© copyright 2002–2023 Jamf Bene fi ts of Single Sign-On with Jamf Pro and Okta Integration

260x260 head shot © copyright 2002-2023 Jamf Naoki KARIYA Chatwork Co., Ltd. Corporate Engineer

© copyright 2002-2023 Jamf Agenda • About our business • Problem statement • Identifying Mac users through Okta Single Sign-On • Using Okta LDAP functionality to import detailed user information into Jamf

© copyright 2002-2023 Jamf About our business

© copyright 2002-2023 Jamf We are a pioneer in business chat in Japan. *1 As of March 2023 *2 According to a survey of monthly active users (MAUs) conducted in May 2022 by Nielsen NetView and Nielsen Mobile NetView; applicable service selected by Chatwork Co., Ltd. Number of Group Employees *1 379 Persons Established November 11, 2004 Chatwork Adoption Results *1 397,000 Companies The largest number of users in Japan *2

© copyright 2002-2023 Jamf Making work more fun and creative Corporate mission People spend over half their lives working. That time is not just for earning money. We help companies create environments that enable as many employees as possible to enjoy their work more and express their creativity fully and freely.

© copyright 2002-2023 Jamf Have you ever had di ff i culty registering users manually? And thought if there are any e ffi cient way? Problem statement

© copyright 2002-2023 Jamf Have you ever had di ff i culty with manually-registered users? And thought if there was an easier way? Jamf Pro x Okta Integration can be the solution. Problem statement

© copyright 2002-2023 Jamf Case: distributing pro fi les and policies How do you control the distribution of con fi guration pro fi les and policies based on the attributes of your device users? For example, maybe only a small percentage of the sta ff needs a VPN. Developers *1 101 Persons *1 As of March 2023 Business or Corporate Sta ff *1 278 Persons Need VPN No need

© copyright 2002-2023 Jamf Jamf Pro has features such as “User and Location” that allow user-based management. However, this can be di ff i cult if users were registered manually. Developers *1 101 Persons Business or Corporate Sta ff *1 278 Persons Need VPN No need *1 As of March 2023 Case: Case: distributing pro fi les and policies

© copyright 2002-2023 Jamf Making it automated by integrating Jamf Pro and Okta. • Assuming that Okta has a directory of users that is always maintained • Showing how this directory can be used to assign policies and con fi guration pro fi les automatically to speci fi c roles, as in HR-driven • Jamf Connect will not be used in this presentation What I would like to propose

© copyright 2002-2023 Jamf Using Okta to accomplish the following: 1. Automate the assignment of devices and users in Jamf Pro using Single Sign-On via Okta. 2. Synchronize Okta and Jamf Pro directory by LDAP so that the Okta group can be assigned into a Smart Group. 3. Create a Smart Group subject to be registered in a speci fi c Okta Group and use it for scope in the policy and con fi guration pro fi le. What I would like to propose

© copyright 2002-2023 Jamf Identifying Mac users through Okta Single Sign-On

© copyright 2002-2023 Jamf In order to distribute settings to each user, it is necessary to associate the Mac with the user. I would like to be able to associate them automatically. To do so, use the following functions of Jamf: • PreStage enrollment (Automated Device Enrollment) • Single Sign-On • Enrollment customization Identifying Mac users through Okta Single Sign-On

© copyright 2002-2023 Jamf “Enrollment customization” enables you to request Okta authentication in the Setup Assistant. Identifying Mac users through Okta Single Sign-On

© copyright 2002-2023 Jamf After passing this authentication, the Okta user ID is registered in Jamf inventory. Identifying Mac users through Okta Single Sign-On.

© copyright 2002-2023 Jamf Setting up setup assistant to enable Single Sign-On

© copyright 2002-2023 Jamf 1. Setting up a SAML Single Sign-On between Jamf and Okta. You are ready for Single Sign-On to the Jamf dashboard. All Okta users must be able to use Jamf applications in Okta. How to set up Single Sign On available in the Setup Assistant.

© copyright 2002-2023 Jamf 2. Set “Enrollment customization.” Okta can be used by choosing the pane type to “Single Sign-On Authentication.” How to set up Single Sign-On available in the Setup Assistant

© copyright 2002-2023 Jamf How to set up Single Sign-On available in the Setup Assistant 3. “PreStage Enrollment” con fi guration Set the “Enrollment customization con fi guration” to the “enrollment customization” that you have just enabled.

© copyright 2002-2023 Jamf Importing user information from Okta

© copyright 2002-2023 Jamf ✔︎ Register Okta user ID in Jamf. → You’ll need to import the detailed Okta user information into Jamf. From here, Okta and Jamf are synchronized by LDAP. Importing user information from Okta

© copyright 2002-2023 Jamf 1. Enable “LDAP Interface” function in Okta. 2. Prepare a system account to access Okta from Jamf. This account MUST: ɾHave read-only administrator permissions ɾBe able to authenticate only with a password (MFA must not be enabled.) Importing user information from Okta

© copyright 2002-2023 Jamf Con fi gure Jamf settings. 1. Enable “Collect user and location information from Directory Service” in the "Inventory collection.” - This is to update the LDAP information when the inventory is updated. Importing user information from Okta

© copyright 2002-2023 Jamf 2. Register the LDAP server connection in Jamf. Here is a screenshot of the values you should input on the next page. Importing user information from Okta

© copyright 2002-2023 Jamf LDAP connection setting one

© copyright 2002-2023 Jamf LDAP connection setting two

© copyright 2002-2023 Jamf LDAP user mappings setting one

© copyright 2002-2023 Jamf LDAP user mappings setting two

© copyright 2002-2023 Jamf LDAP user group mappings setting

© copyright 2002-2023 Jamf LDAP user group membership mappings setting

© copyright 2002-2023 Jamf This establishes LDAP synchronization between Okta and Jamf. Let's test to see if it is working correctly. I will add a test group to Okta. I will test it using my account. Testing LDAP

© copyright 2002-2023 Jamf Jamf has the functionality to test LDAP. Now let's check to see if you have joined the Okta group. You will see that the results are as expected. Testing LDAP

© copyright 2002-2023 Jamf The “inventory collection” setting we talked about a while ago allows us to specify an LDAP query for the “input type” extension attribute. This feature is used to synchronize the user's LDAP values to the computer. About extension attributes

© copyright 2002-2023 Jamf Let's create an extension attribute. “Directory Service Attribute” must be “memberOf.” Get a list of Okta groups to which the user is attached.

© copyright 2002-2023 Jamf Update your inventory with the extension attributes enabled. The computer will list the Okta groups that the user has joined. Get a list of Okta groups to which the user is attached.

© copyright 2002-2023 Jamf The extension attributes of the Okta group can be used for criteria in a Smart Group. Use for Smart Group

© copyright 2002-2023 Jamf With these steps, the user has ✔︎ Synchronized Okta and Jamf ✔︎ Updated at the same time the computer's inventory is updated Use for Smart Group

© copyright 2002-2023 Jamf Improvement result Jamf daily routine tasks 0 Tasks

© copyright 2002-2023 Jamf Q & A

© copyright 2023-2023 Jamf Thank you for listening!