Configuring Jamf Connect with AD FS

Jamf Connect Documentation

Solution

Application

Jamf Connect

Content Type

Technical Documentation

Utilities & Services

ft:locale

en-US

Requirements

A Jamf Connect registered app in Microsoft Entra ID. For instructions, see Jamf Connect Identity Provider Integrations.
A Jamf Connect application in AD FS . For instructions, see the AD FS OpenID Connect/OAuth concepts documentation from Microsoft.
Microsoft Entra ID Connect
Windows Server 2016 (includes AD FS 4.0) or later

Confirm that your Microsoft Entra ID and AD FS environments are successfully configured and enabled for OpenID Connect authentication protocols.

Add the following preference keys to your login window configuration profile:


Setting	Description
Identity Provider `OIDCProvider`	Specifies Microsoft Entra ID as your cloud IdP to use for authentication. `<key>OIDCProvider</key> <string>Azure</string>`
Client ID `OIDCClientID`	The client ID of the registered app in your IdP used to authenticate the user. `<key>OIDCClientID</key> <string>8zcc52c7-ee36-4889-8517-lkjslkjoe23</string>`
Create a Separate Local Password `OIDCNewPassword`	Prompts users to re-enter their network password, which also becomes the local account password. This ensures a user's network and local password are synced during user creation. `<key>OIDCNewPassword</key> <false/>`
Identity Provider (Hybrid ID) `ROPGProvider`	Specifies where Jamf Connect should attempt to sync passwords. Set this value to "Custom", which allows Jamf Connect to use AD FS. `<key>ROPGProvider</key> <string>Custom</string>`
Client ID (Password Verification) `OIDCROPGID`	The client ID of your Jamf Connect AD FS application. `<key>OIDCROPGID</key> <string>86f07d1c-0ae4-437d-9fde-fcf165a5a965</string>`
Redirect URI (Hybrid ID) `ROPGRedirectURI`	The redirect URI used by the created application in AD FS. `<key>ROPGRedirectURI</key> <string>https://127.0.0.1/jamfconnect</string>`
Discovery URL (Hybrid ID) `ROPGDiscoveryURL`	Specifies your OpenID Connect discovery endpoint. This value contains your AD FS domain combined with the following: "/adfs/.well-known/openid-configuration" `<key>ROPGDiscoveryURL</key> <string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>`

Add the following IdPSettings dictionary keys to your Self Service+ configuration profile:


Setting	Description
Identity Provider `Provider`	Specifies where Jamf Connect should attempt to sync passwords. Set this value to "Custom", which allows Jamf Connect to use AD FS. `<key>Provider</key> <string>Custom</key>`
Discovery URL `DiscoveryURL`	Specifies your OpenID Connect discovery endpoint. This value contains your AD FS domain combined with the following: "/adfs/.well-known/openid-configuration" `<key>DiscoveryURL</key> <string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>`
Client ID `ROPGID`	The client ID of your Jamf Connect AD FS application. `<key>ROPGID</key> <string>86f07d1c-0ae4-437d-9fde-fcf165a5a965</string>`

Test your configuration profiles with Jamf Connect Configuration or a test computer to confirm authentication is correctly configured.
Save your configuration profiles.

You can now deploy the configuration profiles with an MDM solution.