Pro Presentation agenda:
- Create an Office 365/Azure account
- Configure Azure AD Domain Services and Secure LDAP
- Configure Azure for SSO
- Enable LDAP and SSO in Jamf Pro
- Look at different ways of provisioning access
What is Azure AD Domain Services?
- A managed Active Directory environment in the cloud
- Replicates from Azure AD (and, by proxy, from on-prem AD if you use Azure AD Connect sync)
- Extends your on-prem AD environment to Azure without having to manage domain controller VMs or maintain a persistent VPN connection to Azure
How are we leveraging this?
- Using the Secure LDAP feature
- LDAP integration in Jamf Pro for user assignment and authentication
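Before pointing Jamf Pro at the Secure LDAP endpoint it is worth checking what the endpoint actually presents on TCP 636. The script below is an added example, not part of the original presentation or anything Jamf or Microsoft ship: it opens a TLS session to the LDAPS port, lets Python's default context verify the chain against the system trust store, and then reports whether the certificate's SAN/CN covers the hostname (including a one-label wildcard, which is how the Secure LDAP certificate is typically issued) and how many days it has left. The hostname ldaps.oceanic.example and the SAMPLE_CERT dict are constructed; the pure functions run offline on the dict shape that getpeercert() returns.

```python
"""Check an Azure AD DS Secure LDAP (LDAPS) endpoint before pointing Jamf Pro at it.

Added example, not from the original presentation. Assumptions (all constructed):
the managed domain's LDAPS name is ldaps.oceanic.example and it answers on TCP 636
with the Secure LDAP certificate you uploaded, whose SAN covers that name or a
matching wildcard. The certificate checks are pure functions so they can be
exercised with a constructed getpeercert()-shaped dict.
"""
import socket
import ssl
import sys
import time

LDAPS_PORT = 636


def cert_dns_names(cert):
    """DNS names from subjectAltName plus the subject CN, in getpeercert() dict shape."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names


def name_matches(hostname, cert):
    """True if hostname matches a SAN/CN exactly or via a single-label wildcard (*.example)."""
    host = hostname.lower().rstrip(".")
    for name in cert_dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            # A wildcard covers exactly one label: *.oceanic.example matches
            # ldaps.oceanic.example but not a.b.oceanic.example.
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def days_until_expiry(cert, now_epoch=None):
    """Days left on the certificate (negative if expired); notAfter is in getpeercert() format."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_epoch) / 86400


def check_ldaps(hostname, port=LDAPS_PORT, timeout=5.0):
    """Open a TLS session to the LDAPS port and report TLS version, name and expiry verdicts.

    Network call. The default context verifies the chain against the system trust
    store, so a self-signed or private-CA certificate raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report the name mismatch ourselves instead of raising
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "name_ok": name_matches(hostname, cert),
                "days_left": days_until_expiry(cert),
            }


# Constructed certificate dict in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.oceanic.example"),),),
    "subjectAltName": (("DNS", "*.oceanic.example"), ("DNS", "oceanic.example")),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ldaps.oceanic.example"
    print(check_ldaps(target))
```

Run it with the LDAPS hostname you will enter in Jamf Pro's LDAP server settings. A name mismatch here usually means the DNS record you created for Secure LDAP does not line up with the certificate's wildcard, and a short days_left is the reminder that the uploaded certificate has to be rotated manually in Azure AD DS.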
Story: Oceanic Airlines
Oceanic Airlines is a lean airline startup with a “Cloud First” mentality.
Environment
- Uses Office 365 and Azure AD as their IdP
- Has no traditional on-prem infrastructure and no on-premises directory
- Uses Cloudflare
- Has decided to invest in macOS and iOS
- Has chosen Jamf Pro as their MDM
- Needs to integrate Jamf Pro with their Azure environment for SSO and LDAP without a lot of effort
- Security-focused organizations that would rather have a cloud service “talk” to another cloud service.
- Organizations that have traditional infrastructure and on-premises directories, but don’t have a DMZ or don’t want to expose another on-premises service.
- Any org that doesn’t want to allow Jamf Cloud to reach into their network but still wants to use the LDAP feature.
individual account
- We are matching the Azure username to the Jamf username
- This can be customized
For group-based access
- We are matching the value of the SSO “memberOf” (groups) claim to the name of a group in Jamf Pro
group?
In order to grant SSO users access through groups we must create a standard group in Jamf Pro with the Azure AD group’s Object ID as its name. Microsoft sends the group’s Object ID, not the “plain text” display name, in the SAML assertion, so a Jamf group named after the display name will never match.
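The two matching rules above (username from the NameID, group from the groups claim by exact name) are easy to see in an actual assertion. The script below is an added example, not part of the original presentation and not Jamf’s code: it pulls the NameID and the group values out of a constructed, unsigned SAML assertion and checks them against a constructed set of Jamf Pro standard group names. The claim name is Azure AD’s default groups claim (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups); the object IDs, user and group names are made up. Jamf Pro validates the assertion signature itself; this only inspects the claims, which is what you want when troubleshooting a user who authenticates fine but lands with no privileges.

```python
"""Why the Jamf Pro group must be named with the Azure AD group Object ID.

Added example, not from the original presentation or from Jamf's code. The SAML
assertion below is constructed and unsigned; the claim name is Azure AD's default
groups claim, and the object IDs, user and Jamf group names are made up.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default claim Azure AD uses for group membership in a SAML token
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed assertion: the group values are object IDs, not display names
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>jane.doe@oceanic.example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Jamf Pro standard group names. Only the one named with the
# object ID can ever match what Azure AD sends.
JAMF_GROUPS = {
    "11111111-2222-3333-4444-555555555555",  # Mac Admins, named by object ID
    "Mac Admins",                            # display name: never matches
}


def assertion_user(xml_text):
    """The NameID Jamf Pro matches against the Jamf username (customizable in Jamf's SSO settings)."""
    root = ET.fromstring(xml_text)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    return node.text.strip() if node is not None and node.text else None


def assertion_groups(xml_text, claim=GROUPS_CLAIM):
    """All values of the groups claim, in assertion order."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == claim:
            values.extend(
                v.text.strip()
                for v in attr.findall("saml:AttributeValue", SAML_NS)
                if v.text
            )
    return values


def matched_groups(xml_text, jamf_groups):
    """Groups from the assertion that would grant access: exact name equality against Jamf group names."""
    return [g for g in assertion_groups(xml_text) if g in jamf_groups]


if __name__ == "__main__":
    print("user:", assertion_user(SAMPLE_ASSERTION))
    print("groups in assertion:", assertion_groups(SAMPLE_ASSERTION))
    print("matched Jamf groups:", matched_groups(SAMPLE_ASSERTION, JAMF_GROUPS))
```

If the assertion carries the group but the matched list is empty, the Jamf group is named by display name: create (or rename) the standard group in Jamf Pro using the Object ID shown on the group in the Azure portal.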
these precise permissions to ensure that administrators logging in via SSO cannot bypass or adjust the SSO settings. An example of why we would want to do this is to enforce Conditional Access on admins: an admin who can edit the SSO settings could disable SSO and sign in with a local account, sidestepping the policy.
we need to be able to log in as both an LDAP user and an SSO user?
- SSO protects the web app, user-initiated enrollment (UIE) and Enrollment Customization
- LDAP can be used for the “classic” Jamf Pro apps like Recon, Jamf Admin, Jamf Remote and Jamf Imaging (please don’t image), as well as for user assignment and lookups
- LDAP accounts can also be used when making API calls
(Firefox) for SSO issues.
- LDAP Admin tool for troubleshooting the LDAP connection and attribute mappings
- Use Firefox or Chrome to configure Azure
- Single sign-on errors with Jamf Pro? Clear the cookies.