In this tutorial, you'll learn how to integrate Jamf Pro with Azure Active Directory (Azure AD). When you integrate Jamf Pro with Azure AD, you can:
- Use Azure AD to control who has access to Jamf Pro.
- Automatically signs users into Jamf Pro using their Azure AD account.
- Manage your account in one central place: the Azure portal.
To get started, you need the following items:
- Azure AD subscription. If you don't have a subscription, you can getfree account.
- A Jamf Pro subscription with single sign-on (SSO) enabled.
In this tutorial, you will configure and test Azure AD SSO in a test environment.
- Jamf Pro supportSP initiatedandIdP initiatedsign in.
Add Jamf Pro from the library
To configure the integration of Jamf Pro with Azure AD, you need to add Jamf Pro from the gallery to the list of managed SaaS apps.
- Sign in to the Azure portal with your work or school account or your personal Microsoft account.
- In the left pane, selectAzure Active DirectoryServe.
- goEnterprise application, and selectall applications.
- To add a new application, select thenew application.
- insideadd from gallerysection, enterJamf Proin the search box.
- chooseJamf ProFrom the resulting panel, then Add Application. Wait a few seconds for the application to be added to your tenant.
Alternatively, you can useEnterprise Application Configuration Wizard.In this wizard, you can add the application to the tenant, add users/groups to the application, assign roles, and complete the SSO configuration.Learn more about the Microsoft 365 wizard.
Configure and test SSO for Jamf Pro in Azure AD
Configure and test Azure AD SSO with Jamf Pro using a test user named B.Simon. For SSO to work, you need to have a link relationship between the Azure AD user and the related user in Jamf Pro.
In this section, you will configure and test Azure AD SSO using Jamf Pro.
- Configure SSO in Azure ADso that your users can use this functionality.
- Create an Azure AD test userTest Azure AD SSO with B.Simon account.
- Assign an Azure AD test userThis allows B.Simon to use SSO in Azure AD.
- Configure SSO in Jamf ProConfigure SSO settings on the application side.
- Create a Jamf Pro test userHave a copy of B.Simon in Jamf Pro that is linked to the user's Azure AD representation.
- Test the SSO configurationVerify that the configuration is valid.
Configure SSO in Azure AD
In this section, you will enable Azure AD SSO in the Azure portal.
In the Azure portal,Jamf ProApplication Integration page, findmanagesection and selectsign in.
existChoose a single sign-on methodpage, selectSAML.
existSet up single sign-on using SAMLpage, select the pencil iconBasic SAML configurationEdit settings.
existBasic SAML configurationsection, if you want to configure the applicationIdP initiatedmode, enter values for the following fields:
a. insideidentifiertext box, enter the URL using the following formula:
b.insidereply urltext box, enter the URL using the following formula:
chooseSet additional URLs.if you want to configure the applicationSP initiatedmode, inLogin URLtext box, enter the URL using the following formula:
These values are not real. Update these values with the actual Identifier, Reply URL, and Login URL. You will start fromsign insection in the Jamf Pro portal, which is explained later in this tutorial. You can extract the actual subdomain value from the identifier value and use that subdomain information as your login URL and reply URL. You can also refer to the formula shown in the figureBasic SAML configurationsection in the Azure portal.
existSet up single sign-on using SAMLpage, go toSAML Signing Certificatesection, selectcopycopy buttonApp syndication metadata URL, and save it to your computer.
Create an Azure AD test user
In this section, you will create a test user named B.Simon in the Azure portal.
- In the left pane of the Azure portal, selectAzure Active Directory, chooseuser, and selectall users.
- choosenew userat the top of the screen.
- insideuserproperties, follow these steps:
- insideNamefield, enter
- insideusernamefield, enter [name]@[company domain].[extension]. For example,
- chooseshow passwordcheckbox, then make a note of thepasswordBox.
- insideNamefield, enter
Assign an Azure AD test user
In this section, you give B.Simon access to Jamf Pro.
- In the Azure portal, selectEnterprise application, and selectall applications.
- In the list of applications, chooseJamf Pro.
- On the app's overview page, find themanagesection and selectusers and groups.
- chooseAdd user, and selectusers and groupsinsideadd homeworkdialog box.
- insideusers and groupsdialog box, selectSimonfrom the list of users, then choosechoosebutton at the bottom of the screen.
- If you wish to assign a role to a user, you can do so from thechoose a rolefall. If no roles have been set for this application, you will see the Default Access role selected.
- insideadd homeworkdialog box, selectdistributebutton.
Configure SSO in Jamf Pro
For automatic configuration in Jamf Pro, installMy App Secure Login Browser Extensionby choosinginstall extension.
After adding the extension to your browser, selectSet up Jamf Pro.When the Jamf Pro application opens, provide administrator credentials to log in. The browser extension will automatically configure the application and perform steps 3 through 7 automatically.
To set up Jamf Pro manually, open a new web browser window and log in to your Jamf Pro company site as an administrator. Then, perform the following steps.
choosesettings iconfrom the top right corner of the page.
existsign inpage, follow the steps below.
b. to chooseEnable single sign-on authenticationcheckbox.
c. chooseblueas an optionidentity providerdrop-down menu.
d. copyentity numbervalue and paste it inIdentifier (Entity ID)fields inBasic SAML configurationsection in the Azure portal.
value in use
fields to complete the login URL and reply URLBasic SAML configurationsection in the Azure portal.
e. chooseMetadata URLfromIdentity Provider Metadata Sourcedrop-down menu. In the field that appears, paste theApp Federation metadata URLsValues copied from the Azure portal.
F. (Optional) Edit the token expiration value or select Disable SAML Token Expiration.
On the same page, scroll down touser mappingpart. Then, perform the following steps.
a. chooseName IDoptionsIdentity Provider User Mapping.By default, this option is set toName ID, but you can define custom properties.
b. to choosee-mailforJamf Pro User Mapping. Jamf Pro maps the SAML attributes sent by the IdP, first by the user and then by the group. When a user tries to access Jamf Pro, Jamf Pro gets information about the user from the identity provider and matches it with all Jamf Pro user accounts. If an incoming user account is not found, Jamf Pro tries to match it by group name.
c. paste value
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsinsideIdentity provider group attribute namesite.
d. On the same page, scroll down toSafetysection and selectAllow users to bypass single sign-on authentication.So instead of being redirected to the identity provider login page for authentication, the user can log in directly to Jamf Pro. IdP-initiated SSO authentication and authorization occurs when a user attempts to access Jamf Pro through an identity provider.
Create a Jamf Pro test user
In order for Azure AD users to log in to Jamf Pro, they must be provisioned to Jamf Pro. Configuration in Jamf Pro is a manual task.
To provide a user account, perform the following steps:
Log in to your Jamf Pro company site as an administrator.
chooseset upicon in the upper right corner of the page.
chooseJamf Pro User Accounts and Groups.
chooseCreate a standard account.
existnew accountdialog box, perform the following steps:
a. insideusernamefield, enter
Britta Simon, the full name of the test user.
b. Select optionsaccess permission,privilege set, andaccess statusMatch your organization.
c. insidefull namefield, enter
d.insideemail addressfield, enter the email address for Britta Simon's account.
e. insidepasswordfield, enter the user's password.
F. insideverify passwordfield, enter the user password again.
Test the SSO configuration
In this section, you will test your Azure AD single sign-on configuration using the following options.
clicktest this appin the Azure portal. This will redirect you to the Jamf Pro Sign on URL where you can start the sign in process.
Go directly to the Jamf Pro login URL and start the login process from there.
Initiated by IDPs:
- clicktest this appIn the Azure Portal, you should be automatically logged into the Jamf Pro that you set up SSO for
You can also test applications in any mode using Microsoft My Apps. When you click on the Jamf Pro tile in My Apps, if configured in SP mode, you will be redirected to the application login page to start the login process, if configured in IDP mode, you should be automatically logged in to Jamf Pro you set up SSO. For more information on My Apps , seeAbout my application.
Once Jamf Pro is configured, you can enforce session controls, protecting your organization's sensitive data from exfiltration and exfiltration in real time. Session control extends from conditional access.Learn how to enforce session control with Microsoft Defender for Cloud Apps.