Update: don’t try this on a VM, doesn’t work for me!

Hi there! It’s been a while since Jamf added ‘Enrollment Customization’ already, so it had to be done: a post on customising the enrollment experience of users enrolling devices in Jamf Pro with Jamf Connect Login!

GOAL: This setup will prompt the user to authenticate against the iDP in order to get access to enroll the device. Jamf Pro will then pass the user information to Jamf Connect Login.

Just after the Setup Assistant, the user will be prompted by a new Jamf Connect Login window, different from the normal OIDC webapp, to validate the password once more. Jamf Connect Login will then do an ROPG call against the iDP to validate and set the local account password.

This enhances the overall user experience and integrates nicely in the Enrollment Customization feature of macOS Automatic MDM enrollment.

First of all, some requirements:

  • Jamf Pro 10.17 (preferably 10.18 to customise the SAML claims)
  • macOS 10.15 or higher
  • Automated MDM enrollement (ABM/ASM)
  • Cloud Distribution Point (JCDS, Akamai, AWS,…)
  • Jamf Connect 1.12.0 or higher (Jamf Connect Login 1.7.0)
  • Single Sign On configured in Jamf Pro

The reason for the need of a Cloud Distribution Point, is the fact that Jamf Connect Login needs to be installed as an enrollment package, in order to be on the system during the Setup Assistant.

Note: Jamf Pro 10.17 is ok, but I'm testing with 10.18 and the latest version of Jamf Connect 1.16 (Jamf Connect Login 1.9.0) in view of bug fixes.

Configure Single Sing-On in Jamf Pro

As mentioned above, one of the requirements for Enrollment Customization with Jamf Connect is to configure your iDP as SSO in Jamf Pro. I’ll be using Azure here, but in order to keep this post within limits, I’ll refer you to the following link to configure Azure SSO in Jamf Pro. First make sure that your SSO with Azure is working fine, before continuing the setup below.

Configure Enrollment Customization

Once your Single Sign On is sorted, we need to configure Enrollment Customization in the Jamf Pro Settings -> Global Management.

Here you’ll give the Custom Enrollment settings a name and description as you like. The name will be what you’ll select in the pre-stage later, so choose something handy.

The most important part however is the actual PreStage Pane, where you have the choice between a text window, LDAP authentication and Single Sign On Authentication.

In view of the purpose of this post, linking this custom enrollment to Jamf Connect, we need to choose Single Sign On Authentication. Hence the need to setup SSO in Jamf Pro first…

If you want, you can limit the enrolment access to a specific group (Yes, only one ☝️ ) or leave it to Any identity provider user.

NOTE: Just like for SSO access in Jamf Pro, the user needs to be assigned to the Jamf Pro 'Enterprise App' in Azure AD !

Next, switch the Enable Jamf Pro to pass user information to Jamf Connect to ON.

And last but not least, the Attribute Mappings. This is where things can become a bit tricky, depending on how your Azure AD SAML attributes have been configured for SSO!

By default Jamf Pro will look for 2 attributes: ‘NameID‘ and ‘realname‘. The NameID attribute is most likely already going to be configured, but important to check is the ‘Name identifier format’ and ‘Source attribute’.

Go to Enterprise apps > Jamf Pro > Single Sing-on > User Attributes & Claims:

Click on ‘Unique User Identifier (Name ID):

… and check the ‘identifier format’ > Email address.

In most cases the UserPrinciPalName will match the email address of the user in Azure. However, this is not always the case. If for one reason or another SSO has been configured with NameID set to something else, and or UPN differs from email address etc… the good news is that Jamf Pro 10.18 can be configured to use another claim to fetch the Azure Username / UPN which Jamf Connect needs.

Check the additional claims in Azure for a matching attribute, if needed add an additional claim and match it to the correct value. For instance create a claim ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/something and match it to the UPN.

More in on how to customise claims issued in the SAML tokens here.

Now, the second attribute which Jamf Pro will be looking for is ‘realname’. By default this is not included in the claims, and need to be added:

Note, that I created the claim with a name with nothing more than ‘realname’ and not ”http://schemas.xmlsoap.org/ws/2005/05/identity/claims/realname‘. This as it turns out that Jamf Pro is really looking for the exact claim ‘realname’.

If I would have put the name to ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/realname, I would just have to define this full path as a custom attribute in Jamf Pro:

In my setup I just created it as ‘realname’ in Azure, so that I could just leave the Jamf Pro attributes default, meaning ‘Empty‘. Hence Jamf pro will be looking for the default ‘NameID‘ and ‘realname‘ attributes.

Now, before we finish our settings for the enrollment customization, there is one more thing you can do: add a text pane.

This allows you to interact with the end user and provide some additional information about the enrollment process or EULA.

Note: The text pane does not support HTML, but is does support Markdown

Create a pre-stage including usage of the enrollment customization

Now, the final step to put this all together is creating or tweaking our pre-stage. In the General tab you’ll find the dropdown to select the Custom Enrollment config to use in this prestage, so yes you can have different setups for each prestage:

For Jamf Connect Login, we’ll skip user creation…

… don’t forget to select the config profile (see below), which you scoped to all computers, or an adequate Smart/Static Group…

… and of course our ‘Enrollment package’ to install Jamf Connect Login during Setup Assistant!

Plist for Jamf Connect Login in this setup
NOTE: Because of the different flow of actions compared to a standard Jamf Connect Login setup, you need to make sure to add the ROPGProvider and ROPGTenant keys. In a standard, pure Azure setup, the OIDCROPGID key is enough. Here we need to tell Jamf Connect how to do the ROPG call.

--> without those I got an error saying "can't authenticate, try again".

Also, depending your Azure (and ADFS) environment, you might need to use the Azure_v2 end-points, or authenticate against ADFS. See Jamf Connect Hybrid setups here.

That’s it! If all went well you should see the following behaviour when enrolling new devices:

  • The normal remote management screen:
  • Our custom Text pane:
  • The custom Azure Authentication kicking in:
  • The Remote Management screen again, downloading the MDM profile (after being granted access through the iDP authentication):
  • And depending the options you skip in the prestage, the Setup Assistant continues and configures the Mac:

NOW! With a normal Jamf Connect Login setup, you would be presented with the OIDC webapp login window here, but thanks to the integration with the custom enrollment, Jamf Connect Login now only presents a window to validate the password. Here the user needs to validate the password once more to be able to create the local account:

That’s it! To be honest, I really like it! What about you? Let me know!

Oh yeah, one more thing... I was recently asked if this setup changes anything in view of the creation of Secure and Bootstrap Tokens in Catalina...

Well, the answer is NO! Although the user is authentication to the iDP during the Setup Assistant, we are still skipping user creation in the prestage settings. Hence Standard accounts created by Jamf Connect (where the actual creation of the account is still done AFTER the Setup Assistant), does NOT get a Secure Token and Bootstrap does NOT get enabled. Admin accounts created this way do get a Secure Token but Bootstrap will still be disabled.

As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!

Brgds,
TTG