[JNUC2023] Benefits of Single Sign-On with Jamf Pro and Okta Integration

Transcript

1. © copyright 2002–2023 Jamf Bene fi ts of Single Sign-On

   with Jamf Pro and Okta Integration

2. 260x260 head shot © copyright 2002-2023 Jamf Naoki KARIYA Chatwork

   Co., Ltd. Corporate Engineer

3. © copyright 2002-2023 Jamf Agenda • About our business •

   Problem statement • Identifying Mac users through Okta Single Sign-On • Using Okta LDAP functionality to import detailed user information into Jamf

4. © copyright 2002-2023 Jamf About our business

5. © copyright 2002-2023 Jamf We are a pioneer in business

   chat in Japan. *1 As of March 2023 *2 According to a survey of monthly active users (MAUs) conducted in May 2022 by Nielsen NetView and Nielsen Mobile NetView; applicable service selected by Chatwork Co., Ltd. Number of Group Employees *1 379 Persons Established November 11, 2004 Chatwork Adoption Results *1 397,000 Companies The largest number of users in Japan *2

6. © copyright 2002-2023 Jamf Making work more fun and creative

   Corporate mission People spend over half their lives working. That time is not just for earning money. We help companies create environments that enable as many employees as possible to enjoy their work more and express their creativity fully and freely.

7. © copyright 2002-2023 Jamf Have you ever had di ff

   i culty registering users manually? And thought if there are any e ffi cient way? Problem statement

8. © copyright 2002-2023 Jamf Have you ever had di ff

   i culty with manually-registered users? And thought if there was an easier way? Jamf Pro x Okta Integration can be the solution. Problem statement

9. © copyright 2002-2023 Jamf Case: distributing pro fi les and

   policies How do you control the distribution of con fi guration pro fi les and policies based on the attributes of your device users? For example, maybe only a small percentage of the sta ff needs a VPN. Developers *1 101 Persons *1 As of March 2023 Business or Corporate Sta ff *1 278 Persons Need VPN No need

10. © copyright 2002-2023 Jamf Jamf Pro has features such as

    “User and Location” that allow user-based management. However, this can be di ff i cult if users were registered manually. Developers *1 101 Persons Business or Corporate Sta ff *1 278 Persons Need VPN No need *1 As of March 2023 Case: Case: distributing pro fi les and policies

11. © copyright 2002-2023 Jamf Making it automated by integrating Jamf

    Pro and Okta. • Assuming that Okta has a directory of users that is always maintained • Showing how this directory can be used to assign policies and con fi guration pro fi les automatically to speci fi c roles, as in HR-driven • Jamf Connect will not be used in this presentation What I would like to propose

12. © copyright 2002-2023 Jamf Using Okta to accomplish the following:

    1. Automate the assignment of devices and users in Jamf Pro using Single Sign-On via Okta. 2. Synchronize Okta and Jamf Pro directory by LDAP so that the Okta group can be assigned into a Smart Group. 3. Create a Smart Group subject to be registered in a speci fi c Okta Group and use it for scope in the policy and con fi guration pro fi le. What I would like to propose

13. © copyright 2002-2023 Jamf Identifying Mac users through Okta Single

    Sign-On

14. © copyright 2002-2023 Jamf In order to distribute settings to

    each user, it is necessary to associate the Mac with the user. I would like to be able to associate them automatically. To do so, use the following functions of Jamf: • PreStage enrollment (Automated Device Enrollment) • Single Sign-On • Enrollment customization Identifying Mac users through Okta Single Sign-On

15. © copyright 2002-2023 Jamf “Enrollment customization” enables you to request

    Okta authentication in the Setup Assistant. Identifying Mac users through Okta Single Sign-On

16. © copyright 2002-2023 Jamf After passing this authentication, the Okta

    user ID is registered in Jamf inventory. Identifying Mac users through Okta Single Sign-On.

17. © copyright 2002-2023 Jamf Setting up setup assistant to enable

    Single Sign-On

18. © copyright 2002-2023 Jamf 1. Setting up a SAML Single

    Sign-On between Jamf and Okta. You are ready for Single Sign-On to the Jamf dashboard. All Okta users must be able to use Jamf applications in Okta. How to set up Single Sign On available in the Setup Assistant.

19. © copyright 2002-2023 Jamf 2. Set “Enrollment customization.” Okta can

    be used by choosing the pane type to “Single Sign-On Authentication.” How to set up Single Sign-On available in the Setup Assistant

20. © copyright 2002-2023 Jamf How to set up Single Sign-On

    available in the Setup Assistant 3. “PreStage Enrollment” con fi guration Set the “Enrollment customization con fi guration” to the “enrollment customization” that you have just enabled.

21. © copyright 2002-2023 Jamf Importing user information from Okta

22. © copyright 2002-2023 Jamf ✔︎ Register Okta user ID in

    Jamf. → You’ll need to import the detailed Okta user information into Jamf. From here, Okta and Jamf are synchronized by LDAP. Importing user information from Okta

23. © copyright 2002-2023 Jamf 1. Enable “LDAP Interface” function in

    Okta. 2. Prepare a system account to access Okta from Jamf. This account MUST: ɾHave read-only administrator permissions ɾBe able to authenticate only with a password (MFA must not be enabled.) Importing user information from Okta

24. © copyright 2002-2023 Jamf Con fi gure Jamf settings. 1.

    Enable “Collect user and location information from Directory Service” in the "Inventory collection.” - This is to update the LDAP information when the inventory is updated. Importing user information from Okta

25. © copyright 2002-2023 Jamf 2. Register the LDAP server connection

    in Jamf. Here is a screenshot of the values you should input on the next page. Importing user information from Okta

26. © copyright 2002-2023 Jamf LDAP connection setting one

27. © copyright 2002-2023 Jamf LDAP connection setting two

28. © copyright 2002-2023 Jamf LDAP user mappings setting one

29. © copyright 2002-2023 Jamf LDAP user mappings setting two

30. © copyright 2002-2023 Jamf LDAP user group mappings setting

31. © copyright 2002-2023 Jamf LDAP user group membership mappings setting

32. © copyright 2002-2023 Jamf This establishes LDAP synchronization between Okta

    and Jamf. Let's test to see if it is working correctly. I will add a test group to Okta. I will test it using my account. Testing LDAP

33. © copyright 2002-2023 Jamf Jamf has the functionality to test

    LDAP. Now let's check to see if you have joined the Okta group. You will see that the results are as expected. Testing LDAP

34. © copyright 2002-2023 Jamf The “inventory collection” setting we talked

    about a while ago allows us to specify an LDAP query for the “input type” extension attribute. This feature is used to synchronize the user's LDAP values to the computer. About extension attributes

35. © copyright 2002-2023 Jamf Let's create an extension attribute. “Directory

    Service Attribute” must be “memberOf.” Get a list of Okta groups to which the user is attached.

36. © copyright 2002-2023 Jamf Update your inventory with the extension

    attributes enabled. The computer will list the Okta groups that the user has joined. Get a list of Okta groups to which the user is attached.

37. © copyright 2002-2023 Jamf The extension attributes of the Okta

    group can be used for criteria in a Smart Group. Use for Smart Group

38. © copyright 2002-2023 Jamf With these steps, the user has

    ✔︎ Synchronized Okta and Jamf ✔︎ Updated at the same time the computer's inventory is updated Use for Smart Group

39. © copyright 2002-2023 Jamf Improvement result Jamf daily routine tasks

    0 Tasks

40. © copyright 2002-2023 Jamf Q & A

41. © copyright 2023-2023 Jamf Thank you for listening!