Slide 1

© JAMF Software, LLC

UP NEXT: Integrate Azure Active Directory with Jamf Pro, 1:30 - 2:15 PM


Slide 3

Tomek Dabrowski, Software Engineer, Jamf
Marcin Pietrosian, Software Engineer, Jamf

Slide 4

Nicholas McDonald, Senior Systems Engineer, HCS Technology Group

Slide 5

Integrate Azure Active Directory with Jamf Pro

Presentation agenda:
- Create an Office 365/Azure account
- Configure Azure AD Domain Services & Secure LDAP
- Configure Azure for SSO
- Enable LDAP and SSO in Jamf Pro
- Look at different ways of provisioning access

Slide 6

Preface: Azure Active Directory Domain Services

What is Azure AD Domain Services?
- Cloud AD environment
- Replicates from Azure AD (and, by proxy, from on-prem AD if using Azure AD Connect sync)
- Extends your on-prem AD environment to Azure without having to manage DC VMs and maintain a persistent VPN connection to Azure

How are we leveraging this?
- Using the secure LDAP feature
- LDAP integration in Jamf Pro: user assignment / authentication

Slide 7

Where would this be useful? A story: Oceanic Airlines

Oceanic Airlines is a lean airline startup with a “Cloud First” mentality.

Environment
- Uses Office 365 and Azure AD as their IdP
- Has no traditional on-prem infrastructure and no on-premises directory
- Uses Cloudflare
- Has decided to invest in macOS and iOS
- Has chosen Jamf Pro as their MDM
- Needs to easily integrate Jamf Pro with their Azure environment for SSO and LDAP

Slide 8

Where else? Different organizations, different concerns
- Security-focused organizations that would rather have a cloud service “talk” to another cloud service.
- Organizations that have traditional infrastructure and on-premises directories, but don’t have a DMZ or don’t want to expose another on-premises service.
- Any org that doesn’t want to allow Jamf Cloud to reach their network but still wants to use the LDAP feature.

Slide 9

Create your Office 365 Account


Slide 11

Create your Azure Account


Slide 13

Create a Virtual Network

Slide 14

Create a Virtual Network

Slide 15

Create a Virtual Network

Slide 16

Create a Virtual Network

Slide 17

Configure Azure AD DS

Slide 18

Create the resource

Slide 19

Configure Basic Settings

Slide 20

Configure Network Settings

Slide 21

Configure Administrator Group

Slide 22

Configure Synchronization Scope

Slide 23

Complete Resource Creation

Slide 24

Check Resource Creation

Slide 25

Configure Secure LDAP

Slide 26

Update Virtual Network DNS

Slide 27

Create SSL Certificate for LDAPS

Slide 28

Upload Certificate to Enable LDAPS

Slide 29

Configure Network Security Group
jamf.com/jamf-nation/articles/409/permitting-inbound-outbound-traffic-with-jamf-cloud

Slide 30

Create DNS Entry

Slide 31

Configure Jamf Pro for Azure AD DS

Slide 32

Create LDAP Server Connection

Slide 33

Configure Mappings

Slide 34

Test Connection

Slide 35

Configure SSO in Azure AD

Slide 36

Add Enterprise Application

Slide 37

Assign Access

Slide 38

Configure SSO options

Slide 39

Edit Application Manifest

Slide 40

Configure SSO in Jamf Pro

Slide 41

Configure Single Sign-On

Slide 42

What are we matching?

For an individual account
- We are matching the Azure username to the Jamf username
- This can be customized

For group-based access
- We are matching the SSO “memberOf” claim to a group in Jamf Pro

Slide 43

Configure Group Based Access for Jamf Pro Administrators

Slide 44

Create an Azure Group

Slide 45

Add LDAP group in Jamf Pro

Slide 46

Set LDAP Group Permissions

Slide 47

Create Standard Group in Jamf Pro

Slide 48

Set Standard Group Permissions

Slide 49

Why did we add a standard group? In order to leverage groups to authenticate SSO users, we must create a standard group with the Azure Object ID as its name. Microsoft does not send the “plain text” group name in the SAML assertion for Jamf to match against the LDAP group name.
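As an added example (not from this deck or from Jamf), the following Python parses a constructed SAML assertion the way a service provider would and matches its group claim against Jamf Pro group names, which shows the point of slides 42 and 49: the username comes from the name claim, and only a standard group named with the Azure Object ID can match the groups claim. The claim URIs are assumed to be Azure AD's default name and groups claim URIs, and the Object ID and Oceanic user are placeholders.

```python
# Added example: match an Azure AD SAML assertion to Jamf Pro groups.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed Azure AD default claim URIs (configurable in the enterprise app).
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion fragment; the Object ID is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@oceanic.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@oceanic.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Jamf Pro groups: the LDAP group carries the AD display name,
# the standard group is named with the Azure Object ID, as slide 49 describes.
JAMF_GROUPS = {
    "Jamf Pro Admins": "ldap",
    "11111111-2222-3333-4444-555555555555": "standard",
}

def parse_assertion(xml_text):
    """Return (NameID, {claim URI: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return name_id, attrs

def matched_groups(attrs, jamf_groups):
    """Jamf groups whose *name* equals a value sent in the groups claim."""
    return sorted(g for g in attrs.get(GROUPS_CLAIM, []) if g in jamf_groups)

def sso_user_to_jamf(xml_text, jamf_groups):
    name_id, attrs = parse_assertion(xml_text)
    # Default mapping: Azure username -> Jamf username (customizable per slide 42).
    username = attrs.get(NAME_CLAIM, [name_id])[0]
    return {"username": username, "groups": matched_groups(attrs, jamf_groups)}

if __name__ == "__main__":
    print(sso_user_to_jamf(SAMPLE_ASSERTION, JAMF_GROUPS))
```

The groups claim never contains "Jamf Pro Admins", so the LDAP group name is never matched for an SSO login; only the standard group named by Object ID is.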

Slide 50

Why the odd permissions? We used these precise permissions to ensure that administrators logging in via SSO cannot bypass or adjust SSO settings. An example of why we would want to do this is to enforce conditional access on admins.

Slide 51

Test SSO and LDAP authentication
- LDAP user authenticated via LDAP group
- SSO user authenticated via standard group

Slide 52

Configure Individual User Access for Jamf Pro Administrators

Slide 53

Add LDAP User to Jamf Pro

Slide 54

Set Account Permissions

Slide 55

Token Expiration: A Common Error
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

Slide 56

Why SSO and LDAP? Why do we need to be able to log in as both an LDAP user and an SSO user?
- SSO protects the web app, UIE and Enrollment Customization
- LDAP can be used for the “Classic” Jamf Pro apps like Recon, Admin, Remote and Imaging (please don’t image), as well as for user assignment and lookups
- LDAP accounts can also be used when making API calls

Slide 57

Tools & Troubleshooting
- SAML Tracer (Firefox) for SSO issues.
- LDAP Admin tool for troubleshooting the LDAP connection and mappings.
- Use Firefox or Chrome to configure Azure.
- Single Sign-On errors with Jamf Pro? Clear the cookies.

Slide 58

Questions?

Slide 59

THANK YOU!

Slide 60

Thank you for listening! Give us feedback by completing the 2-question session survey in the JNUC 2019 app.

UP NEXT: Apple Deployment Essentials, 2:45 - 3:30 PM