructions. Note: The installer must be run as an administrator.
Why use Jamf Pro?
Managing iOS devices
Under Devices, Jamf Pro provides a range of tools that help with device configuration, provisioning, user grouping and staging. Administrators can configure policy and device restrictions related to Wi-Fi, passcode and encryption under Configuration Profiles (Figure 2).
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor.
What is the difference between MAM and MDM in Azure AD?
The difference between MDM, MAM, EMM, and UEM
MDM is a way of securing mobile devices such as smartphones and tablets, whereas MAM secures the applications on those devices that are used to access organizational data, such as Outlook, SharePoint, and OneDrive.
To bulk enroll devices for your Azure AD tenant, you create a provisioning package with the Windows Configuration Designer (WCD) app. Applying the provisioning package to corporate-owned devices joins the devices to your Azure AD tenant and enrolls them for Intune management.
What is the difference between Azure AD and Active Directory?
Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider, and it can't be used for other purposes to gain backdoor access. Active Directory doesn't natively support mobile devices without third-party solutions.
What is the difference between AAD tenant and directory?
According to the documentation, a tenant is a container within Azure associated with a company or group of people, and a directory is a container; all directories are mutually exclusive, i.e. what you do in one directory does not affect any other.
What is the difference between AAD managed identity and service principal?
Managed Identity is suitable for scenarios where a single resource needs to access another Azure resource, while Service Principal is suitable for more complex scenarios where multiple resources need to access multiple Azure resources.
What is required for SSO integration?
For SSO implementation to happen, you will need to get these different user directories on the same page. This can be done through various third-party vendors that have developed a single point of integration to use across all of your different platforms.
What is the difference between API and SSO?
SSO vs API summary
SSO streamlines your user experience when accessing other applications. It's a set of Single Sign-On credentials associated with each user. API is all about data automation. It keeps your data in sync and automates pulling data out of a system to generate reports.
SSO works based upon a trust relationship set up between an application, known as the service provider, and an identity provider, like OneLogin. This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider.
What protocol is most used for standard SSO cloud application integrations?
SAML. Security Assertion Markup Language, or SAML, is an open-standard identity management protocol commonly used for single sign-on (SSO), which allows users to share the same credentials across different services and applications.
Does Azure SSO require MFA?
Yes. Azure AD Multi-Factor Authentication is required at sign-in.
Which protocols are not supported by Azure AD?
Azure AD uses protocols such as SAML and OAuth 2.0. It does not support NTLM, Kerberos or LDAP (Lightweight Directory Access Protocol).
What is the difference between authentication and SSO?
Authentication: process of an entity (the Principal) proving its identity to another entity (the System). Single Sign On (SSO): characteristic of an authentication mechanism that relates to the user's identity being used to provide access across multiple Service Providers.
What are the two types of Active Directory Domain Services user accounts?
Active Directory has two forms of common security principals: user accounts and computer accounts. These accounts represent a physical entity that is either a person or a computer. A user account can also be used as a dedicated service account for some applications.
How do I add a Mac device to Azure AD?
The Active Directory connector allows the Mac to access basic account information on a Windows server running Windows 2000 or later. It is not possible to join a Mac device to Azure AD. But it is possible to enroll your devices using Intune, which might be the best option for your scenario.
How do I connect Apple School Manager to Azure AD?
Configure Apple School Manager to support provisioning with Azure AD. In Apple School Manager, sign in with an account that has the role of Administrator, Site Manager, or People Manager. Click Settings at the bottom of the sidebar, click Data Source below Organization Settings, then click Connect to Data Source.
How do I connect a device to Azure AD?
Open Settings, and then select Accounts. Select Access work or school, and then select Connect. On the Set up a work or school account screen, select Join this device to Azure Active Directory.
Can a single Microsoft account be used to manage multiple Azure subscriptions?
Users are those accounts that sign in to Azure to create, manage, and use resources. A user may have access to multiple subscriptions, but a user is only associated with a single tenant. Subscriptions are the agreements with Microsoft to use cloud services, including Azure.
Can I use Azure Active Directory for Mac?
The short answer is yes — you can bind Mac to Azure.
What devices can be joined to Azure AD?
You can configure Azure AD join for all Windows 11 and Windows 10 devices except for Home editions. The goal of Azure AD joined devices is to simplify: Windows deployments of work-owned devices. Access to organizational apps and resources from any Windows device.
Do you need a license to join a device to Azure AD?
User is in MDM scope: If you have an Azure AD Premium subscription, MDM enrollment is automated along with Azure AD join. All scoped users must have an appropriate license for your MDM.
How do I connect to Azure AD with a service principal?
- Sign in to Azure AD PowerShell with an admin account. ...
- Create a self signed certificate. ...
- Load the certificate. ...
- Create the Azure Active Directory Application. ...
- Create the Service Principal and connect it to the Application.
Azure AD Registered | Description
---|---
Operating Systems | Windows 10 or newer, iOS, Android, macOS, Ubuntu 20.04/22.04 LTS
Provisioning | Windows 10 or newer – Settings; iOS/Android – Company Portal or Microsoft Authenticator app; macOS – Company Portal
- Sign in to the Azure portal.
- In Azure Active Directory, select App registrations in the left-hand navigation menu.
- Select All applications to view a list of all your applications. ...
- Select the application to which you want to assign an app role.
- Select API permissions > Add a permission.
- From the portal menu, select Azure Active Directory.
- From the left navigation, select App registrations > New registration.
- In the Register an application page, enter a Name for your app registration.
- Select Register.
Enable collection synchronization for the Azure service
Select the cloud management service for the Azure AD tenant where you created the group. Then in the ribbon, select Properties. Switch to the Collection Synchronization tab, and select the option to Enable Azure Directory Group Sync. Select OK to save the setting.
Install Azure AD Connect
You can find the download for Azure AD Connect on Microsoft Download Center. Steps to complete before you start to install Azure AD Connect. If you have a single forest AD then this is the recommended option to use. User sign in with the same password using password synchronization.