Okta

Jamf Connect Documentation


Jamf Connect supports an integration with Okta Identity Engine or Okta Classic Engine as your cloud identity provider (IdP). With the integration, Jamf Connect and Okta can communicate and provide several essential services:

  • Sync local and network passwords

  • Create local accounts and assign roles

Additional features are available depending on your desired configuration:

  • App-level authentication policies specific to Jamf Connect

  • Tenant-level authentication policies applied to all applications, including Jamf Connect

  • Group membership restriction on the creation of secondary local user accounts in macOS

Jamf Connect provides the following features in all of the configurations below:

  • On-demand local macOS account creation
  • Syncing of the local macOS password with the Okta password
  • Role- or group-based assignment of local macOS standard or administrator account privileges
  • Role- or group-based permission to create additional user accounts on macOS after the first account has been created. This prevents the creation of additional user accounts on devices where machine-level configuration profiles may carry push certificates or other configurations intended for a one-to-one (1:1) issued use case.
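As a check on the role- or group-based administrator assignment described above, the following shell script is an added example and not code from the Jamf Connect documentation. It assumes the standard macOS directory command `dscl . -read /Groups/admin GroupMembership` as the source of the local admin group's members (the sample output line in the comments is constructed), and it reports any local administrator that is not on the list of accounts you expect to hold admin rights, so a device where an unintended account became an administrator can be spotted.

```shell
#!/bin/sh
# Added example (not from the Jamf Connect documentation): verify that only the
# intended accounts hold local administrator privileges after Jamf Connect's
# role- or group-based admin assignment. Assumes the macOS command
#   dscl . -read /Groups/admin GroupMembership
# whose output is a single line such as (constructed sample):
#   GroupMembership: root admin alice

# Read dscl output on stdin and print one admin login name per line,
# skipping the built-in root and admin entries.
parse_admin_members() {
  awk '/^GroupMembership:/ {
         for (i = 2; i <= NF; i++) if ($i != "root" && $i != "admin") print $i
       }'
}

# Read dscl output on stdin; $1 is the space-separated list of accounts that
# are expected to be administrators (for example the members of the Okta
# group mapped to admin privileges). Prints every unexpected local admin and
# returns 1 if any was found, 0 otherwise.
check_local_admins() {
  expected=" $1 "
  rc=0
  for user in $(parse_admin_members); do
    case "$expected" in
      *" $user "*) ;;
      *) echo "unexpected local admin: $user"; rc=1 ;;
    esac
  done
  return $rc
}

# Live check, macOS only (hypothetical file name): ./check_admins.sh alice bob
if [ "$#" -gt 0 ] && command -v dscl >/dev/null 2>&1; then
  dscl . -read /Groups/admin GroupMembership | check_local_admins "$*"
fi
```

Run it on an enrolled Mac with the expected administrator logins as arguments; a non-zero exit status means at least one local administrator exists that the Okta group mapping did not intend, which makes the script simple to fold into an inventory or compliance job.
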

Many features depend on your Jamf Connect configuration type and on which Okta tenant your organization uses. The following compatibility matrix shows which features are available in each combination:
Okta Engine Type: Okta Classic Engine
Identity Provider in Jamf Connect: Okta (provider type Okta)
Additional features:
  • Group membership restriction on the creation of secondary accounts in macOS
  • User assignment to a specific app is not required for password syncing
Authentication policy:
  • Authentication is defined at the tenant level

Okta Engine Type: Okta Classic Engine
Identity Provider in Jamf Connect: Okta OpenID Connect (OIDC) (provider type OktaOIDC)
Additional features:
  • Web-based login interface similar to other Okta experiences
  • User assignment can provide local access and password syncing for specific apps in Okta
Authentication policy:
  • Authentication is defined at the application level
  • To enforce multifactor authentication, two applications will be necessary

Okta Engine Type: Okta Identity Engine
Identity Provider in Jamf Connect: Okta (provider type Okta)
Additional features:
  • Group membership restriction on the creation of secondary accounts in macOS
  • User assignment to a specific app is not required for password syncing
Authentication policy:
  • Authentication is defined by global session policies
  • Applications for access, secondary account creation, and administrator privileges must be set to password-based authentication

Okta Engine Type: Okta Identity Engine
Identity Provider in Jamf Connect: Okta Identity Engine (provider type OktaIdentityEngine)
Additional features:
  • Group membership restriction on the creation of secondary accounts in macOS
  • User assignment to the Jamf Connect application in Okta is required
Authentication policy:
  • Authentication is defined by global session and individual app policies
  • Applications for access, secondary account creation, and administrator privileges must be set to password-based authentication

Okta Engine Type: Okta Identity Engine
Identity Provider in Jamf Connect: Okta OpenID Connect (OIDC) (provider type OktaOIDC)
Additional features:
  • Web-based login interface similar to other Okta experiences
  • Local standard and administrator privileges can be assigned based on Okta group membership
  • User assignment to the Jamf Connect application in Okta is required
Authentication policy:
  • Authentication is defined by global session and individual app policies
  • To enforce multifactor authentication, two applications will be necessary

Note: Reconfiguring the Jamf Connect application is not required when changing from Okta Classic Engine to Okta Identity Engine. If your organization uses a Jamf Connect configuration with Okta as a custom OIDC IdP, no changes are required either. The Okta-OIDC identity provider type eliminates the need to include a specific Discovery URL and OIDCScope key.

If you are unsure which configuration to choose, Jamf recommends using Okta Identity Engine as both your tenant and your Jamf Connect IdP.