LDAP Directory Service Integration

Jamf Pro Documentation 11.16.0

You can integrate Jamf Pro with any number of LDAP directory services. Integrating with an LDAP directory service allows you to do the following:

  • Look up and populate user information from an LDAP directory service for inventory purposes.

  • Add Jamf Pro user accounts or groups from an LDAP directory service.

  • Require users to log in to Self Service or the enrollment portal using their LDAP directory accounts.

  • Require users to log in during mobile device setup using their LDAP directory accounts.

  • Base the scope of remote management tasks on users or groups from the directory service.

Note:

Jamf Pro may experience performance issues if too many LDAP groups are included in the scope of an object. If you need to use multiple LDAP criteria within a scope, consider creating a smart group with those criteria, and then scope to that smart group instead.

To integrate with LDAP directory services, you need to add an LDAP server to Jamf Pro. There are two ways to add LDAP servers to Jamf Pro: using the LDAP Server Assistant or manually. The best method to use depends on your environment.

If you are using Jamf Cloud, you must install a Jamf Infrastructure Manager server to allow Jamf Cloud to communicate with on-premises Active Directory services. Once you have added Jamf Infrastructure Manager, you can manually add an LDAP server. For more information, see the Jamf Infrastructure Manager for LDAP Proxy Installation Guide.

If you are using an on-premises environment, use the LDAP Server Assistant to add an LDAP server.

The LDAP Server Assistant guides you through the process of entering information about an LDAP server and ensuring that LDAP attributes are mapped properly. It allows you to integrate with the following directory services:

  • Apple’s Open Directory

  • Microsoft’s Active Directory

  • NetIQ eDirectory

Note:

When the connection uses SSL, the LDAP server must present its server certificate when Jamf Pro initiates the TLS handshake. If that certificate does not chain to a CA that Jamf Pro already trusts, the connection fails; in that case, add the trusted root certificate of the CA that issued the server certificate in Jamf Pro.
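The following script is an added example, not part of the Jamf Pro documentation and not Jamf's own tooling. It reproduces the trust decision an LDAPS client makes against a directory server so you can tell apart, before editing anything in Jamf Pro, the three things a failed SSL connection can mean: the issuing CA is not trusted (upload its root certificate), the certificate's name does not match the hostname you configured (a root certificate will not fix this), or the server is not reachable on the LDAPS port. The hostname and CA file it reads from the command line are placeholders.

```python
"""Reproduce the trust decision an LDAPS client makes against a directory server.

Added example; not part of the Jamf Pro documentation and not Jamf's own code.
"""
import socket
import ssl
from typing import Optional, Tuple


def classify_verify_message(msg: str) -> str:
    """Map OpenSSL's verification message to the action it calls for."""
    # OpenSSL reports a SAN/CN mismatch through the same exception type as a
    # chain failure. Adding a root certificate will not fix this case; the
    # hostname configured for the LDAP server must match a name in the cert.
    if "hostname mismatch" in msg.lower():
        return "name_mismatch"
    return "untrusted"


def check_ldaps_trust(host: str, port: int = 636, cafile: Optional[str] = None,
                      timeout: float = 5.0) -> Tuple[str, str]:
    """Return (status, detail) for a TLS handshake to host:port.

    status: "trusted", "untrusted", "name_mismatch" or "unreachable".
    cafile: PEM bundle to trust *instead of* the system store, for example the
    root certificate you intend to add to Jamf Pro, to confirm it completes
    the chain before you upload it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Defaults are CERT_REQUIRED with check_hostname=True, i.e. the same
    # checks a correctly configured LDAPS client applies.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                return "trusted", f"chain verified; issuer CN={issuer.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        detail = exc.verify_message or str(exc)
        return classify_verify_message(detail), detail
    except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
        return "unreachable", str(exc)


if __name__ == "__main__":
    import sys
    # Placeholder arguments (assumed): hostname of the directory server and an
    # optional PEM file holding the candidate root certificate.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_ldaps_trust(target, cafile=ca))
```

Run it once without a CA file to see what the system store makes of the server, then again with the root certificate you plan to upload: a result of "untrusted" that turns into "trusted" confirms that the root is the right one to add in Jamf Pro. This checks the LDAPS form on port 636; a hostname entered in Jamf Pro that differs from the one in the certificate will show up as "name_mismatch" regardless of which roots are trusted.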

Manually adding an LDAP server involves entering detailed information about the LDAP server and manually configuring attribute mappings. This allows you to integrate with additional Directory Services. If manually configuring LDAP server settings for Active Directory, see the LDAP Attribute Mappings Reference article for information on configuration settings and example attribute values.

Best Practice:

Optimizing LDAP Server Lookups

If your organization's LDAP service is very large, you can improve the speed of Jamf Pro's queries by creating an additional LDAP server object in Jamf Pro that connects to the same server but with a narrower search base. To do so, clone the LDAP server object whose search performance you want to improve, and then edit the Search Base field in the Mappings pane.

Jamf Pro queries LDAP server objects in ascending order of their object ID. For this method to be effective, the LDAP server object with the lowest object ID must be the one configured with the narrowest search base. The object ID appears in the browser URL when you view the LDAP server object in Jamf Pro, so check the IDs of the original and the clone after editing and confirm that the narrow search base is on the lower one.
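Because the rule above depends on two things that are easy to get backwards (which object has the lower ID, and which search base is actually the narrower one), the following check is added here as an example; it is not Jamf's own code and uses no Jamf Pro API. It takes the three values you would read off each LDAP server object (its object ID from the URL, its hostname, and the Search Base from the Mappings pane), treats "narrower" as "a proper subtree of", and reports any host where the object queried first is not the narrowest. The sample records are constructed.

```python
"""Check that LDAP server objects pointing at the same host are ordered so the
narrowest search base is queried first.

Added example; not Jamf's own code and not a Jamf Pro API. Records are the
three values read from each LDAP server object in the Jamf Pro UI.
"""
import re

# Constructed sample data: two objects for one domain controller (a clone with
# a narrower base that received a higher ID) and one for an Open Directory host.
SAMPLE_SERVERS = [
    {"id": 3, "hostname": "dc01.corp.example",
     "search_base": "DC=corp,DC=example"},
    {"id": 7, "hostname": "DC01.corp.example",
     "search_base": "OU=Staff,OU=Users,DC=corp,DC=example"},
    {"id": 9, "hostname": "od.corp.example",
     "search_base": "cn=users,dc=od,dc=corp,dc=example"},
]

# Split on commas that are not escaped with a backslash (RFC 4514 escaping),
# so an RDN such as "OU=Sales\, EMEA" stays intact.
_SPLIT_RDN = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return the DN as a list of normalized RDNs, leaf first and root last."""
    rdns = []
    for rdn in _SPLIT_RDN.split(dn):
        attr, _, value = rdn.strip().partition("=")
        # Attribute types and AD/OD DN values are matched case-insensitively.
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def is_under(narrow, broad):
    """True if `narrow` is a proper subtree of `broad` (same suffix, more RDNs)."""
    n, b = parse_dn(narrow), parse_dn(broad)
    return len(n) > len(b) and n[-len(b):] == b


def check_lookup_order(servers):
    """Return findings as strings; an empty list means every host is laid out
    so that its lowest-ID object (queried first) has the narrowest base."""
    by_host = {}
    for s in servers:
        by_host.setdefault(s["hostname"].lower(), []).append(s)

    findings = []
    for host, group in by_host.items():
        if len(group) < 2:
            continue  # nothing to order
        group.sort(key=lambda s: s["id"])  # Jamf Pro's query order
        first = group[0]
        for other in group[1:]:
            if is_under(first["search_base"], other["search_base"]):
                continue  # queried first and narrower: the intended layout
            if is_under(other["search_base"], first["search_base"]):
                findings.append(
                    f"{host}: id {other['id']} ({other['search_base']}) is narrower "
                    f"than id {first['id']} ({first['search_base']}) but is queried later")
            else:
                findings.append(
                    f"{host}: id {first['id']} and id {other['id']} have disjoint "
                    f"search bases; ordering does not narrow the lookup")
    return findings


if __name__ == "__main__":
    for line in check_lookup_order(SAMPLE_SERVERS) or ["ok: narrowest base is queried first"]:
        print(line)
```

On the sample data the script flags dc01.corp.example, because the clone (ID 7) carries the narrow base while the original (ID 3), which Jamf Pro queries first, still has the domain root as its search base. The third case it reports, disjoint bases, is worth a look too: if the two bases do not nest, the lookup is being split across subtrees rather than narrowed, which is not what this best practice is for.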