Please note: This article is deprecated but retained for archival purposes.
Please refer to the following article instead: Connecting datajar.mobi to Entra ID as a Cloud Identity Provider
Overview
Your datajar.mobi instance can be linked to your Azure AD over LDAPS. Azure AD itself does not expose an LDAP interface; the link is made to an Azure AD Domain Services managed domain, which presents your Azure AD users and groups over secure LDAP (TCP port 636). This allows for user authentication, assignment of devices and integration with Apple School Manager.
Requirements / Dependencies
In order to configure this there are a number of requirements that must be met:
- A valid Azure subscription
- A fully configured Azure AD directory
- Azure AD Domain services enabled
- Azure AD user passwords re-hashed for NTLM and Kerberos authentication
- A valid and publicly trusted SSL certificate in use on LDAPS Azure Domain Services
- LDAPS enabled on the Azure Domain Services
- Recommended: Locking down LDAPS access to IP addresses
Please Note: More information on achieving these requirements can be found below.
In addition to the above requirements, the implementation engineer will need to be provided with the below:
- The external IP address and / or DNS Name of your Azure LDAPS service
- The external port (if different from the standard 636) of your Azure LDAPS service
- A copy of the SSL certificate used on LDAPS Azure Domain Services (the public certificate only; never send the .PFX, which contains the private key)
- Details (username and password) for a dedicated service LDAP account used to perform lookups. This account only needs to read users and groups; do not reuse a member of the AAD DC Administrators group
- Details of the AD Search Base (for example: DC=ad,DC=datajar,DC=co,DC=uk)
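Before handing these details over, it is worth confirming them from outside Azure. The following script is an added example, not datajar.mobi's or Microsoft's code: with only the Python standard library it connects to the LDAPS endpoint, validates the certificate chain against the supplied PEM copy, checks how long the certificate has left, and performs an LDAP v3 simple bind (RFC 4511, encoded by hand in BER) as the service account. The search base is passed to the engineer as-is and is not exercised here. Host names, DNs, file paths and the password in the usage call at the bottom are placeholders.

```python
"""Pre-handover check of an Azure AD Domain Services LDAPS endpoint.

Added example, not datajar.mobi's or Microsoft's code. Standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = ber(0x60,                                  # [APPLICATION 0] BindRequest
               ber(0x02, b"\x03")                     # version INTEGER 3
               + ber(0x04, dn.encode())               # name LDAPDN
               + ber(0x80, password.encode()))        # authentication [0] simple
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)   # msg_id must be 1..127


def parse_bind_response(buf: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse; 0 means success."""
    tag, msg, _ = ber_read(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = ber_read(msg)                         # messageID, not checked here
    tag, op, _ = ber_read(msg, pos)
    if tag != 0x61:                                   # [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = ber_read(op)                       # resultCode ENUMERATED
    _, _, pos = ber_read(op, pos)                     # matchedDN
    _, diag, _ = ber_read(op, pos)                    # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """RFC 6125 style match: exact name, or a wildcard covering the left-most label only.

    Use this to check a planned DNS name against the SAN you intend to buy;
    the TLS handshake in check_ldaps() enforces the same rule for real."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def days_remaining(not_after: str, now=None) -> int:
    """Whole days until notAfter as reported by getpeercert(), e.g. 'Jun 30 12:00:00 2025 GMT'."""
    now = now or datetime.now(timezone.utc)
    return int((ssl.cert_time_to_seconds(not_after) - now.timestamp()) // 86400)


def check_ldaps(host, port, ca_pem, bind_dn, password, min_days=90):
    """Connect, validate the certificate, bind as the service account; returns a report dict."""
    ctx = ssl.create_default_context(cafile=ca_pem)   # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        cert = tls.getpeercert()                      # handshake already failed if chain or name is wrong
        days = days_remaining(cert["notAfter"])
        tls.sendall(bind_request(1, bind_dn, password))
        code, diag = parse_bind_response(tls.recv(4096))
    return {"days_remaining": days, "expiry_ok": days >= min_days,
            "bind_ok": code == 0, "bind_result": code, "bind_diag": diag}


if __name__ == "__main__":
    # Placeholder values; substitute the details being handed over.
    print(check_ldaps("ldaps.example.co.uk", 636, "ldaps-ca.pem",
                      "CN=svc-jamf,OU=Service,DC=ad,DC=example,DC=co,DC=uk", "REDACTED"))
```

If you connect by IP address rather than DNS name, the handshake will only succeed if that IP is in the certificate's subject alternative names, which is the same check Jamf Pro performs; a failure here is a finding, not a reason to disable verification. Result code 49 (invalidCredentials) on the bind means the certificate is fine but the service account details are wrong or the password hash has not yet been synchronised.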
Technical Details
This is a high-level guide to configuring the above requirements in order to meet the above dependencies:
Azure Subscription
This will require a Microsoft Account, as well as payment options configured with Microsoft.
Configured Azure AD Directory
This will require you to have your users and groups added or synced into your Azure AD directory.
Azure AD Domain Services
For more information, please see Microsoft support article Tutorial: Create and configure an Azure Active Directory Domain Services managed domain
1) Log in to your Azure Portal, click "+ Create a resource", type "Domain Services" and select "Azure AD Domain Services"
2) On the "Azure AD Domain Services" page click "Create" and the "Enable Azure AD Domain Services" wizard is launched.
3) Configure the basic settings as required. The suggested values / considerations are:
- DNS Domain Name: Your chosen domain. This should be a domain you own under a public top-level domain, not a .local name, e.g. ad.datajar.co.uk
- Subscription: Pick your relevant subscription
- Resource Group: Use the "Create new" option and give it an appropriate name
- Location: Pick your relevant location, typically the closest one
Click "Ok"
4) Configure the network settings as required. The suggested values / considerations are:
- Choose virtual network: Either create a new network or choose an existing one. If creating a new network it is suggested to call it "DomainServices"
Click "OK"
5) Configure the Administrative Group settings as required. The suggested values / considerations are:
- AAD DC Administrators: Add the relevant users and / or groups you wish to be administrators for this domain
Click "OK"
6) Configure the Synchronisation settings as required. The suggested values / considerations are:
- Synchronization: You can either sync the entire Azure AD or a subset. Select the option for you
Click "OK"
7) On the Summary page, click "OK". This will now deploy the Azure AD Domain Services product. This can take at least an hour.
8) Once complete and running, go to the "Overview" page, and under the "Required configuration steps" is "Update DNS server settings for your virtual network". Click "Configure" here.
Azure AD User Passwords Rehashed
In order to enable synchronisation of the password hashes required for NT LAN Manager (NTLM) and Kerberos authentication, users will need to reset or change their password after Azure AD Domain Services is up and running. Until a user has done so, that user cannot authenticate against the managed domain, so LDAP binds for them (including the service account) will fail even though the account is visible in the directory.
Details for how to do this can be found here.
Valid and Publicly Trusted SSL Certificate
Create and pay for a publicly trusted SSL certificate for your domain. Bear the following points in mind:
- Trusted issuer: You should purchase a certificate from a certificate authority whose root is already trusted by the clients that will connect (Jamf Pro / datajar.mobi), so that no custom trust store is needed
- Lifetime: This must be valid for a minimum of 3 months. If it expires, secure LDAP stops working and every authentication through it fails, so consider a longer validity and / or reminders to have it renewed before it expires
- Subject Name: This should be the name of your managed domain (e.g. for a managed domain of "datajar.co.uk", this should be "datajar.co.uk"). Set the DNS name (subject alternative name) to the wildcard of your domain (e.g. "*.datajar.co.uk"). Whatever name clients will use to reach the service (the DNS record created below, e.g. ldaps.datajar.co.uk) must be covered by the subject alternative names, or clients will reject the connection
- Key usage: This must be for Digital signatures and key encipherment
- Certificate purpose: SSL server authentication
The certificate-key pair needs to be exported as a .PFX file. The .PFX contains the private key: protect it with a strong export password, share it only with the Azure portal upload, and delete local copies once secure LDAP is enabled.
LDAPS Enabled on the Azure Domain Services
1) Log in to your Azure Portal, search for "Domain Services" and select "Azure AD Domain Services". Click on your domain.
2) Select "Secure LDAP" on the left and click "Enable" on the right
3) Switch "Allow secure LDAP access over the internet" to "Enable" and review the warning shown: this publishes TCP port 636 of your domain controllers on a public IP address, so complete the "Locking Down LDAPS Access to IP addresses" section below before handing the service over
4) Upload your SSL Certificate and enter the export password to decrypt the .PFX file
5) Click "Save"
6) Wait 10-15 minutes for this to be enabled.
Recommended: Configure a DNS record to access the LDAPS
1) Log in to your Azure Portal, search for "Domain Services" and select "Azure AD Domain Services". Click on your domain.
2) Select "Properties" on the left hand side
3) Find the value for "EXTERNAL IP ADDRESS FOR LDAPS ACCESS." This is the IP address
4) Create a new forward ("A") record in your public DNS pointing at the IP address from step 3 (e.g. ldaps.datajar.co.uk -> 52.165.38.113). The record name must be covered by the SSL certificate's subject alternative names.
Recommended: Locking Down LDAPS Access to IP addresses
1) Log in to your Azure Portal, search for "Domain Services" and select "Azure AD Domain Services". Click on your domain.
2) Select "Properties" on the left hand side
3) Find the value "NETWORK SECURITY GROUP ASSOCIATED WITH SUBNET" and select this to be taken to the security group
4) Under "Settings" on the left hand side, select "Inbound security rules"
5) Add a new rule to allow port 636 only from the IP addresses that need it. The suggested values / considerations are:
- Source: IP Addresses
- Source IP Address/CIDR Ranges: This can take multiple values separated by a comma. If you are a Jamf Cloud customer, add the IP addresses for the region you are in, as detailed here. If you are a datajar.mobi customer add the IP addresses detailed here. Do not use "Any", "Internet" or 0.0.0.0/0
- Source Port Ranges: *
- Destination: Any
- Destination Port Ranges: 636
- Protocol: TCP (LDAPS only uses TCP; "Any" also works but additionally admits UDP)
- Action: Allow
- Priority: 312 (lower numbers are evaluated first; this must sit above any broader rule that would otherwise allow port 636)
- Name: Port_636
6) Click Save
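The same rule can be built and applied outside the portal, which makes the allow-list reviewable in code. The following is an added example, not datajar.mobi's or Microsoft's code: build_ldaps_allow_rule() produces the rule from the steps above but refuses the two weak settings (an open source range and anything other than TCP), and apply_rule() pushes it with the Azure SDK (azure-identity and azure-mgmt-network, imported only inside that function so the validation runs without Azure access). The subscription, resource group and NSG names are placeholders, the sample ranges are RFC 5737 documentation addresses rather than Jamf's or datajar's real egress IPs, and the minimum prefix length is an assumption of this example, not an Azure limit.

```python
"""Inbound NSG rule for LDAPS, restricted to known source addresses.

Added example, not datajar.mobi's or Microsoft's code.
"""
import ipaddress

MIN_PREFIX_LEN = 16   # assumption: a range wider than a /16 is almost certainly a mistake


def build_ldaps_allow_rule(source_cidrs, priority=312, name="Port_636"):
    """Return SecurityRule fields for 'allow TCP/636 inbound from these sources only'."""
    if not 100 <= priority <= 4096:
        raise ValueError("Azure NSG rule priority must be between 100 and 4096")
    prefixes = []
    for cidr in source_cidrs:
        cidr = cidr.strip()
        if cidr in ("*", "Internet", "0.0.0.0/0", "::/0"):
            raise ValueError(f"source {cidr!r} would expose LDAPS to the whole internet")
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set, e.g. 10.0.0.5/24
        if net.prefixlen < MIN_PREFIX_LEN:
            raise ValueError(f"source {cidr} is wider than /{MIN_PREFIX_LEN}; use the published address list")
        prefixes.append(str(net))
    if not prefixes:
        raise ValueError("at least one source range is required")
    return {
        "name": name,
        "priority": priority,
        "direction": "Inbound",
        "access": "Allow",
        "protocol": "Tcp",                        # LDAPS is TCP only; the portal's 'Any' also admits UDP
        "source_address_prefixes": prefixes,
        "source_port_range": "*",
        "destination_address_prefix": "*",
        "destination_port_range": "636",
        "description": "LDAPS from Jamf Cloud / datajar.mobi egress addresses only",
    }


def apply_rule(subscription_id, resource_group, nsg_name, rule):
    """Create or update the rule on the NSG attached to the AAD DS subnet.

    Needs an identity allowed to write NSG rules in that resource group."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.network import NetworkManagementClient
    from azure.mgmt.network.models import SecurityRule

    client = NetworkManagementClient(DefaultAzureCredential(), subscription_id)
    poller = client.security_rules.begin_create_or_update(
        resource_group, nsg_name, rule["name"], SecurityRule(**rule))
    return poller.result()


if __name__ == "__main__":
    # Constructed sample ranges (RFC 5737 documentation addresses), not real Jamf or datajar egress IPs.
    rule = build_ldaps_allow_rule(["203.0.113.10/32", "198.51.100.0/28"])
    print(rule)
    # apply_rule("<subscription-id>", "DomainServices-rg", "<nsg-name-from-properties>", rule)
```

Because the rule is data, the allow-list can live in version control and be diffed when Jamf or datajar publish a change to their egress addresses; re-running apply_rule() with the new list replaces the rule in place.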
Further reading
- Integrate Azure LDAP in Jamf Pro
- Permitting Inbound/Outbound Traffic with Jamf Cloud
- Configuring Jamf Pro to Use LDAP Over SSL When Authenticating with Active Directory
- Troubleshooting LDAP over SSL Connection Issues in Jamf Pro
- Configure secure LDAP (LDAPS) for an Azure AD Domain Services managed domain
- Enable Azure Active Directory Domain Services using the Azure portal
Need further support?
Automate. Simplify. Succeed. If you still require assistance from us or have any further questions, please raise a ticket with our support team.
Alternatively, please see our frequently updated knowledge base articles for reference.