Before going into some time off, and probably not touching any Jamf Connect related stuff for 2 weeks, let’s have a look at another iDP: IBM Cloud Identity.

This is going to be a shorter post compared to other Jamf Connect related blogs, as I managed to get everything working nicely. I had a small ROPG roadblock but was able to fix it. See below.

Start point:

NOTE: I'll try to you some time here mentioning the fact that when you go through the setup of the OIDC app in IBMCI, you need to configure it as "Public Client (no client secret)". Saving the app following the instruction above by default creates it WITH a secret, and while I was able to deploy Jamf Connect, it actually broke ROPG. Setting the "OIDCNewPassword" key to false to validate the password gave me "incorrect password" when trying to create the user account.

The logs gave me: "ROPG Error: CSIAQ0160E A confidential client attempted to access the token endpoint without authenticating."

Changing the app setup in IBM to Public fixed it.
NOTE: I also had an issue with trying to deploy Jamf Connect Login with IBMCI on a virtual machine. While it works fine with other iDP's, I ran into issues loading the webview of the IBM login screen on a VM. Logs gave me: Logs: SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] OIDC webview load failed.

This flashes the login screen briefly but then shows the "unable to contact the Identity Provider screen".

However, I assume this is only a VM hickup, as it all works fine on a physical machine.

That said, let’s have a look at how to configure the IBM side of things first, and then the plist we need for Jamf Connect.

First, like always, we’ll need to create an OIDC app in IBM. Go to Applications and click on “Add Application”.

Select “Custom Application” and hit OK.

Give the app a name and give it a Company Name as well (required). You also have to select an owner, which I’ve just set to my IBMid account.

Select Open ID Connect 1.0 as Sign-on Method, add as Application URL and select ALL Grant Types.

But, also, don’t forget to select PUBLIC CLIENT (no client secret) in case you want to use ROPG to validate the password when the end user will create the account. This in view of setting the “OIDCNewPassword” key to false, see below.

Next we’ll add the Redirect URL, which we also set to, and set the Access Token Format to “JWT”.

In order to be able to define who gets an Admin or Standard account on the Mac, I also added the attribute “Group” and linked it to the “groupIds” source, and sent all known user attributes in the ID token.

This allows me to add the “OIDCAdmin” and “OIDCAdminAttribute” keys in my plist later, making all the members of my IBM CI group “admin” an admin on the Mac, see below.

Also, in order to avoid Jamf Connect asking for which source of identity your end users want to authenticate to, set the Access Policy to “specific supported identity sources” and select “Cloud Directory”.

Next, go to API Access, select “Configure API Access” and flip the switch to “Select All – ON”.

Once you’ve saved the app, you can assign users. I just went with “All users” for now.

That’s basically it from an IBM side of things. Just make sure to create an “admin” group in case you want to use the feature to differentiate local admins from standard accounts. In the config below I’m setting that OIDCAdmin key to “admin” (my admin group in IBMCI), and OIDCAdminAttribute to “Group” which I added in the IBM app config above.

Next is just deploying Jamf Connect Login, no need to change anything to the official installer, and configure it with a plist/mobile config.

The mandatory keys are:
– OIDClientID
– OIDCProvider (set it to IBMCI)
– OIDCTenant (set it to the first part of you IBM Cloud Identity, for me it was “ttg” as my IBMIC URL is “”

*** Do not set the OIDCClientSecret key ***
Make sure your IBM app is set as “Public Client (no client secret)

Optional but recommended:

– OIDCROPGID (in case you want to validate the IBMCI password and set it as the local account password)
– OIDCNewPassword (set it to false to validate the password instead of creating a local password)
– OIDCAdmin (your group of users in IBM you want to make admin on the Mac)
– OIDCAdminAttribute (see above, the “Group” attribute I linked to “groupIds” – goes together with the OIDCAdmin key)

The above plist will allow ROPG to validate the password, as well as differentiate admins from standard users on the Mac.

The IBM CI Login window view in Jamf Connect
Second authentication validating the password to set it as the local password.

That’s it! Apart from some ROPG troubleshooting it was actually a smooth ride deploying Jamf Connect Login with IBM Cloud Identity!


– ROPG validation of password: WORKS
– Differentiating Admin from Standard accounts on the Mac based on group membership: WORKS
– Issue with the login webview on a VM, but works fine on a physical machine
– Do not configure an OIDC Client Secret and set the IBM app as “Public Client”

As always, don’t hesitate to leave comment, remark or suggestion below, tell your friends about a blog and if you really like it leave some feedback here.