
Integrate Azure Active Directory with Jamf Pro

Jamf
November 13, 2019



  1. © JAMF Software, LLC Integrate Azure Active Directory with Jamf Pro, 1:30 - 2:15 PM
  3. Tomek Dabrowski, Software Engineer, Jamf; Marcin Pietrosian, Software Engineer, Jamf

  4. Nicholas McDonald, Senior Systems Engineer, HCS Technology Group
  5. Integrate Azure Active Directory with Jamf Pro. Presentation agenda:
     - Create an Office 365/Azure account
     - Configure Azure AD Domain Services and Secure LDAP
     - Configure Azure for SSO
     - Enable LDAP and SSO in Jamf Pro
     - Look at different ways of provisioning access
  6. Preface: Azure Active Directory Domain Services
     What is Azure AD Domain Services?
     - A managed Active Directory environment in the cloud
     - Replicates from Azure AD (and, if you use Azure AD Connect sync, indirectly from on-prem AD)
     - Extends your on-prem AD environment to Azure without managing domain controller VMs or maintaining a persistent VPN connection to Azure
     How are we leveraging this?
     - Using the Secure LDAP feature
     - LDAP integration in Jamf Pro for user assignment and authentication
  7. Where would this be useful? A story: Oceanic Airlines
     Oceanic Airlines is a lean airline startup with a "cloud first" mentality. Environment:
     - Uses Office 365 and Azure AD as their IdP
     - Has no traditional on-prem infrastructure and no on-premises directory
     - Uses Cloudflare
     - Has decided to invest in macOS and iOS
     - Has chosen Jamf Pro as their MDM
     - Needs to easily integrate Jamf Pro with their Azure environment for SSO and LDAP
  8. Where else? Concerns of different organizations:
     - Security-focused organizations that would rather have one cloud service "talk" to another cloud service than expose anything on-premises
     - Organizations that have traditional infrastructure and on-premises directories, but don't have a DMZ or don't want to expose another on-premises service
     - Any organization that doesn't want to allow Jamf Cloud to reach into their network but still wants to use the LDAP feature
  9. Create your Office 365 Account

  11. Create your Azure Account

  13. Create a Virtual Network

  14. Create a Virtual Network

  15. Create a Virtual Network

  16. Create a Virtual Network

  17. Configure Azure AD DS

  18. Create the resource

  19. Configure Basic Settings

  20. Configure Network Settings

  21. Configure Administrator Group

  22. Configure Synchronization Scope

  23. Complete Resource Creation

  24. Check Resource Creation
  25. Configure Secure LDAP

  26. Update Virtual Network DNS

  27. Create SSL Certificate for LDAPS

  28. Upload Certificate to Enable LDAPS

  29. Configure Network Security Group (reference: jamf.com/jamf-nation/articles/409/permitting-inbound-outbound-traffic-with-jamf-cloud)

  30. Create DNS Entry
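The Secure LDAP steps above (certificate, NSG, DNS entry) hang together around one requirement: the public name Jamf Pro connects to on TCP 636 must be covered by the certificate uploaded to Azure AD Domain Services, and Azure expects that certificate as a password-protected PFX with a wildcard name for the managed domain. The following is an added example, not from the deck, from Jamf, or from Microsoft: it drives the openssl CLI from Python to produce the self-signed certificate and PFX (Microsoft's documentation does the equivalent with New-SelfSignedCertificate and Export-PfxCertificate), then checks the certificate's subjectAltName against the DNS name you will create and that the PFX opens with its password. The managed domain aaddscontoso.com, the host ldaps.aaddscontoso.com, the file names and the password are assumptions; replace them with your own.

```python
"""Generate and sanity-check a self-signed certificate for Azure AD DS Secure LDAP.

Added example (not from the JNUC deck). Requires the openssl CLI on PATH.
Assumptions: managed domain aaddscontoso.com, external DNS record
ldaps.aaddscontoso.com (the "Create DNS Entry" step), password "change-me".
"""
import pathlib
import re
import subprocess
import tempfile

MANAGED_DOMAIN = "aaddscontoso.com"        # assumption: your AAD DS managed domain
LDAPS_HOST = "ldaps." + MANAGED_DOMAIN      # assumption: the public name Jamf Pro will use

# Minimal openssl config: wildcard CN and SAN for the managed domain, server-auth EKU.
OPENSSL_CONFIG = """\
[req]
distinguished_name = dn
x509_extensions = v3_ldaps
prompt = no

[dn]
CN = *.{domain}

[v3_ldaps]
subjectAltName = DNS:*.{domain},DNS:{domain}
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
"""


def _openssl(*args):
    """Run one openssl subcommand and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_ldaps_cert(workdir, domain, pfx_password, days=365):
    """Create a private key, a self-signed certificate and the PFX to upload.

    Returns (crt_path, pfx_path).
    """
    workdir = pathlib.Path(workdir)
    cfg, key = workdir / "openssl.cnf", workdir / "ldaps.key"
    crt, pfx = workdir / "ldaps.crt", workdir / "ldaps.pfx"
    cfg.write_text(OPENSSL_CONFIG.format(domain=domain))
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-days", str(days), "-config", str(cfg),
             "-keyout", str(key), "-out", str(crt))
    # Azure AD DS wants a password-protected PKCS#12 bundle that includes the private key.
    _openssl("pkcs12", "-export", "-inkey", str(key), "-in", str(crt),
             "-out", str(pfx), "-passout", "pass:" + pfx_password)
    return crt, pfx


def cert_dns_names(crt_path):
    """Return the DNS names listed in the certificate's subjectAltName extension."""
    text = _openssl("x509", "-in", str(crt_path), "-noout", "-text")
    return re.findall(r"DNS:([^,\s]+)", text)


def san_covers(hostname, dns_names):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                       # ".aaddscontoso.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif name == host:
            return True
    return False


def pfx_opens(pfx_path, pfx_password):
    """True if the PFX parses with the given password, i.e. what the portal upload needs."""
    try:
        _openssl("pkcs12", "-in", str(pfx_path), "-noout", "-passin", "pass:" + pfx_password)
        return True
    except subprocess.CalledProcessError:
        return False


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        crt, pfx = make_ldaps_cert(tmp, MANAGED_DOMAIN, "change-me")
        names = cert_dns_names(crt)
        print("SAN names:", names)
        print(LDAPS_HOST, "covered by certificate:", san_covers(LDAPS_HOST, names))
        print("PFX opens with password:", pfx_opens(pfx, "change-me"))
```

Upload ldaps.pfx and its password in the Secure LDAP blade, point the public DNS record at the Secure LDAP external IP address, and scope the NSG rule for TCP 636 to the Jamf Cloud address ranges from the article referenced above rather than to "Any". A name such as deep.sub.aaddscontoso.com would fail the check on purpose: the wildcard covers one label only. If the portal rejects a PFX produced by OpenSSL 3, re-exporting with the legacy PKCS#12 algorithms (openssl pkcs12 -export ... -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1) is the usual workaround.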

  31. Configure Jamf Pro for Azure AD

  32. Create LDAP Server Connection

  33. Configure Mappings

  34. Test Connection

  35. Configure SSO in Azure AD

  36. Add Enterprise Application

  37. Assign Access

  38. Configure SSO options

  39. Edit Application Manifest

  40. Configure SSO in Jamf Pro

  41. Configure Single Sign-On
  42. What are we matching?
     For an individual account:
     - We are matching the Azure username to the Jamf Pro username
     - This mapping can be customized
     For group-based access:
     - We are matching the group claim in the SSO assertion (the "memberOf" attribute in Jamf Pro's SSO settings) to a group in Jamf Pro
  43. Configure Group-Based Access for Jamf Pro Administrators

  44. Create an Azure Group

  45. Add LDAP group in Jamf Pro

  46. Set LDAP Group Permissions

  47. Create Standard Group in Jamf Pro

  48. Set Standard Group Permissions
  49. Why did we add a standard group?
      To grant SSO users access through groups, we must create a standard group in Jamf Pro whose name is the Azure group's Object ID. Microsoft sends group object IDs, not plain-text group names, in the SAML assertion, so there is nothing for Jamf Pro to match against the LDAP group's name.

  50. Why the odd permissions?
      We used these precise permissions so that administrators logging in via SSO cannot bypass or adjust the SSO settings. An admin who could edit SSO settings could disable SSO and sidestep whatever Azure enforces on the login; one example of why we want to prevent that is enforcing Conditional Access on admins.
  51. Test SSO and LDAP authentication
      - LDAP user authenticated via LDAP group
      - SSO user authenticated via standard group
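Slides 42, 49 and 50 describe how a Jamf Pro SSO login is resolved: the NameID maps to a Jamf Pro username, the group claim carries Azure group Object IDs rather than names, and the standard group named after the Object ID is the one that matches, with privileges that keep the SSO settings out of reach. The following is an added example, not part of the deck and not Jamf Pro's own code: it parses a constructed SAML response the way an SP would after signature verification, then matches the asserted groups against a small model of the Jamf Pro groups created above. The object IDs, the user kate@oceanicairlines.example and the privilege names are constructed; the Azure groups claim URI is the standard one.

```python
"""Resolve a Jamf Pro SSO login from an Azure AD SAML assertion.

Added example (not from the JNUC deck or Jamf Pro). It shows why the deck
creates a Jamf Pro *standard* group named after the Azure group's Object ID:
Azure AD puts object IDs, not display names, in the groups claim.
The SAML response, object IDs, user and privilege names are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Default Azure AD group claim; the attribute name Jamf Pro's SSO settings must point at.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Object IDs of two Azure groups (constructed); the first is "Jamf Pro Admins".
ADMINS_OBJECT_ID = "6f1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"
OTHER_OBJECT_ID = "0a1b2c3d-1111-4222-8333-444455556666"

# Trimmed SAML response as Azure AD would POST it to Jamf Pro's ACS URL
# (constructed; the Signature element is omitted for brevity).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">kate@oceanicairlines.example</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUPS_CLAIM}">
        <saml:AttributeValue>{ADMINS_OBJECT_ID}</saml:AttributeValue>
        <saml:AttributeValue>{OTHER_OBJECT_ID}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Model of the Jamf Pro groups from slides 45-48. Privilege names are illustrative:
# the LDAP group may edit SSO settings, the standard group used by SSO logins may not.
JAMF_GROUPS = [
    {"name": "Jamf Pro Admins", "type": "ldap",
     "privileges": {"Read SSO Settings", "Update SSO Settings", "Read Computers"}},
    {"name": ADMINS_OBJECT_ID, "type": "standard",
     "privileges": {"Read Computers", "Update Computers"}},
]


def parse_assertion(xml_text, groups_claim=GROUPS_CLAIM):
    """Return (NameID, [group claim values]) from a SAML response.

    Signature validation is out of scope here: Jamf Pro verifies the IdP
    signature before any matching, and so must any code of your own that
    consumes assertions. For untrusted XML in production prefer defusedxml.
    """
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == groups_claim:
            groups.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                          if v.text)
    return name_id, groups


def match_groups(asserted_groups, jamf_groups):
    """Jamf Pro groups whose name equals one of the asserted group values.

    Object IDs only ever equal a standard group created with that ID as its
    name; the LDAP group "Jamf Pro Admins" is never named in the assertion.
    """
    wanted = {g.lower() for g in asserted_groups}
    return [g for g in jamf_groups if g["name"].lower() in wanted]


def effective_privileges(groups):
    """Union of the privileges of all matched groups."""
    privs = set()
    for g in groups:
        privs |= g["privileges"]
    return privs


if __name__ == "__main__":
    user, asserted = parse_assertion(SAMPLE_RESPONSE)
    matched = match_groups(asserted, JAMF_GROUPS)
    print(user, "->", [g["name"] for g in matched])
    print("can change SSO settings:",
          "Update SSO Settings" in effective_privileges(matched))
```

Running it shows the login landing only in the group named by the Object ID; passing the display name "Jamf Pro Admins" instead would match the LDAP group, which is exactly the claim Azure does not send. That is the whole reason for slides 47-48, and keeping "Update SSO Settings" out of that standard group is what makes slide 50's Conditional Access argument hold.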
  52. Configure Individual User Access for Jamf Pro Administrators

  53. Add LDAP User to Jamf Pro

  54. Set Account Permissions
  55. Token Expiration: a common error. See https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
  56. Why SSO and LDAP? Why do we need to be able to log in as both an LDAP user and an SSO user?
      - SSO protects the web app, user-initiated enrollment (UIE) and Enrollment Customization
      - LDAP can be used for the "classic" Jamf Pro apps like Recon, Admin, Remote and Imaging (please don't image), as well as for user assignment and lookups
      - LDAP accounts can also be used when making API calls
  57. Tools & Troubleshooting
      - SAML Tracer (Firefox) for SSO issues
      - An LDAP admin tool for troubleshooting the LDAP connection and mappings
      - Use Firefox or Chrome to configure Azure
      - Single sign-on errors with Jamf Pro? Clear the cookies.
  58. Questions?

  59. THANK YOU!

  60. Thank you for listening! Give us feedback by completing the 2-question session survey in the JNUC 2019 app. UP NEXT: Apple Deployment Essentials, 2:45 - 3:30 PM