Hi all!

I recently published my post on Jamf Unlock and Azure iDP, and got some requests to do the same for Okta.

So hereby a quick overview on how to configure Jamf Unlock with Okta. As most of the configuration and functionality of Jamf Unlock is the same regardless of the iDP used, I’ll keep this one short, however, and only focus on the Okta specific configuration.

As a quick recap:

When you configure Jamf Unlock you have the choice of requiring a PIN or not. But even if you don’t configure it to require a PIN, which the iOS app defaults to if specific keys are not set in the app configuration, the authentication window on macOS will still display a text field for ‘PIN’. Like I mentioned in my post on Jamf Unlock and Azure iDP, this can be left empty during authentication when not in use.

The main things we need to do to configure Jamf Unlock are:

  • add an additional redirect URI to your Jamf Connect (access) app in Okta
  • add the keys to enable Jamf Unlock to your working Jamf Connect Menu Bar app plist
  • deploy the Jamf Unlock iOS app with app configuration for Okta

Let’s start with adding the additional redirect URI.

As you may know, you can configure Jamf Connect with additional OIDC apps in Okta to define who gets admin rights on the Mac through Jamf Connect Login, and who only has access as a standard account. Hence I have 2 OIDC apps in my Okta:

For Jamf Unlock, we only need to add an additional URI to the app you are using for access, not the one which promotes users to admin. Hence I added the additional redirect URI to the access app I have:

jamfunlock://callback/auth

Next we tweak our existing plist for the Jamf Connect Menu Bar app. In my post on Azure I added an additional profile with only the Jamf Unlock related keys. Let’s add it to our existing profile this time.

My very basic, existing profile for Jamf Connect Menu Bar with Okta:

I cloned this one and added the keys required for Jamf Unlock:

    <key>Unlock</key>
    <dict>
        <key>EnableUnlock</key>
        <true/>
        <key>RequirePIN</key>
        <true/>
    </dict>

Scope that to your devices and the macOS side of the configuration is done! Apart from pairing the iOS device of course…

Like I mentioned, adding or omitting the RequirePIN key does not change what the macOS prompt shows. Well, if you want to use the PIN functionality, of course you need to add it, but removing it will still show a PIN value box on the authentication prompts in macOS. Those can just be left empty when PIN is not in use. Whether or not the PIN is really in use is defined by the configuration of the iOS app. See below.

Now, let’s do the final part of our config and deploy the iOS app with app configuration. As mentioned in my post on Azure, the iOS app must be deployed by MDM and must contain the app configuration settings.

For Okta we need to use the following app config:

    <dict>
        <key>com.jamf.config.idp.oidc.provider</key>
        <string>Okta</string>
        <key>com.jamf.config.idp.oidc.tenant</key>
        <string>tenant-name</string>
        <key>com.jamf.config.idp.oidc.client-id</key>
        <string>abcdqxanb4Rb4veu0h8</string>
        <key>com.jamf.config.idp.oidc.redirect-uri</key>
        <string>jamfunlock://callback/auth</string>
    </dict>

Please note that the 'tenant-name' is something like 'dev-12345' or 'mycompany' and not 'dev-12345.okta.com' or 'mycompany.okta.com'. So just the first part of your Okta URL.

The value for “com.jamf.config.idp.oidc.client-id” is the Client ID of the app where you added the additional redirect URI for Jamf Unlock.

That’s it! Push the app to your iOS device(s) and do the pairing via the Jamf Unlock features in the Jamf Connect Menu Bar App. Make sure that the iOS device has a passcode and/or Touch ID (Face ID) configured and that location services are enabled.

Now, in case you do want to require a PIN for each authentication, just add the following keys to the app configuration:

    <key>com.jamf.config.pin.required</key>
    <true/>
    <key>com.jamf.config.pin.type</key>
    <string>rotating</string>
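Because a wrong tenant value or a redirect URI that doesn’t match the one registered in Okta is the usual reason pairing fails, here is a small sanity check for the app configuration above (both the OIDC keys and the optional PIN keys). This is an added example of mine, not Jamf or Okta code; the sample plist is constructed, the client-id is the placeholder from this post, and the checks only cover the values this post describes.

```python
import plistlib

# Constructed sample app configuration with two deliberate mistakes:
# the tenant is a full host name, and pin.required is set without pin.type.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.jamf.config.idp.oidc.provider</key>
    <string>Okta</string>
    <key>com.jamf.config.idp.oidc.tenant</key>
    <string>dev-12345.okta.com</string>
    <key>com.jamf.config.idp.oidc.client-id</key>
    <string>abcdqxanb4Rb4veu0h8</string>
    <key>com.jamf.config.idp.oidc.redirect-uri</key>
    <string>jamfunlock://callback/auth</string>
    <key>com.jamf.config.pin.required</key>
    <true/>
</dict>
</plist>
"""

REDIRECT_URI = "jamfunlock://callback/auth"
PREFIX = "com.jamf.config."
REQUIRED_OIDC_KEYS = ("idp.oidc.provider", "idp.oidc.tenant",
                      "idp.oidc.client-id", "idp.oidc.redirect-uri")


def check_okta_unlock_config(plist_bytes: bytes) -> list[str]:
    """Return the problems found in a Jamf Unlock app-config plist for Okta (empty list = OK)."""
    cfg = plistlib.loads(plist_bytes)
    problems = []
    for key in REQUIRED_OIDC_KEYS:
        if not cfg.get(PREFIX + key):
            problems.append(f"missing or empty {PREFIX}{key}")
    if cfg.get(PREFIX + "idp.oidc.provider") != "Okta":
        problems.append("provider must be exactly 'Okta'")
    tenant = cfg.get(PREFIX + "idp.oidc.tenant", "")
    # The tenant is only the first part of the Okta URL (e.g. 'dev-12345'), never a host name.
    if "." in tenant or "/" in tenant:
        problems.append(f"tenant '{tenant}' must be the Okta subdomain only, e.g. 'dev-12345'")
    if cfg.get(PREFIX + "idp.oidc.redirect-uri") != REDIRECT_URI:
        problems.append(f"redirect-uri must be {REDIRECT_URI} (and be registered on the Okta access app)")
    # If a PIN is required, the PIN type must be set too; 'rotating' is the value used in this post.
    if cfg.get(PREFIX + "pin.required") is True and not cfg.get(PREFIX + "pin.type"):
        problems.append("pin.required is true but pin.type is not set (e.g. 'rotating')")
    return problems


if __name__ == "__main__":
    for line in check_okta_unlock_config(SAMPLE_PLIST) or ["no problems found"]:
        print(line)
```

Feed it the exported app configuration plist from your MDM before pushing the app; an empty list means the values match what this post expects.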

For an example on how the PIN functionality works, have a look at my other post: https://travellingtechguy.blog/jamf-unlock-and-azure-idp/

That’s it! As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!

Brgds,
TTG