Configuring a Conditional Access Jamf MFA Policy

Jamf Connect Documentation


This policy removes the MFA requirement for devices that connect through Jamf Connect's Zero Trust Network Access, while still enforcing multi-factor authentication for the specified cloud apps on devices that are not using the service.

Therefore, if you already have one or more Conditional Access policies that enforce MFA, update them to exclude Zero Trust Network Access IP addresses as described below, rather than creating a new Conditional Access policy.

  1. In Azure AD, navigate to Security > Conditional Access.
  2. Click Named Locations, then New Location.
  3. Give the profile a memorable Name (for example, "Jamf Trusted IPs").
  4. Make sure IP ranges is selected.
  5. Check the Mark as trusted location box.
  6. In the IP ranges area, add the Cloud Internet Gateway IP addresses for Zero Trust Network Access in CIDR notation. For more information, see Zero Trust Network Access Cloud Internet Gateways.
    Note:

    Add the suffix /32 to each IP address.

  7. Click Create.
  8. Back in the Conditional Access panel, click Policies in the left-hand menu.
  9. Click New policy.
  10. Enter a memorable Name (for example, "Jamf MFA").
  11. Click Assignments, then pick the users to which this policy should apply.
    Note:

    Jamf recommends that you start with a set of test users first.

  12. Click Cloud apps or actions, then include the apps that Zero Trust Network Access should be used to access.
    Note:

    Jamf recommends that you test your configuration with a specific cloud app first, before applying this setting to all apps.

  13. Click Conditions, then click Locations.
  14. Click Yes for Configure.
  15. Under Include, select Any Location.
  16. Under Exclude, select Selected Locations and choose the trusted location that you created above (for example, "Jamf Trusted IPs").
  17. Under Access Controls > Grant, select Require multi-factor authentication.
  18. Click Select.
  19. For Enable policy, select Report-only, or select On if you are ready to enforce the policy.
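The same configuration expressed as Microsoft Graph request bodies, as an added Python example that is not part of the Jamf documentation: it builds the trusted named location (normalizing each gateway address to /32) and the MFA policy that excludes it, and includes a check that the policy still requires MFA from every other location. The gateway IPs, user IDs, app IDs and location ID are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample values: replace with the Cloud Internet Gateway
# addresses listed in the Zero Trust Network Access documentation.
SAMPLE_GATEWAY_IPS = ["203.0.113.10", "203.0.113.11/32", "198.51.100.7"]
GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"


def to_host_cidr(ip):
    """Normalize a bare IPv4 address (or /32) to strict /32 CIDR (step 6 note)."""
    net = ipaddress.ip_network(ip, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"expected a single IPv4 host address, got {ip}")
    return str(net)


def named_location_body(name, ips):
    """Body for POST {GRAPH}/namedLocations (steps 2 to 7)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": True,  # "Mark as trusted location"
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": to_host_cidr(ip)}
            for ip in ips
        ],
    }


def mfa_policy_body(name, user_ids, app_ids, trusted_location_id, enforce=False):
    """Body for POST {GRAPH}/policies (steps 9 to 19); report-only unless enforce=True."""
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": user_ids},          # start with test users
            "applications": {"includeApplications": app_ids},
            "locations": {"includeLocations": ["All"], "excludeLocations": [trusted_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_exempts_location(policy, location_id):
    """Review check: MFA is required from every location except the trusted one."""
    loc = policy["conditions"]["locations"]
    return ("mfa" in policy["grantControls"]["builtInControls"]
            and loc["includeLocations"] == ["All"]
            and location_id in loc["excludeLocations"])


if __name__ == "__main__":
    print(json.dumps(named_location_body("Jamf Trusted IPs", SAMPLE_GATEWAY_IPS), indent=2))
    print(json.dumps(mfa_policy_body("Jamf MFA", ["<test-user-id>"], ["<app-id>"], "<location-id>"), indent=2))
```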