Login Window Authentication Settings

Jamf Connect Documentation

  • Domain: com.jamf.connect.login
  • Description: Used to allow Jamf Connect to complete authentication between your IdP and local accounts at the login window. Required settings vary by IdP.

Setting

Description

Identity Provider

OIDCProvider

Specifies your cloud identity provider. The following values are supported:

  • EntraID (formerly Azure)
  • IBMCI
  • GoogleID
  • OneLogin
  • Okta
  • OktaIdentityEngine
  • Okta-OIDC
  • PingFederate
  • Custom
<key>OIDCProvider</key>
<string>Azure</string>

Auth Server

AuthServer

(Okta Only) Specifies your organization's Okta domain URL for use with the authentication API.

<key>AuthServer</key>
<string>yourcompany.okta.com</string>

Client ID

OIDCClientID

Specifies the client ID of the Jamf Connect app in your IdP used to authenticate the user.

<key>OIDCClientID</key>
<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

Redirect URI

OIDCRedirectURI

Specifies the redirect URI used by your Jamf Connect app in your IdP.

https://127.0.0.1/jamfconnect is recommended by default, but any URI value may be used as long as the configured value in your IdP matches the value in your Jamf Connect login configuration profile.

<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>

Client Secret

OIDCClientSecret

Specifies the client secret used by Jamf Connect Login and your IdP.

<key>OIDCClientSecret</key>
<string>insert-client-secret-here</string>

Tenant ID

OIDCTenant

Specifies the Tenant ID for your organization that's used for authentication.

<key>OIDCTenant</key>
<string>c27d1b33-59b3-4ab2-a5c9-23jf0093</string>

Discovery URL

OIDCDiscoveryURL

Specifies your IdP's OpenID metadata document that stores OpenID configuration information. This value appears in the following format: "https://domain.url.com/.well-known/openid-configuration"

Note: This key is required if your Identity Provider (OIDCProvider) is set to Custom or PingFederate.

<key>OIDCDiscoveryURL</key>
<string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>

Use Passthrough Authentication

OIDCUsePassthroughAuth

Securely sends a user's network password entered in the sign-in web view to Jamf Connect for local authentication. This allows Jamf Connect to complete network and local authentication without prompting users to re-enter a password. During local account creation, this ensures that the network password is automatically used as the local password. This setting is disabled (set to false) by default.

If you are using Entra ID, the OIDCNewPassword setting must be disabled (set to false).

<key>OIDCUsePassthroughAuth</key>
<false/>
For more information, see Passthrough Authentication with Jamf Connect.

Change Password URL

ChangePasswordURL

(OIDC authentication only) Specifies a URL to your identity provider's password change page. This URL is used to help users change their password when a user's current or temporary password for newly provisioned computers does not meet an IT-managed password policy requirement.

<key>ChangePasswordURL</key>
<string>https://IDP_EXAMPLE.com/.well-known/change-password</string>

License File

LicenseFile

Specifies the contents of a Jamf Connect license file encoded in Base64 data format. License files are available from Jamf Account.

<key>LicenseFile</key>
<data>encoded-license-content</data>

Offline MFA

OfflineMFA

If enabled (set to true), this setting enables users to log in with a time-based one-time password through their mobile device with a supported authenticator app, such as Google Authenticator or Okta Verify.
<key>OfflineMFA</key>
<false/>
For more information, see Configuring Offline Multifactor Authentication.

Remove Offline Multifactor Authentication

RemoveOfflineMFA
When enabled, users must authenticate their identity before being able to remove offline multifactor authentication. Adding OTPAuth or IdPAuth to the setting adds a preference key to your PLIST file, which indicates how the user will be required to authenticate.
<key>OfflineMFA</key>
<true/>
<key>RemoveOfflineMFA</key>
<string>OTPAuth</string>
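
The following Python check is an added example, not Jamf's own tooling: it lints the settings dictionary of a com.jamf.connect.login payload against the constraints stated on this page (supported OIDCProvider values, the OIDCDiscoveryURL requirement for Custom and PingFederate, the Entra ID passthrough rule, and the RemoveOfflineMFA values). The function name, the sample payload, and the choice to report a missing OIDCNewPassword as a finding are assumptions.

```python
import plistlib

# Values listed under OIDCProvider on this page; "Azure" is the value the
# page's own example uses for Entra ID.
PROVIDERS = {"EntraID", "Azure", "IBMCI", "GoogleID", "OneLogin", "Okta",
             "OktaIdentityEngine", "Okta-OIDC", "PingFederate", "Custom"}
ENTRA = {"EntraID", "Azure"}
NEEDS_DISCOVERY = {"Custom", "PingFederate"}
REMOVE_MFA_MODES = {"OTPAuth", "IdPAuth"}
WELL_KNOWN = "/.well-known/openid-configuration"


def lint_login_settings(plist_bytes):
    """Return a list of findings for a com.jamf.connect.login settings plist."""
    cfg = plistlib.loads(plist_bytes)
    findings = []
    provider = cfg.get("OIDCProvider")
    if provider not in PROVIDERS:
        findings.append(f"OIDCProvider {provider!r} is not a supported value")
    url = cfg.get("OIDCDiscoveryURL")
    if provider in NEEDS_DISCOVERY and not url:
        findings.append(f"OIDCDiscoveryURL is required when OIDCProvider is {provider}")
    if url and not (url.startswith("https://") and url.endswith(WELL_KNOWN)):
        findings.append("OIDCDiscoveryURL does not match https://<domain>" + WELL_KNOWN)
    # Assumption: an absent OIDCNewPassword is reported too, since the page
    # asks for it to be set to false and does not state its default.
    if (provider in ENTRA and cfg.get("OIDCUsePassthroughAuth") is True
            and cfg.get("OIDCNewPassword") is not False):
        findings.append("OIDCUsePassthroughAuth with Entra ID needs OIDCNewPassword set to false")
    mode = cfg.get("RemoveOfflineMFA")
    if mode is not None and mode not in REMOVE_MFA_MODES:
        findings.append(f"RemoveOfflineMFA {mode!r} is not OTPAuth or IdPAuth")
    return findings


# Constructed sample payload (not a real deployment).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OIDCProvider</key><string>Custom</string>
  <key>OIDCClientID</key><string>constructed-client-id</string>
  <key>OIDCUsePassthroughAuth</key><true/>
  <key>OfflineMFA</key><true/>
  <key>RemoveOfflineMFA</key><string>Password</string>
</dict></plist>"""

if __name__ == "__main__":
    for finding in lint_login_settings(SAMPLE):
        print("FINDING:", finding)
```

Running the check in a deployment pipeline before a profile is pushed catches these mismatches before they surface as failed sign-ins at the login window.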