Hi all!
A while ago I wrote a post on how to add Azure AD as LDAPs provider into Jamf Pro: https://travellingtechguy.blog/integrate-azure-ldap-in-jamf-pro/
This still works and will still be required if you want to add LDAP functionality from Azure into an on-prem Jamf Pro server. However, with the release of Jamf Pro 10.27, JamfCloud now offers an easier alternative: integrating Azure AD as a Cloud Identity provider.
The benefit of this is that it does not require Azure AD Domain Services (AADDS) to be enabled in your Azure AD tenant, which simplifies things and reduces costs as well I presume.
However, if you already have AADDS enabled and configured, you should not switch to the new Cloud Identity Provider integration. Doing so your LDAP server identity and associated user ID’s in Jamf Pro would change, causing ‘the same user’ not to be recognised as the same user account in Jamf Pro. Which would in turn cause problems with scoping if for instance you have LDAP limitation configured.
Important: Do not integrate Jamf Pro with Azure AD as a cloud identity provider if your environment already includes Azure AD Domain Services (AADDS)*** and Microsoft’s Active Directory LDAP configurations. A migration workflow will be available in a future release of Jamf Pro.
*** Small typo in the Jamf pro Admin Guide at the time of writing this post. Admin guide mentions ADFS, but this should be AADDS
That all said, let’s have a quick look at how to integrate Azure AD into Jamf Pro if you have no Azure AD integration configured yet. This is really going to be a walk in the park as the workflow is very straight forward.
Requirements:
- JamfCloud
- No LDAPs integration with Azure AD and AADDS configured yet
- Access to the Azure tenant with appropriate credentials, such as a Global Admin, to manage consent requested by the Jamf Pro Azure AD Connector
Let’s go.
Official guide: https://docs.jamf.com/10.27.0/jamf-pro/release-notes/What’s_New.html
Go to the Jamf Pro settings and click on the Cloud Identity Providers icon. From there you can add a new provider via the “+ New” key:
As you can see there are now 2 options to select from. Apart from the Azure AD provider you can also choose for the Google iDP for which I wrote a post a earlier already: https://travellingtechguy.blog/google-ldap-as-cloud-identity-provider-in-jamf-pro/
If you go for Azure and click next, you will be informed about the fact that the browser will redirect to Microsoft (Azure) to grand admin consent. It’s perfectly normal that the entire page redirects.
Next you’ll be presented with an Azure login webApp in which you need to authenticate with an account that has the privileges to grant Admin Consent for the Jamf Pro Azure AD Connector.
Click on Accept to grant the permission and you will be automatically redirected to your Jamf Cloud instance again. If everything went right you should now see this green ‘Verification Status: Success notification, and the tenant ID of your Azure AD should automatically be populated. The only thing you need to do is to populate the Display Name you want to set for this configuration in the Jamf Pro GUI.
Click save. Congratz, you have successfully added Azure AD in Jamf Pro via the Cloud Identity Provider integration!
Yes, you can for sure configure the mappings and change them according to your needs or custom attributes you have in your Azure AD. For my setup, which is typically the case with test environments, the default settings were just fine.
I can query my users:
My group lookups work:
And I can check group membership as well:
Note: Just like when we integrate LDAPs via AADDS or SSO with Azure in Jamf Pro, you can only map groups by the identifier (OID) value. The name of the group in Jamf Pro must be the same as the group OID value in Azure. This is important when you add Azure AD groups to Jamf Pro for access to the GUI, Self Service or for enrolment authentication.
One final note from the Jamf Pro admin guide / release notes:
Note: When Azure AD with multi-factor authentication enabled is added as the cloud identity provider, authentication workflows in Jamf Pro (e.g., Self Service and user-initiated enrollment) do not work for Azure AD user groups and accounts.
That’s it! Straight forward right? If not, don’t hesitate to reach out with questions!
As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!
Brgds,
TTG
Apple ecosystem enthusiast, geek, tech gadget freak, Belgian living in the Netherlands
Senior Enterprise Support Engineer | Jamf
Note: Just like when we integrate LDAPs via AADDS or SSO with Azure in Jamf Pro, you can only map groups by the identifier (OID) value. The name of the group in Jamf Pro must be the same as the group OID value in Azure. This is important when you add Azure AD groups to Jamf Pro for access to the GUI, Self Service or for enrolment authentication.
So what actually does that mean?
I’m asking because I set this up, set an azure group, added it as an admin group in Jamf, have so’s setup and working but my test user still can’t login to Jamf itself despite being in the group and passing through the so successfully
Hi, I have now figured out how to use Azure groups to manage Jamf console access.
The most vital part is when the SSO connector is set up to add in the groups claim which isn’t enabled by default.
Then all you need to do is create a standard group in jamf that is named after the azure jamf-admin groups OID and NOT its name.
Indeed, Azure returns groups in the form of OID (UUID format) and not the friendly group name.
There was a very minor change on group schema… it should be: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups — this was an issue that Jamf helped me with and wanted to spread the news.
Hi Michael, thanks for sharing, but I guess you ate referring to Azure as SSO in Jamf right? Not purely the above Azure iDP integration.
Yes, I should have qualified that. I apologize.
Thanks a lot!
Hi from France. I have a question about using Azure as the Cloud Identity Provider introduced in Jamf Pro 10.27. The integration is done. It looks like I can immediately use an Azure AD user to enroll the Mac with Automated Device Enrollement (and that creates the local account). Also its works to enroll the Mac with User-Initiated Enrollment. It is also functional to authenticate in the Self Service and to use Azure AD groups in policies as limitations. I’m wondering if I’m missing something because it looks like to simple. The only thing I’m thinking of is that I can’t authenticate as an Azure AD user to administer Jamf Pro because I didn’t setup SSO, correct ? But is there something else ? I have an integration of Jamf School with Azure AD but it is not so straightforward, we have the Redirect pane, etc.
… correction. I added the Azure AD group in the Jamf Pro Users & Groups Settings with Auditor privileges and my Azure AD user can now access to the Jamf Pro console. Everything looks like Azure AD is behaving as an LDAP server.
Hi, well by the looks of it you indeed have enabled and tested all possible integrations and functionality of this. Adding Azure as iDP indeed allows you to use you Azure account in a similar way as LDAP.
Hi. That is the reason why I don’t understand the following statement : Single sign-on (SSO) with Azure must be configured in Jamf Pro to use authentication workflows (e.g., user-initiated enrollment and logging in to Jamf Pro). For information on how to configure SSO in Jamf Pro, see Single Sign-On. (https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Azure_AD_Integration.html). And there may be something with that also : When Azure AD with multi-factor authentication enabled is added as the cloud identity provider, authentication workflows in Jamf Pro (e.g., Self Service and user-initiated enrollment) do not work for Azure AD user groups and accounts.
But I don’t have the licence for MFA so I can’t observe that.
Do you know if there is being worked on supporting SCIM for jamf ?
LDAP is not something that we will allow as it is quite legacy (at least asking our inrastructure guys) and that there are much better solution then LDAP like SCIM
Do you know anything if that is planned ?
Hi. Do you suggest this integration relies on LDAP ? It does not as far as I know. Even if you can this integration for “LDAP” limitations in the GUI.
No it is not LDAP, I did not suggest that, it uses the Azure API. Within Jamf Pro the workflows you can use with LDAP does however apply to this Azure AD integration as well. https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Azure_AD_Integration.html
Hi TTG. I was bouncing on Peder message, not on your article.
Hi Franck! Thanks! Good call btw! It could be that I wrote something which would have made that assumption! Thanks for engaging in this discussion! Always good to have people reading my articles with a sceptic eye and engage in comments and discussion! Thank you!
That’s a question you’d better ask via the Customer Success team, but we typically don’t discuss future functionality regardless of planned or not. Alternatively, you can open a feature request on Jamf Nation.
Sorry – It seems that I just jumped into another question.
So what I am looking for is that when enrolling a mac, the user can lookup the name(without ldap) and the mac then is assigned and fields are mapped , so information from azure is comming into jamf
Is this possible ?
And if enable azure, what happens – does it have any impact of some kind, that I should be aware of before pushing the tricker?
Thank for this article and clarifying the ADFS typo, which was indeed confusing. Would this AAD-JamfCloud integration benefit anyone looking to use Jamf Cloud in an education environment? There doesn’t seem to be any concept of Classes/Rosters/Courses in AAD that would allow to automatically provide the required user information to use with Apple Classroom, Teachers and all the education specific requirements. Is there any chance or are there any plans to have a full compatible integration either with JamfPRO or JamfSchool?
So I setup the connection, but the group mappings somehow stall
In azure we have a dynamic group calls “All users” and the object id of this group I added and also added the All Users as name.
But i I try to lookup something where I know my user is, it does not work ?
What am I missing ? There are only object id and name, so something is not correct since it does not work
Anyone? Still have not the groups working
OK – finally got this working 🙂
But what wonders me, if I look on data in Jamf on users, the azure information are not added?. Shouldn´t this be imported from azure, now the connection is there or do I misunderstand something
Where are you looking exactly? Are you assigning computers to Azure Users? Where those users already in Jamf Pro before you integrated Azure?
I just thought when I setup the IDP, then the mappings from azure would be updated in jamf
I can see when I enroll a new computer, the information is comming over from azure.
But existing clients that are already enrolled, is there any way to trigger the mappings from azure to be updated on the user ?
Hi Peder! Did you previously have LDAP via on-prem AD integrated? Before you integrated with Azure?
Or where did the previous user data come from?
We have no ldap. The information that is in jamf was written from the client username/login info into jamf by scripts
Ok, Jamf Pro settings-> computer management -> inventory collection -> Collect user and location information from LDAP
Enabled?
arhh thanks – just couldn´t find where this should come from and was disabled as we never got ldap enabled. Could maybe also be added to your blog here for admin setting this up without having ldap before
hmm. have tried to run a recon now several times on my machine – but the user info does not update even when this is enabled
arhh thanks – just couldn´t find where this should come from and was disabled as we never got ldap enabled. Could maybe also be added to your blog here for admin setting this up without having ldap before
Think there is a misunderstanding on this 🙂
We only have setup azure as identity manager – and have no ldap. So guess when I do the checkmark on Jamf Pro settings-> computer management -> inventory collection -> Collect user and location information from LDAP it does not work
Would just like to update the user information from azure. Also in case a mac switch to a new user – how is that information being updated from azure.. Looking for some kind of “sync” button
No, no misunderstanding. The Azure integration works just like LDAP and I just tested again to be sure it works.
Manually added a username to a computer in User and Location of the inventory record. Only the username. It did automatically fetch other info, but I deleted the other info like department, full name, etc…
Sudo jamf recon -> all info fetched.
So it works and it works like LDAP does but you mapping need to be correct. username is not the same as username@domain.com etc, upn is not shortname, etc
If I do an new install on the mac the mappings works fine and the user information is updated. So guess it cannot be the mappings that is wrong if it works with a new computer enrollment ?
Any idea what kind of troubleshooting I can try – somehow there seems to be a missing piece
Depends what username gets filled in when you enrol a new device and what you entered manually. If you enroll a new device it will probably fill in “username@domain.com” as username. So the UPN. Is that also what you had filled in manually on the devices? If not, for instance you had only “username” filled in, it may not find that info as it does not see it as the same account.
Grab some screenshots of the user and location details which are not updated, as well as your mappings for iDP and send that over to support to check.
According to support it is only during pre-stage enrollment this information from azure to jamf is transferred – or by using a 3rd party like Mud attributes update
Think it strange that an update cannot be triggered on running clients, but only when enrolling
Just to add:
I am looking for a way to find a way to just trigger update on all running clients to get user information down from azure to jamf user and location
I can of course manually go in on each machine in jamf backend and find the user. But looking for a way this just can happen automatically
I’ll need to replicate again in view of the changes with Azure iDP compared to normal LDAP, but when I tested, it did fetch the details during inventory update.