Creating a Jamf Connect Configuration Profile with Conditional Access Settings

Jamf Connect Documentation


With the scopes from your Jamf Connect application registrations in place, create a new Jamf Connect configuration profile that uses them. Doing so prevents unexpected authorization errors and preserves MFA enforcement for users during authentication.

Requirements
  • Access to your organization's Microsoft Entra ID admin console.

  • An application registration with a custom API.

  • An application registration that calls the custom scope.

  • A Conditional Access exclusion policy for MFA exemption.

  • The Jamf Connect Configuration app installed on your computer. To obtain an installer PKG, go to Jamf Account > Products > Jamf Connect.

  1. Open the Jamf Connect Configuration app.
  2. In the Identity Provider tab, configure the following settings:
    1. Set Identity Provider to Entra ID.
    2. Set OIDC Client ID to the application ID of the Jamf Connect - OIDC Endpoint application.
    3. Set ROPG Client ID to the application ID of the Jamf Connect - OIDC Endpoint application.
    4. Set Tenant to the UUID of your Entra ID tenant. This value appears in the App registrations tab of either Jamf Connect application in Entra ID.
    5. Set OIDC Redirect URI to https://127.0.0.1/jamfconnect.
    6. Set OpenID Connect Scopes to api://[APPLICATION ID]/jamfconnect+openid+email+profile, substituting [APPLICATION ID] with the scope value copied in the Creating an Application Registration with a Custom API task.
      Note: If you have an MFA policy that you want enforced for Jamf Connect login, skip this step.

  3. (Optional) Add the administrator value from your Jamf Connect - OIDC Endpoint application to Admin Roles and set Admin Attribute to roles.
  4. In the Connect tab, configure the following settings:
    1. Verify that ROPG Client ID has auto-populated based on your Identity Provider tab settings.
    2. Set ROPG Tenant to the UUID of your Entra ID tenant.
    3. Set ROPG Scopes to api://[APPLICATION ID]/jamfconnect+openid+email+profile.
  5. Test your OIDC configuration with MFA required:
    1. Navigate to your Microsoft Entra ID admin console.
    2. Click Entra ID > Sign-in logs.
    3. Verify that the authentication requirement shows Multi-factor authentication.
  6. To test ROPG, add the configuration file to a non-production test machine:
    1. Save the Self Service+ configuration as a .mobileconfig file.
    2. Manually install the .mobileconfig file in System Preferences on the test machine.
    3. For environments using Jamf Connect 2.45.1 or earlier, install the JamfConnect.pkg in the software installer distribution image from Jamf Account. For environments using Jamf Connect 3.0 or later, install Self Service+ from Jamf Account.
    4. Log in to Jamf Connect or Self Service+.
    5. Navigate to your Microsoft Entra ID admin console.
    6. Click Entra ID > Sign-in logs.
    7. Verify that the authentication requirement shows Single-factor authentication.

The Basic info tab in your Entra ID admin console should confirm that no policies were applied to the related login. Jamf Connect now checks the password in the background and reduces the chance of a user's login session being marked as a risk.
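A pre-deployment check for the saved .mobileconfig, added here as an example and not part of Jamf's documentation or software: it parses the profile and verifies the values the procedure above specifies (matching OIDC and ROPG client IDs, a UUID tenant, the exact redirect URI, and the api://[APPLICATION ID]/jamfconnect+openid+email+profile scope string). The com.jamf.connect.login domain and the OIDC* key names are assumptions based on Jamf Connect's login-window preference keys as I know them, and the IDs in the sample are constructed placeholders.

```python
import plistlib
import re

LOGIN_DOMAIN = "com.jamf.connect.login"  # assumed login-window preference domain
EXPECTED_REDIRECT = "https://127.0.0.1/jamfconnect"
REQUIRED_SCOPES = {"openid", "email", "profile"}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample profile with placeholder IDs (not a real tenant or app).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.jamf.connect.login</string>
<key>OIDCClientID</key><string>11111111-1111-1111-1111-111111111111</string>
<key>OIDCROPGID</key><string>11111111-1111-1111-1111-111111111111</string>
<key>OIDCTenant</key><string>22222222-2222-2222-2222-222222222222</string>
<key>OIDCRedirectURI</key><string>https://127.0.0.1/jamfconnect</string>
<key>OIDCScopes</key><string>api://33333333-3333-3333-3333-333333333333/jamfconnect+openid+email+profile</string>
</dict></array></dict></plist>"""


def scope_problems(scopes, custom_api_app_id):
    """Check a '+'-joined scope string for the custom API scope and the standard scopes."""
    parts = scopes.split("+")
    problems = []
    expected_custom = f"api://{custom_api_app_id}/jamfconnect"
    if expected_custom not in parts:
        problems.append(f"custom scope {expected_custom} missing")
    missing = REQUIRED_SCOPES - set(parts)
    if missing:
        problems.append("missing standard scopes: " + ", ".join(sorted(missing)))
    return problems


def profile_problems(mobileconfig, custom_api_app_id):
    """Return findings for the login-window payload; an empty list means it matches the procedure."""
    root = plistlib.loads(mobileconfig)
    payloads = [p for p in root.get("PayloadContent", []) if p.get("PayloadType") == LOGIN_DOMAIN]
    if len(payloads) != 1:
        return [f"expected exactly one {LOGIN_DOMAIN} payload, found {len(payloads)}"]
    p = payloads[0]
    problems = []
    if p.get("OIDCClientID") != p.get("OIDCROPGID"):  # both must be the OIDC Endpoint app ID
        problems.append("OIDC and ROPG client IDs differ")
    if not UUID_RE.match(p.get("OIDCTenant", "")):
        problems.append("OIDCTenant is not a tenant UUID")
    if p.get("OIDCRedirectURI") != EXPECTED_REDIRECT:
        problems.append(f"redirect URI must be {EXPECTED_REDIRECT}")
    problems += scope_problems(p.get("OIDCScopes", ""), custom_api_app_id)
    return problems


if __name__ == "__main__":
    for line in profile_problems(SAMPLE_PROFILE, "33333333-3333-3333-3333-333333333333") or ["profile OK"]:
        print(line)
```

Pass the application ID of the custom API registration (the one copied in the Creating an Application Registration with a Custom API task) as the second argument; a non-empty list means the profile will not request the scope that the Conditional Access exclusion policy is keyed on.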