In this tutorial, you'll learn how to integrate Jamf Pro with Azure Active Directory (Azure AD). When you integrate Jamf Pro with Azure AD, you can:
- Use Azure AD to control who has access to Jamf Pro.
- Your users are automatically signed in to Jamf Pro using their Azure AD accounts.
- Manage your account in one central place - the Azure Portal.
To get started, you need the following items:
- Azure AD subscription. If you don't have a subscription, you can get onefree account.
- A Jamf Pro subscription with single sign-on (SSO) enabled.
In this tutorial, you will set up and test Azure AD SSO in a test environment.
- Acknowledge Jamf ProInitiated by SPyesStart IdPsign in.
Add Jamf Pro from the library
To configure Jamf Pro integration in Azure AD, you need to add Jamf Pro from the collection to the list of managed SaaS applications.
- Sign in to the Azure portal with your work or school account or your personal Microsoft account.
- In the left pane, select itAzure Active DirectoryServe.
- I canbusiness applicationthen chooseall applications.
- To add a new application, select thenew application.
- hereadd from collectionsection, enterjamf forin the search box.
- choosejamf forFrom the resulting window, then Add Application. Wait a few seconds for the application to be added to your tenant.
Alternatively, you can useEnterprise Application Setup Wizard.In this guide, you can add applications to your tenant, add users/groups to applications, assign roles, and complete SSO setup.Learn more about Microsoft 365 participants.
Configure and test single sign-on to Azure AD for Jamf Pro
Set up and test Azure AD SSO with Jamf Pro using a test user named B.Simon. For SSO to work properly, you must create a login relationship between the user in Azure AD and the associated user in Jamf Pro.
In this section, you will configure and test Azure AD SSO using Jamf Pro.
- Configure SSO in Azure ADThis will allow your users to use this functionality.
- Create a test Azure AD userTest Azure AD SSO with B.Simon account.
- Assign an Azure AD test userThis allows B.Simon to use SSO to Azure AD.
- Configure SSO in Jamf ProConfigure application-side SSO settings.
- Create a Jamf Pro trial userThere is a B.Simon counterpart in Jamf Pro that links to the user's Azure AD representation.
- Test the SSO configurationVerify that the configuration is valid.
Configure SSO in Azure AD
In this section, you will enable Azure AD SSO in the Azure portal.
In the Azure portal atjamf forApp Integrations page, look for itthey managesection and selectsingle connection.
for himChoose a single sign-on methodpage, selectSAML.
for himConfigure single sign-on using SAMLpage, select the pencil iconBasic SAML configurationEdit configuration.
for himBasic SAML configurationsection, if you want to configure the applicationStart IdPmode, enter values for the following fields:
arrive. hereidentifiertext box, enter the URL using the following formula:
West. hereResponse URLtext box, enter the URL using the following formula:
chooseSet additional URLs.If you want to configure your application toInitiated by SPoperation, inLogin URLtext box, enter the URL using the following formula:
These values are not real. Update these values with the actual ID, Response URL, and Connection URL. You will get the value of its actual IDsingle connectionsection in the Jamf Pro portal, which is explained later in this tutorial. You can extract the actual subdomain value from the identifier value and use that subdomain information as the connection URL and response URL. You can also refer to the types shown inBasic SAML configurationsection in the Azure portal.
for himConfigure single sign-on using SAMLpage, go toSAML Signing Certificatesection, select itcopycopy buttonApp syndication metadata URLThen save it to your computer.
Create a test Azure AD user
In this section, you will create a test user named B.Simon in the Azure portal.
- In the left pane of the Azure portal, selectAzure Active Directory, chooseuserthen chooseall users.
- choosenew userat the top of the screen.
- hereuserproperties, follow these steps:
- hereNamefield, enter
- hereusernamefield, type [name]@[company domain].[extension]. For example,
- select itdisplay codecheckbox, then make a note of thepasswordBox.
- hereNamefield, enter
Assign an Azure AD test user
In this section, you give B.Simon access to Jamf Pro.
- In the Azure portal, selectbusiness applicationthen chooseall applications.
- In the list of applications, choosejamf for.
- On the app's overview page, look for thisthey managesection and selectusers and groups.
- chooseAdd user, and selectusers and groupsin itadd workdialog box.
- hereusers and groupsdialog box, selectB. Simonfrom the user list, then select itchoosebutton at the bottom of the screen.
- If you wish to assign a role to a user, you can do so in thechoose a roledrop-down list. If no roles are configured for this application, you will see the default access role selected.
- hereadd workdialog, select itdistributebutton.
Configure SSO in Jamf Pro
For automatic configuration in Jamf Pro, install thisMy App Secure Login Browser Extensionchooseinstall extension.
After adding the extension to your browser, selectJamf Pro configuration.When the Jamf Pro application opens, provide your administrator credentials to log in. The browser extension will automatically configure the application and perform steps 3-7 automatically.
To set up Jamf Pro manually, open a new web browser window and log in to your company's Jamf Pro website as an administrator. Then follow the steps below.
select itsettings iconfrom the top right corner of the page.
for himsingle connectionpage, follow the steps below.
West. select itEnable single sign-on authenticationcontrol box
C. chooseblueas his choiceidentity providerCollapsible menu.
Hey. copy itentity numbervalue and paste it inID (Entity ID)field inBasic SAML configurationsection in the Azure portal.
value in use
Fields to fill in the login URL and reply URLBasic SAML configurationsection in the Azure portal.
mine. chooseMetadata URLfromSources of Identity Provider MetadataCollapsible menu. In the field that appears, paste thisApp syndication metadata URLValues copied from the Azure portal.
F. (Optional) Edit the Token Expiration value or select Disable SAML Token Expiration.
On the same page, scroll down touser mappingUnite. Then follow the steps below.
arrive. select itID card nameoptionsIdentity Provider User Mapping.By default, this option is set toID card name, but you can set custom properties.
West. choosee-mailforJamf Pro User Mapping. Jamf Pro maps the SAML attributes sent by the IdP first to users and then to groups. When a user tries to log into Jamf Pro, Jamf Pro gets information about the user from the identity provider and compares it to all Jamf Pro user accounts. If an incoming user account is not found, Jamf Pro tries to match it to a group name.
C. Paste the value
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsin itIdentity provider attribute group nameCampo.
Hey. On the same page, scroll down toSafetysection and selectAllow users to bypass single sign-on authentication.So instead of being redirected to the identity provider's login page for authentication, the user can log in directly to Jamf Pro. IdP-initiated SSO authentication and authorization occurs when a user attempts to access Jamf Pro through an identity provider.
Create a Jamf Pro trial user
Before Azure AD users can log into Jamf Pro, they must be configured in Jamf Pro. Configuration in Jamf Pro is a manual task.
To create a user account, follow these steps:
Log in to the Jamf Pro corporate website as an administrator.
select itset upicon in the upper right corner of the page.
chooseJamf Pro User Accounts and Groups.
chooseCreate a standard account.
for himnew accountdialog box, perform the following steps:
arrive. hereusernamefield, enter
Britta Simon, the full name of the test user.
West. select optionaccess permission,privilege set, yaccess statusagree with your organization.
Catfull namefield, enter
Hey. insideemail addressfield, enter the email address for Britta Simon's account.
mine. herepasswordfield, enter the user's password.
F Stoweverify passwordRe-enter the user password.
Test the SSO configuration
In this section, you will test your Azure AD single sign-on setup using the following options.
clicktry this appin the Azure portal. This will redirect you to the Jamf Pro login URL where you can start the login process.
Go directly to the Jamf Pro login URL and start the login process from there.
- clicktry this appIn the Azure Portal, you should be automatically logged into the Jamf Pro for which you configured SSO
You can also test applications in any mode using Microsoft My Apps. When you click on the Jamf Pro tile in my app, if it's set to SP mode, you'll be redirected to the app's login page to start the login process, and if it's set to IDP mode, you should be automatically logged in Jamf Pro you set up SSO for. For more information about my application, seeAbout my application.
Once you set up Jamf Pro, you can implement Session Control, which protects your organization's sensitive data from leaks and leaks in real time. Session control extends from conditional access.Learn how to enforce session control for cloud applications with Microsoft Defender.