Hi all!

A new kid in town: Jamf Unlock!

https://docs.jamf.com/jamf-connect/documentation/Jamf_Unlock.html

Jamf Unlock is a mobile device app that allows a user to unlock their Mac with a mobile device without using a password. With Jamf Unlock, users complete a setup process to create or generate identity credentials (a certificate) on their device, which is then used to pair and establish trust with a Mac. Once the setup is complete, users can easily use the app as an alternate authentication method in the following scenarios:

– Unlocking a Mac

– Prompts to change settings in System Preferences

– Commands executed with root privileges with the sudo command

IT administrators can use Jamf Pro to configure authentication settings via managed app configuration, and deploy the app to users in their organisation.

Let’s test it out!

I’ll assume that you already have Jamf Connect (Login) configured in a basic setup. If not, I highly recommend doing so before attempting to deploy and test Jamf Unlock. The Jamf Connect family of tools and features is truly great in my opinion, but the configuration can sometimes be a bit overwhelming when you set it up for the first time. Both the configuration of the config profile / plist and the IdP side of things require a very precise config. Initially adding too many features, including Jamf Unlock, can make things unnecessarily complex to troubleshoot. Basics first!

That said, I started with a working setup for both Jamf Connect Login 2.x and the Jamf Connect Menu Bar App, and the first step to deploy and configure Jamf Unlock was to add the additional redirect URI to my existing Azure app: jamfunlock://callback/auth

Next, I created the additional configuration profile to enable Jamf Unlock in the menu bar app. I didn’t add the keys to my existing menu bar config profile to have more flexibility in disabling it when needed:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Unlock</key>
        <dict>
            <key>EnableUnlock</key>
            <true/>
            <key>RequirePIN</key>
            <true/>
        </dict>
</dict>
</plist>

The preference domain for this profile is also com.jamf.connect, like our normal Menu Bar App plist. Like I said, I preferred to use a separate plist to enable Jamf Unlock, but if you want, you can add the Unlock dictionary to your existing JC profile instead:

That’s all for enabling Jamf Unlock in the Menu Bar app! What do we need next?

  • Deploy Jamf Connect 2.4
  • Configure and deploy the iOS Jamf Unlock app

Deploying Jamf Connect 2.4 (which includes the Jamf Unlock feature) is nothing more than uploading the new version to your distribution point and updating it via a policy, or installing it manually for testing.

The iOS Jamf Unlock app needs to be installed via MDM with app configuration: https://docs.jamf.com/jamf-connect/documentation/Configuring_and_Deploying_Jamf_Apps.html

In Jamf Pro I already had the Jamf Unlock app added because I had added some licenses via VPP in Apple Business Manager, and the only thing left to configure the entire setup was to choose the deployment type (install automatically in my case) and set up the app configuration. Other settings are as you want/need, but the app needs to be deployed via MDM and include app configuration:

For the app configuration you basically only need the dictionary below, but in the above screenshot I added my tenant ID as well because I was troubleshooting some tenant issues. You typically would not need this, unless you have multiple tenants in use in your environment.

For com.jamf.config.idp.oidc.client-id you need to put the app ID of the Jamf Connect OIDC app you have configured in Azure, just like you have it in the Jamf Connect Login and Menu Bar.

<dict>
    <key>com.jamf.config.idp.oidc.provider</key>
    <string>Azure</string>
    <key>com.jamf.config.idp.oidc.client-id</key>
    <string>abcd65c-52fe-4b63-8dde-d658abc0aee8</string>
    <key>com.jamf.config.idp.oidc.redirect-uri</key>
    <string>jamfunlock://callback/auth</string>
</dict>

Note: By default this setup configures the Unlock functionality in a pin-less way. This means that unlocking or authenticating on the Mac will only require the iOS app to be opened and either FaceID or the iOS passcode to be used to grant access.

At the time of writing the documentation states that "Require PIN Authentication" defaults to true, but it actually defaults to false. I'll get that corrected. More about this below.

If you want to enforce the use of FaceID, the following key can be added to the app config:

<key>com.jamf.config.biometrics.required</key>
<true/>

That’s it for the setup! Let’s test!

After all the above I have the iOS app on my test device:

And Jamf Connect Menu Bar with Unlock functionality added:

The last part of the integration is to enable the Unlock functionality by pairing the iOS device.

The first thing to do is to click on ‘pair new device’, after which you will be presented with a QR code that you need to scan with the iOS app:

At this point you need to go through the process of scanning the QR code and following the steps in the iOS app. You will get some popups asking for access to the network, camera, Bluetooth, etc. Those need to be granted for the pairing to work! Additionally, FaceID can be used as well; this is, however, only to authenticate into the iOS app instead of using the iPhone passcode.

At this point you should have the below in both the iOS app and the Jamf Connect Menu Bar app.

NOTE: Make sure both ‘Enable Unlock’ (JC Menu Bar App) and ‘Allow Unlocking’ (iOS app) are enabled!

If all went well, you should now be prompted to enter a PIN whenever you need to unlock your Mac, authenticate in Terminal or unlock some System Preferences panes. However, with the default config above, no PIN is required. Just hit enter or click ‘unlock’.

Clicking unlock or hitting enter should trigger a notification (if enabled) on the iOS device. Unlock the iOS app with either FaceID or the passcode and Jamf Unlock will send the authentication to the Mac.

Now, as I said, the app defaults to PIN-LESS instead of requiring a PIN. In order to require the user to enter a PIN code on the Mac we need to tweak the App configuration of the iOS app:

To require a PIN, the app configuration would then look like this:

<dict>
    <key>com.jamf.config.idp.oidc.provider</key>
    <string>Azure</string>
    <key>com.jamf.config.idp.oidc.client-id</key>
    <string>1d884884-12fd-4fba-9bec-71548a60aa76</string>
    <key>com.jamf.config.idp.oidc.tenant</key>
    <string>af72a024-546b-4622-80f1-fd66bf369fcc</string>
    <key>com.jamf.config.idp.oidc.redirect-uri</key>
    <string>jamfunlock://callback/auth</string>
    <key>com.jamf.config.pin.required</key>
    <true/>
    <key>com.jamf.config.pin.type</key>
    <string>rotating</string>
</dict>

Note: When changing the app config you need to redeploy the app to get the changes applied.
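As an added example (not part of the original post and not Jamf’s own tooling), here is a small Python check that parses the Mac-side com.jamf.connect profile and the iOS app configuration as plists and flags the mismatches discussed above: a missing or wrong redirect URI, a client-id that differs from the Jamf Connect OIDC app, and the pin-less default that applies even when the Mac profile has RequirePIN set. The embedded plist samples and the all-zero client ID are constructed placeholders.

```python
import plistlib

# Constructed sample inputs (not a real tenant): the Mac-side com.jamf.connect
# profile from above and the first, pin-less iOS app configuration.
MAC_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Unlock</key>
  <dict>
    <key>EnableUnlock</key><true/>
    <key>RequirePIN</key><true/>
  </dict>
</dict></plist>"""

IOS_APP_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.jamf.config.idp.oidc.provider</key><string>Azure</string>
  <key>com.jamf.config.idp.oidc.client-id</key>
  <string>00000000-0000-0000-0000-000000000000</string>
  <key>com.jamf.config.idp.oidc.redirect-uri</key>
  <string>jamfunlock://callback/auth</string>
</dict></plist>"""

# The redirect URI that must also be registered on the Azure app for Jamf Unlock.
EXPECTED_REDIRECT = "jamfunlock://callback/auth"
OIDC = "com.jamf.config.idp.oidc."


def check_unlock_config(mac_plist, app_config, expected_client_id):
    """Compare the Mac profile with the iOS app config; return a list of findings."""
    mac = plistlib.loads(mac_plist).get("Unlock", {})
    ios = plistlib.loads(app_config)
    findings = []
    if not mac.get("EnableUnlock", False):
        findings.append("mac: Unlock.EnableUnlock is not true")
    for key in ("provider", "client-id", "redirect-uri"):
        if OIDC + key not in ios:
            findings.append("ios: missing " + OIDC + key)
    if ios.get(OIDC + "redirect-uri") != EXPECTED_REDIRECT:
        findings.append("ios: redirect-uri must be " + EXPECTED_REDIRECT)
    if ios.get(OIDC + "client-id") != expected_client_id:
        findings.append("ios: client-id differs from the Jamf Connect OIDC app ID")
    # The iOS app defaults to pin-less, whatever the Mac profile's RequirePIN says.
    ios_pin = ios.get("com.jamf.config.pin.required", False)
    if mac.get("RequirePIN", False) and not ios_pin:
        findings.append("pin: RequirePIN is true on the Mac but the app config is pin-less")
    if ios_pin and "com.jamf.config.pin.type" not in ios:
        findings.append("pin: pin.required is true but pin.type is not set")
    return findings
```

Run it against the exported profile and app configuration with the client ID of your Jamf Connect OIDC app; an empty list means both sides agree.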

Now, when we have the PIN requirement configured as per above, you’ll see that iOS displays a rotating code, just like any other MFA app:

Now whenever you need to authenticate on the Mac, the PIN currently displayed on the iOS app needs to be entered, for instance:

Done! That’s basically it! Overall there is not really much to configure if you already have the basic Jamf Connect setup in place. If not, it will take you a bit longer, but like I mentioned above, I’d recommend getting the Menu Bar App working first in a basic setup and adding Unlock afterwards.

The only thing I’ve noticed is that sometimes the ‘Enable Unlock’ setting on macOS did not really apply immediately to the Mac: although it was enabled, I was still prompted with the normal authentication prompts. However, the ‘have you tried turning it off and on again’ approach fixed that.

Overall a quite straightforward deployment, and it works well! I like it!

That’s it! As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!

Brgds,
TTG